[Snort-users] SnortCenter and the Snort2.0 fixes

Brian bmc at ...950...
Tue Jun 17 18:46:03 EDT 2003


On Tue, Jun 17, 2003 at 07:52:47PM -0300, Daniel A. Melo wrote:
> I'm using Snort 2 and Snortcenter 1RC1 and I'm having lots of problems.
> 
> The rules with the option byte_test are with some kind of error - I
> think it's the empty byte_test:
> 
> alert ip $HOME_NET any -> $EXTERNAL_NET any( sid: 1882; rev: 9; msg:
> "ATTACK-RESPONSES id check returned userid"; content: " gid="; distance:
> 0; within: 15; byte_test: ; byte_test: 5,<,65537,0,relative,string;
> content: "uid="; byte_test: 5,<,65537,0,relative,string; classtype:
> bad-unknown;)

Yeah, if that's the rule SnortCenter gave you, then SnortCenter is
whacked.

That's totally the wrong order for the keywords.  Check out the official
rule and notice the differences:

    http://www.snort.org/snort-db/sid.html?sid=1882

-brian
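
An added example, not part of the original thread and not code from Snort or SnortCenter: a small Python lint run over the rule quoted above, flagging an option with an empty argument and `distance`/`within` attached to the first `content`. The function names and the checks themselves are assumptions of this example (heuristics, not Snort's own parser).

```python
# Constructed sample: the rule as quoted in the message above.
QUOTED_RULE = (
    'alert ip $HOME_NET any -> $EXTERNAL_NET any( sid: 1882; rev: 9; msg: '
    '"ATTACK-RESPONSES id check returned userid"; content: " gid="; distance: '
    '0; within: 15; byte_test: ; byte_test: 5,<,65537,0,relative,string; '
    'content: "uid="; byte_test: 5,<,65537,0,relative,string; classtype: '
    'bad-unknown;)'
)

def parse_options(rule):
    """Split the option body into (keyword, value) pairs; value is None when
    the option has no ':' at all. A ';' inside quotes or after '\\' is data."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options, buf, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            key, sep, value = buf.strip().partition(":")
            if key.strip():
                options.append((key.strip().lower(), value.strip() if sep else None))
            buf = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        buf += ch
    return options

def lint(rule):
    """Return (position, keyword, finding) for each suspicious option."""
    findings, contents = [], 0
    for pos, (key, value) in enumerate(parse_options(rule), start=1):
        if value == "":
            # Keyword followed by ':' but no argument, e.g. 'byte_test: ;'
            findings.append((pos, key, "empty argument"))
        elif key == "content":
            contents += 1
        elif key in ("distance", "within") and contents < 2:
            # Heuristic: these modifiers refer to the previous content match
            findings.append((pos, key, "no earlier content match to be relative to"))
        elif key == "byte_test" and value and contents == 0 and \
                "relative" in [f.strip() for f in value.split(",")]:
            findings.append((pos, key, "relative byte_test before any content"))
    return findings

if __name__ == "__main__":
    for pos, key, finding in lint(QUOTED_RULE):
        print(f"option {pos} ({key}): {finding}")
```
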



