[Snort-users] Comma separated port lists broken?
Scott A. McIntyre
scott at ...1050...
Tue Mar 27 01:48:19 EST 2001
Something seems to have changed in the more recent CVS checkouts such
that lists of ports in rules are no longer valid:
--== Initializing Snort ==--
Checking PID path...
PATH_VARRUN is set to /var/run/ on this operating system
Rule application order changed to Pass->Alert->Log
Initializing Network Interface eth0
Decoding Ethernet on interface eth0
Initializating Output Plugins!
Initializing rule chains...
ERROR backdoor.rules (16) => Invalid port: 12345,12346
And that line is:
alert tcp $HOME_NET 12345,12346 -> $EXTERNAL_NET any (msg:"BACKDOOR -
netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401;)
Basically, any comma separated list of ports now barfs. Is there a
preferred way of accomplishing this goal?