[Snort-users] 1.8: alert garbage and rules issue.

Scott A. McIntyre scott at ...1050...
Thu Apr 19 04:43:40 EDT 2001


HAH!  Irony.

The reason why I had this first problem was because of the second;
there really really needs to be more syntax checking on these rules
before they go anywhere, in my opinion.   In this case, the squid rule
had a classification type specified twice, which of course confused the
parser/logging.

Fixed the rule for me...


> With 1.8 (taken from this morning's CVS checkout) I'm seeing a lot of
> garbage in the output:
> 
> [**] MISC traceroute [**]
> [Classification: ô8A
>                    ] [Priority: 3]
> 04/19/01-09:24:16.676819 xxx.xx.xx.xxx -> xxx.xxx.x.xx
> ICMP TTL:1 TOS:0x0 ID:32502 IpLen:20 DgmLen:84
> Type:8  Code:0  ID:256   Seq:48255  ECHO
> [Xref => http://www.whitehats.com/info/3]
> 
> ^[[?1;2c
> 
> 
> Any idea why?
> 
> Secondly, there are loads of problems with the rules as distributed with
> 1.8; there are duplicates all over the place and quite a few more errors
> (snort won't even start up with the rules as distributed due to these
> errors) -- I'd be happy to volunteer to clean these up but would like to
> know how best to go about that (cvs checkin privs for rules?)...
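The squid-rule problem described above (one option given twice) is exactly what a pre-load lint pass over the rule files catches. The following is an added example and not Snort's own parser: a small Python checker that splits a rule's option block, flags singleton options such as classtype that appear more than once, and flags exact duplicate rules. The SINGLETON_OPTIONS set and the sample rules are assumptions constructed for the example, not rules from the 1.8 distribution.

```python
# Added example (not from the thread): a pre-load checker for Snort rules that
# flags options given twice. SINGLETON_OPTIONS is an assumption, not Snort's list.
SINGLETON_OPTIONS = {"msg", "classtype", "priority", "sid", "rev"}

def parse_rule(rule):
    """Return (header, [(key, value), ...]); ';' inside quotes or after '\\' is literal."""
    head, sep, rest = rule.strip().partition("(")
    if not sep or not rest.endswith(")"):
        raise ValueError("rule has no '( ... )' option block: %r" % rule)
    options, cur, quoted, escaped = [], [], False, False
    for ch in rest[:-1]:
        if ch == ";" and not quoted and not escaped:   # option terminator
            options.append("".join(cur))
            cur = []
            continue
        quoted ^= ch == '"' and not escaped              # unescaped quote toggles
        escaped = ch == "\\" and not escaped             # backslash escapes next char
        cur.append(ch)
    if "".join(cur).strip() or quoted:
        raise ValueError("unterminated option or quote in rule: %r" % rule)
    pairs = [opt.strip().partition(":") for opt in options if opt.strip()]
    return head.strip(), [(k, v.strip()) for k, _, v in pairs]

def check_rule(rule):
    """Problems found in one rule; an empty list means the rule is clean."""
    problems, seen = [], {}
    for key, value in parse_rule(rule)[1]:
        if key in SINGLETON_OPTIONS and key in seen:
            problems.append("%s given twice: %r and %r" % (key, seen[key], value))
        seen.setdefault(key, value)
    return problems

def check_rules(rules):
    """Map 1-based rule number -> problems; exact duplicate rules are flagged too."""
    report, seen = {}, {}
    for n, rule in enumerate(rules, 1):
        norm = " ".join(rule.split())                    # whitespace-insensitive identity
        problems = check_rule(rule)
        if norm in seen:
            problems.append("duplicate of rule %d" % seen[norm])
        seen.setdefault(norm, n)
        if problems:
            report[n] = problems
    return report

# Constructed samples: classtype twice, an escaped ';' that must not split, and a duplicate.
SQUID_RULE = 'alert tcp any any -> any 3128 (msg:"SCAN squid proxy"; flags:S; classtype:attempted-recon; classtype:misc-activity; sid:1000001; rev:1;)'
TRACEROUTE_RULE = 'alert icmp any any -> any any (msg:"MISC traceroute"; ttl:1; itype:8; content:"a\\;b"; classtype:attempted-recon; sid:1000002; rev:1;)'
SAMPLE_RULES = [SQUID_RULE, TRACEROUTE_RULE, TRACEROUTE_RULE]   # third is an exact duplicate
```

Running check_rules over a rules file before starting snort reports the offending rule numbers, so a doubled classtype or a pasted duplicate never reaches the parser.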
