[Snort-users] Comma seperated port lists broken?

Scott A. McIntyre scott at ...1050...
Tue Mar 27 01:48:19 EST 2001


Hi,

Something seems to have changed in the more recent CVS checkouts such
that lists of ports in rules are no longer valid:

        --== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Rule application order changed to Pass->Alert->Log

Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Initializing Preprocessors!
Initializing Plug-ins!
Initializating Output Plugins!

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR backdoor.rules (16) => Invalid port: 12345,12346


And that line is:

alert tcp $HOME_NET 12345,12346 -> $EXTERNAL_NET any (msg:"BACKDOOR -
netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401;)

Basically, any comma seperated list of ports now barf.  Is there a
preferred way of accomplishing this goal?

Scott






More information about the Snort-users mailing list