vision at ...4...
Fri Sep 29 09:55:42 EDT 2000
Sorry about that - the source addresses are supposed to be
255.255.255.255/32 for each. They were accidentally changed to $EXTERNAL
during a broad database update. The current vision.conf reflects the
corrected values (again).
On Fri, 29 Sep 2000, Fernando Cardoso wrote:
> Hi all
> I've just downloaded the latest vision.conf sig file. As soon as I restarted
> snort with the new sig lots of Backdoor-Q-icmp alerts appeared. I've checked
> the logs and they are legitimate traffic (one of my watchdogs pinging my
> upstream router and getting the ECHO_REPLY).
> After checking old and new rulesets I found out that Max changed this rule:
> snort.ruleset.new:alert ICMP $EXTERNAL any -> $INTERNAL any (msg:
> "IDS202/backdoor-Q-icmp"; dsize: >1; itype: 0;)
> snort.ruleset.old:alert ICMP 255.255.255.0/24 any -> $INTERNAL any (msg:
> "IDS202/backdoor-Q-icmp"; itype: 0; dsize: >1;)
> Any good reason for this changing or should I stick with the old
> Fernando Cardoso Phone: +351 21 7982186
> Network Administrator Fax: +351 21 7982185
> National Library E-mail: fernando at ...498...
> Portugal PGP ID: 28551CB8
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
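The effect of the three source-address variants discussed in this thread, as an added example that is not part of the original posts and is not Snort code: a minimal evaluator for the rule header plus its `itype` and `dsize` options, run over constructed packets. The address plan (`$INTERNAL` as 192.0.2.0/24, `$EXTERNAL` as everything outside it) and all packet values are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan for illustration only (not from the thread).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")

@dataclass
class Icmp:
    src: str
    dst: str
    itype: int        # 0 = ECHO_REPLY
    payload_len: int  # what dsize is compared against

# Source field of each version of the IDS202 rule quoted in the thread.
RULE_SOURCES = {
    "new": "$EXTERNAL",                 # value after the database update
    "old": "255.255.255.0/24",          # previous ruleset
    "corrected": "255.255.255.255/32",  # value stated in the reply
}

def src_matches(spec, src):
    addr = ipaddress.ip_address(src)
    if spec == "$EXTERNAL":
        return addr not in INTERNAL     # assumption: $EXTERNAL = !$INTERNAL
    return addr in ipaddress.ip_network(spec)

def rule_fires(src_spec, pkt):
    # alert ICMP <src_spec> any -> $INTERNAL any (itype: 0; dsize: >1;)
    return (src_matches(src_spec, pkt.src)
            and ipaddress.ip_address(pkt.dst) in INTERNAL
            and pkt.itype == 0
            and pkt.payload_len > 1)

# Constructed sample packets.
PACKETS = {
    "watchdog reply": Icmp("198.51.100.1", "192.0.2.10", 0, 56),
    "broadcast source": Icmp("255.255.255.255", "192.0.2.10", 0, 56),
    "255.255.255.7 source": Icmp("255.255.255.7", "192.0.2.10", 0, 56),
    "broadcast source, 1 byte": Icmp("255.255.255.255", "192.0.2.10", 0, 1),
}

def evaluate():
    return {label: {name: rule_fires(spec, pkt)
                    for name, spec in RULE_SOURCES.items()}
            for label, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, hits in evaluate().items():
        print(f"{label:26s} {hits}")
```

Only the `$EXTERNAL` variant fires on the ordinary router-to-watchdog echo reply, which is the false positive reported above.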