[Snort-users] SnortCenter and the Snort2.0 fixes

Brian bmc at ...950...
Tue Jun 17 18:46:03 EDT 2003

On Tue, Jun 17, 2003 at 07:52:47PM -0300, Daniel A. Melo wrote:
> I'm using Snort 2 and Snortcenter 1RC1 and i'm having lots of problems.
> The rules with the option byte_test are with some kind of error - i
> think it's the empty byte_test :
> alert ip $HOME_NET any -> $EXTERNAL_NET any( sid: 1882; rev: 9; msg:
> "ATTACK-RESPONSES id check returned userid"; content: " gid="; distance:
> 0; within: 15; byte_test: ; byte_test: 5,<,65537,0,relative,string;
> content: "uid="; byte_test: 5,<,65537,0,relative,string; classtype:
> bad-unknown;)

yeah, if thats the rule SnortCenter gave you, then SnortCenter is

Thats totally the wrong order for the keywords.  Check out the official
rule and notice the differences:



More information about the Snort-users mailing list