On 4/19/2013 12:46, waldo kitty wrote:
> On 4/19/2013 09:21, Ashraf Ali wrote:
>> *
>> Opened spool file '/var/log/snort/snort.u2.136637438'
>> 04/19-18:07:13.315134  [**] [1:1384:15] DOS UPnP malformed advertisement [**]
>> Segmentation fault*
>> Does it mean that rule (sid 1384) is not in proper format or not correct?
> no, it means that the data in the packet was malformed and detected as such...

this doesn't read as i intended it... the rule detects the malformed upnp 
advertisement and alerts on that... the data in the pcap is what snort caught 
and recorded... it may or may not have something to do with barnyard2's 

> why barnyard2 segfaulted is something the barnyard2 folks need to look at
> concerning this packet and barnyard's processing of the snort data...

this was written as i intended... the barnyard folks may need to look at this in 
case there's a bug in their processing due to this particular packet... unless, 
of course, the barnyard log contains other information about it...

