[Snort-users] Broken snort rule

Matt Olney molney at ...1935...
Tue Oct 7 10:23:11 EDT 2008


James,

This is an Emerging Threats rule, not a VRT rule.  However, if you need this
up and running, I would suggest changing the [] to $EXTERNAL_NET.  The ET
guys have some folks on this list, so hopefully they'll catch this.

Matt

On Tue, Oct 7, 2008 at 9:06 AM, James Lay <jlay at ...13475...> wrote:

> FYI
>
> > Subject: Oct  7 06:30:58 gateway snort[21619]: FATAL ERROR:
> > /chroot/snort/etc/snort/rules/emerging-compromised.rules(119) => Empty IP
> used
> > either as source IP or as destination IP in a rule. IP list: [].
>
> alert ip [] any -> $HOME_NET any (msg:"ET COMPROMISED Known Compromised or/
> Hostile Host Traffic (76)";/
> reference:url,doc.emergingthreats.net/bin/view/Main/CompromisedHosts;/
> threshold: type limit, track by_src, seconds 60, count 1;/
> classtype:misc-attack; sid:2500075; rev:1292;)
>
> James
>
>
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20081007/10298a2b/attachment-0001.html>


More information about the Snort-users mailing list