[Snort-users] IDS484 error

Joshua Fritsch joshua.fritsch at ...1253...
Fri Mar 2 09:49:37 EST 2001


AAAAGGGGHHHH!!! Don't make me think in hex! :)

Snort dies when I add this rule:

alert TCP $INTERNAL 2589 -> $EXTERNAL 1024: (msg:
"IDS484/trojan-active-dagger_1.4.0"; flags: A+; content:
"3200000006000000|Drives|2400|"; depth: 16;)

Here's the error from /var/log/messages:

Mar  2 09:41:08 foo snort: ERROR Line 25 => What is this "r"(0x72) doing in
your binary buffer?  Valid hex values only please! (0x0 - 0xF) Position: 18

Rule taken from:

http://www.whitehats.com/info/IDS484

-J
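
Added example (not part of the original message and not Snort's own code): a simplified Python model of how a `content` string is read, assuming `|` toggles between literal text and hex-byte mode. Run on the string from the rule above, it stops at the same character and position as the logged error; `VARIANT`, with a leading `|`, is a constructed comparison string, not a confirmed correction of the rule.

```python
# Simplified model of Snort content-string parsing (illustrative, not Snort source).
# Assumptions: '|' toggles hex mode, whitespace is allowed between hex bytes,
# positions are zero-based offsets into the string, escapes are not handled.
HEX_DIGITS = set("0123456789abcdefABCDEF")

POSTED = "3200000006000000|Drives|2400|"    # content string from the rule in the post
VARIANT = "|3200000006000000|Drives|2400|"  # constructed variant with a leading '|'


class ContentError(ValueError):
    """A non-hex character was found inside a |...| binary section."""

    def __init__(self, char, position):
        super().__init__(
            f"{char!r} (0x{ord(char):X}) in binary section at position {position}"
        )
        self.char = char
        self.position = position


def parse_content(content):
    """Return the bytes the content string would match, or raise on bad input."""
    out = bytearray()
    in_hex = False
    pending = None  # first hex digit of a byte that is not complete yet
    for pos, ch in enumerate(content):
        if ch == "|":
            if pending is not None:
                raise ValueError(f"odd number of hex digits before position {pos}")
            in_hex = not in_hex
        elif not in_hex:
            out += ch.encode("latin-1")  # literal text is matched byte for byte
        elif ch.isspace():
            continue
        elif ch in HEX_DIGITS:
            if pending is None:
                pending = ch
            else:
                out.append(int(pending + ch, 16))
                pending = None
        else:
            raise ContentError(ch, pos)
    if in_hex:
        raise ValueError("unterminated '|' binary section")
    return bytes(out)
```

With the leading `|`, the variant decodes to 16 bytes, the same number as the rule's `depth: 16`.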



