[Snort-users] New Feature: Test mode (-T)

Joe McAlerney joey at ...155...
Mon Mar 19 20:43:21 EST 2001


Mark Rowlands wrote:

> ERROR => sp_reference you MUST have BOTH a system & id for references - line
> 35 of /spare/snort/rules/exploit.rules
> Fatal Error, Quiting..

That rule is missing the "cve" identifier.  Here's a fix.

alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389;)

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+
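
Added example (not part of the original message and not Snort's own code): a small pre-check that scans a rules file for reference options lacking either the system or the id, the condition behind the sp_reference error quoted above. It assumes one rule per line; the function names and the sample rules are constructed for illustration, and the form of the broken rule (a bare reference:CVE-1999-0799;) is an assumption based on the reply.

```python
import re

# One rule option: keyword, optional ":argument", terminating ";".
# Semicolons inside double-quoted strings do not end the option.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')


def rule_options(rule):
    """Yield (keyword, argument) pairs from the parenthesised option body."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        return
    for m in OPTION_RE.finditer(rule[start + 1:end]):
        yield m.group(1), (m.group(2) or "").strip()


def bad_references(rules_text):
    """Return (line_number, argument) for each reference lacking system or id."""
    problems = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        for key, arg in rule_options(line):
            if key != "reference":
                continue
            system, sep, ref_id = arg.partition(",")
            if not (sep and system.strip() and ref_id.strip()):
                problems.append((lineno, arg))
    return problems


# Constructed sample: line 2 uses the corrected form from the reply above,
# line 3 omits the "cve," system (assumed shape of the rejected rule).
SAMPLE = """\
# constructed sample rules file
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"constructed; system missing"; reference:CVE-1999-0799;)
"""

if __name__ == "__main__":
    for lineno, arg in bad_references(SAMPLE):
        print(f"line {lineno}: reference '{arg}' needs both a system and an id")
```

Running snort with -T against the real configuration remains the authoritative check; this only catches the one error class discussed here before a rules file is deployed.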



