Snort mailing list archives

Rules: flags burp using 2.0.2?


From: John Sage <jsage () finchhaven com>
Date: Sun, 21 Sep 2003 17:31:01 -0700

Successfully put on 2.0.2; runs great, and is less filling.

/* specs, for the record */
[jsage@greatwall /etc/snort]$ uname -a
Linux greatwall 2.4.18-5 #1 Mon Jun 10 15:14:29 EDT 2002 i586 unknown

[jsage@greatwall /etc/snort]$ snort -V
-*> Snort! <*-
Version 2.0.2 (Build 92)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

[jsage@greatwall /etc/snort]$ gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-110)
/* end specs */

But, suddenly these sorts of rules aren't working:

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: S; msg:"TCP \
  inbound to 135 dcom, SYN";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: A; dsize: 0; \
  msg:"TCP inbound to 135 dcom, ACK";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: AF; dsize: 0; \
  msg:"TCP inbound to 135 dcom, ACK-FIN";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (flags: F; msg:"TCP \
  inbound to 135 dcom, FIN";)

Rather than picking up these, it drops through to the generic TCP:135
rule I've got, which confuses what I'm trying to do...

Wha' happen' between 1.9.1 and here, flags-wise?

TIA..


- John
-- 
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
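A small model of how Snort matches the flags: option against the TCP flags byte, run over the four rules quoted above and a few constructed packets. This is an added example, not code from the post or from Snort itself: the matching modes (exact by default, + for "these plus any others", * for "any of these", ! for "none of these", and the ,<bits> suffix that masks bits out of the comparison) follow the Snort 2.x rules manual, while the rule and packet dicts, the rule names DCOM_RULES and the packet constants are simplifications assumed here. It models only flags: and dsize:, not the 2.0 detection engine's rule ordering, so it says nothing about why a packet falls through to another rule; what it does show is that a bare flags:S is an exact match and does not fire on a SYN that also carries the reserved bits, whereas flags:S,12 does.

```python
# Added example (not from the original post or from Snort): a model of the
# documented semantics of Snort's ``flags:`` rule option, run over the rules
# from the post and some constructed TCP flag bytes.

TCP_FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 (ECE in RFC 3168 terms)
    "1": 0x80,  # reserved bit 1, the MSB (CWR in RFC 3168 terms)
}


def parse_flags_spec(spec):
    """Parse the argument of ``flags:`` into (mode, bits, mask).

    mode is one of:
      "exact" - the flags byte (after masking) must equal ``bits`` exactly
      "plus"  - ``bits`` must all be set; other bits may be set too  (``+``)
      "any"   - at least one of ``bits`` must be set                 (``*``)
      "not"   - none of ``bits`` may be set                          (``!``)
    An optional ``,<flags>`` suffix names bits to ignore, e.g. ``S,12``.
    """
    spec = spec.replace(" ", "")
    mask = 0
    if "," in spec:
        spec, ignore = spec.split(",", 1)
        for ch in ignore:
            mask |= TCP_FLAG_BITS[ch]
    mode = "exact"
    bits = 0
    for ch in spec:
        if ch == "+":
            mode = "plus"
        elif ch == "*":
            mode = "any"
        elif ch == "!":
            mode = "not"
        elif ch == "0":
            pass  # "0" means "no flags set" and contributes no bits
        else:
            bits |= TCP_FLAG_BITS[ch]
    return mode, bits, mask


def flags_match(spec, tcp_flags_byte):
    """Return True if a packet with this TCP flags byte satisfies ``flags:spec``."""
    mode, bits, mask = parse_flags_spec(spec)
    observed = tcp_flags_byte & 0xFF & ~mask   # masked bits are dropped before comparing
    if mode == "exact":
        return observed == bits
    if mode == "plus":
        return observed & bits == bits
    if mode == "any":
        return observed & bits != 0
    return observed & bits == 0  # "not"


def rule_matches(rule, pkt):
    """Evaluate the ``flags:`` and optional ``dsize:`` options of a simplified rule.

    ``rule`` is an assumed dict such as {"msg": ..., "flags": "A", "dsize": 0};
    ``pkt`` is an assumed dict with "flags" (TCP flags byte) and "dsize"
    (payload length). Nothing about Snort's rule ordering is modelled.
    """
    if not flags_match(rule["flags"], pkt["flags"]):
        return False
    if "dsize" in rule and pkt["dsize"] != rule["dsize"]:
        return False
    return True


def matching_rules(rules, pkt):
    """Return the msg of every rule in ``rules`` whose options match ``pkt``."""
    return [r["msg"] for r in rules if rule_matches(r, pkt)]


# The four rules from the post, reduced to the options modelled here.
DCOM_RULES = [
    {"msg": "TCP inbound to 135 dcom, SYN", "flags": "S"},
    {"msg": "TCP inbound to 135 dcom, ACK", "flags": "A", "dsize": 0},
    {"msg": "TCP inbound to 135 dcom, ACK-FIN", "flags": "AF", "dsize": 0},
    {"msg": "TCP inbound to 135 dcom, FIN", "flags": "F"},
]

# Constructed packets (flags byte, payload length); not captured traffic.
PLAIN_SYN = {"flags": 0x02, "dsize": 0}
ECN_SYN = {"flags": 0x02 | 0x40 | 0x80, "dsize": 0}   # SYN with both reserved bits set
BARE_ACK = {"flags": 0x10, "dsize": 0}
ACK_WITH_DATA = {"flags": 0x18, "dsize": 72}           # PSH|ACK carrying payload

if __name__ == "__main__":
    for name, pkt in [("plain SYN", PLAIN_SYN), ("SYN with reserved bits", ECN_SYN),
                      ("bare ACK", BARE_ACK), ("PSH|ACK + data", ACK_WITH_DATA)]:
        print(f"{name:24s} -> {matching_rules(DCOM_RULES, pkt)}")
    # Exact-match flags:S does not fire on the ECN SYN; masking the reserved bits does.
    print("flags:S    on ECN SYN:", flags_match("S", ECN_SYN["flags"]))
    print("flags:S,12 on ECN SYN:", flags_match("S,12", ECN_SYN["flags"]))
```

Running it prints one matching rule for the plain SYN and the bare ACK and none for the other two packets; the last two lines show the same SYN with reserved bits failing flags:S and passing flags:S,12. To check a live capture against these rules, feed the real flags byte and payload length into the packet dicts.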

