[Snort-users] Strange effect after installing 1.8.2 (1.8.1 did work)

Martin Roesch roesch at ...1935...
Mon Nov 5 06:31:02 EST 2001


> 1) 'Something' does output Packet-Contents (but only contents, no header)
>    on the 'terminal' snort is started on!  The old 1.8.1 did not show
>    this behaviour.  Is there an 'official change' in snort or a module
>    which does define its output in a new way?

What command line are you using?


> 2) in the ddos-rules snort-1.8.2 complained about every rule,
>    which had a 'msg'-field including a ':' in the quoted string like:
> 
> redalert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)
> 
> In the same file there is a *working* rule with '\:' instead of ':',
> so I changed ALL the rules that way, and it seems to work...

The rule parser was changed to adhere to the language spec and tell you
when you did something wrong (like using a reserved char in the msg
argument field).  This behavior is correct.

     -Marty


--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
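
Added example (not part of the original post and not Snort's own code): a small Python checker that finds rules whose msg string contains an unescaped ':' and rewrites them with '\:', the change the poster made by hand. It assumes ':' is the only character to handle, since that is the only reserved character named in this thread; the second sample rule and all function names are constructed for illustration.

```python
import re
# Constructed sample: the first rule is the one quoted in the post; the second
# is a made-up rule whose msg already uses '\:' and must be left alone.
SAMPLE_RULES = r'''
redalert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)
alert tcp any any -> any 80 (msg:"EXAMPLE already\: escaped"; sid:1000001; rev:1;)
'''

# msg:"..." where the quoted body may contain backslash-escaped characters.
MSG_RE = re.compile(r'(msg\s*:\s*")((?:\\.|[^"\\])*)(")')

def escape_colons(body):
    """Escape every ':' that is not already part of a backslash escape."""
    out, fixed, i = [], 0, 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(body[i:i + 2])  # keep an existing escape pair intact
            i += 2
            continue
        if body[i] == ":":
            fixed += 1
            out.append("\\:")
        else:
            out.append(body[i])
        i += 1
    return "".join(out), fixed

def fix_rule(line):
    """Return (rewritten_line, number_of_colons_escaped) for one rule line."""
    total = 0
    def repl(m):
        nonlocal total
        body, n = escape_colons(m.group(2))
        total += n
        return m.group(1) + body + m.group(3)
    return MSG_RE.sub(repl, line), total

def lint(text):
    """Return [(line_number, colons_escaped, fixed_line)] for offending rules."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            fixed, n = fix_rule(line)
            if n:
                findings.append((lineno, n, fixed))
    return findings

if __name__ == "__main__":
    for lineno, n, fixed in lint(SAMPLE_RULES):
        print(f"line {lineno}: {n} unescaped ':' in msg\n  fixed: {fixed}")
```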



