[Snort-users] Comma separated port lists broken?

Martin Roesch roesch at ...421...
Tue Mar 27 02:10:34 EST 2001


They never were valid, we just fixed the parser to point this fact out.
:)

    -Marty

"Scott A. McIntyre" wrote:
> 
> Hi,
> 
> Something seems to have changed in the more recent CVS checkouts such
> that lists of ports in rules are no longer valid:
> 
>         --== Initializing Snort ==--
> Checking PID path...
> PATH_VARRUN is set to /var/run/ on this operating system
> Rule application order changed to Pass->Alert->Log
> 
> Initializing Network Interface eth0
> Decoding Ethernet on interface eth0
> Initializing Preprocessors!
> Initializing Plug-ins!
> Initializating Output Plugins!
> 
> +++++++++++++++++++++++++++++++++++++++++++++++++++
> Initializing rule chains...
> ERROR backdoor.rules (16) => Invalid port: 12345,12346
> 
> And that line is:
> 
> alert tcp $HOME_NET 12345,12346 -> $EXTERNAL_NET any (msg:"BACKDOOR -
> netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401;)
> 
> Basically, any comma separated list of ports now barfs.  Is there a
> preferred way of accomplishing this goal?
> 
> Scott
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
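
A small lint for the parser behaviour discussed in this thread, as an added example that is not part of the original messages and not Snort's own code: it flags port fields in rule headers that are not one of the forms the Snort rule language documents (any, a single port, a low:high range, optionally negated with !), and for a contiguous list such as 12345,12346 it proposes the equivalent range. The function names and the sample rules are constructed here; `$` port variables are passed through unchecked, which is an assumption.

```python
import re

# Documented port forms: any, N, N:M, N:, :M; numeric forms may be negated with "!".
PORT_RE = re.compile(r"^(any|!?(\d{1,5}|\d{1,5}:\d{0,5}|:\d{1,5}))$")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}

def port_ok(field):
    """True if field is a syntactically valid port spec with ports <= 65535."""
    if field.startswith("$"):       # assumption: variable reference, not resolved here
        return True
    if not PORT_RE.match(field):
        return False
    return all(int(n) <= 65535 for n in re.findall(r"\d+", field))

def suggest(field):
    """Propose a replacement for a comma-separated port list, else None."""
    parts = field.split(",")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return None                 # not a plain list (negated lists are left alone)
    ports = sorted(set(int(p) for p in parts))
    if ports[-1] - ports[0] == len(ports) - 1:
        return f"{ports[0]}:{ports[-1]}"    # contiguous: one range covers the list
    return "one rule per port: " + " / ".join(map(str, ports))

def check_rules(text):
    """Return (line_no, bad_field, suggestion) for each invalid port field."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hdr = line.split("(", 1)[0].split()
        if len(hdr) != 7 or hdr[0] not in ACTIONS:
            continue                # comment, var, include, or incomplete header
        for field in (hdr[3], hdr[6]):      # source port, destination port
            if not port_ok(field):
                findings.append((no, field, suggest(field)))
    return findings

# Constructed sample: line 2 is the rule quoted in the thread, joined onto one line.
SAMPLE = '''\
# constructed rules file for the lint
alert tcp $HOME_NET 12345,12346 -> $EXTERNAL_NET any (msg:"BACKDOOR - netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401;)
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"same ports, range form";)
alert tcp any any -> $HOME_NET 21,23,80 (msg:"constructed example";)
'''

if __name__ == "__main__":
    for no, field, hint in check_rules(SAMPLE):
        print(f"line {no}: invalid port '{field}' -> {hint}")
```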



