RE: [Snort-devel] rules problem relating to offset?

From: Kreimendahl, Chad J <Chad.Kreimendahl(at)umb.com>
Date: Mon Mar 31 2003 - 17:46:05 EST

We have a tool that does an update anytime it sees you guys commit rules, but the application of those to a policy is a manual process (for what I hope are obvious reasons). I used one of the default policies (about a month old), on development, without merging the new changes in.

My bad.

-----Original Message-----
From: Brian [mailto:bmc@snort.org]
Sent: Monday, March 31, 2003 4:29 PM
To: Kreimendahl, Chad J
Cc: snort-sigs@lists.sourceforge.net; snort-devel@lists.sourceforge.net Subject: Re: [Snort-devel] rules problem relating to offset?

On Mon, Mar 31, 2003 at 03:12:02PM -0600, Kreimendahl, Chad J wrote:
> FATAL ERROR: snort.conf (858): Unable to parse as offset value string

When you upgrade snort, you should upgrade your ruleset.

This was corrected before 2.0.0 rc1 went out.

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:" LIST |22 22| {"; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:7;)

-brian

---

This SF.net email is sponsored by: ValueWeb: Dedicated Hosting for just $79/mo with 500 GB of bandwidth! No other company gives more support or power for your dedicated server http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Mon Mar 31 18:08:05 2003