'Re: [Snort-sigs] Crashing snort'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-sigs
Subject:    Re: [Snort-sigs] Crashing snort
From:       Matthew Jonkman <matt () infotex ! com>
Date:       2004-06-30 3:07:01
Message-ID: 40E22E55.6090207 () infotex ! com
[Download RAW message or body]

That was it. Thanks.

The little details on life are what always get you..

It's fixed and updated.

But why would that core snort rather than generating an error? Snort is
really good about catching and explaining unterminated options and such.

Matt

Joshua Berry wrote:

> The only thing that I notice is there is no semi-colon after the 
> flow:from_server,established on either rule.
> 
>     -----Original Message-----
>     *From:* snort-sigs-admin@lists.sourceforge.net on behalf of Matthew
>     Jonkman
>     *Sent:* Tue 6/29/2004 9:20 PM
>     *To:* snort-sigs mailinglist
>     *Cc:*
>     *Subject:* [Snort-sigs] Crashing snort
> 
>     Put these up but disabled them. They're causing snort to core, recent
>     stable version.
> 
>     alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P
>     iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74
>     20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500;
>     flow:from_server,established classtype:trojan-activity; sid:2000338;
>     rev:1;)
> 
>     alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any ( msg:"BLEEDING-EDGE P2P
>     iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C
>     20 4F 66 66 65 72 65 64 3A|"; depth:500; flow:from_server,established
>     classtype:trojan-activity; sid:2000339; rev:1;)
> 
>     Anyone see anything wrong there? Enableing either causes a core.
> 
>     Matt
>     --
> 
> 
>     -------------------------------------------------------
>     This SF.Net email sponsored by Black Hat Briefings & Training.
>     Attend Black Hat Briefings & Training, Las Vegas July 24-29 -
>     digital self defense, top technical experts, no vendor pitches,
>     unmatched networking opportunities. Visit www.blackhat.com
>     _______________________________________________
>     Snort-sigs mailing list
>     Snort-sigs@lists.sourceforge.net
>     https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> N?HS^?隊[)?{(??[?ZrAڴ?y???j)?



-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic