[Snort-users] IDS484 error

Max Vision vision at ...4...
Fri Mar 2 10:38:28 EST 2001


Sorry that slipped through.  Insufficient sleep :)  Fixed now.
Max

On Fri, 2 Mar 2001, Joshua Fritsch wrote:
> AAAAGGGGHHHH!!! Don't make me think in hex! :)
>
> Snort dies when I add this rule:
>
> alert TCP $INTERNAL 2589 -> $EXTERNAL 1024: (msg:
> "IDS484/trojan-active-dagger_1.4.0"; flags: A+; content:
> "3200000006000000|Drives|2400|"; depth: 16;)
> Here's the error from /var/log/messages:
>
> Mar  2 09:41:08 foo snort: ERROR Line 25 => What is this "r"(0x72) doing in
> your binary buffer?  Valid hex values only please! (0x0 - 0xF) Position: 18
>
> Rule taken from:
>
> http://www.whitehats.com/info/IDS484
>
> -J
>





More information about the Snort-users mailing list