Snort mailing list archives

Re: Garbled classification


From: Phil Wood <cpw () lanl gov>
Date: Tue, 5 Jun 2001 09:07:03 -0600

On Tue, Jun 05, 2001 at 09:56:29AM +0200, Ralf Hildebrandt wrote:
> With a snort CVS snapshot I get a garbled classification:
> 
> Jun  5 09:27:49 john snort: SHELLCODE x86 setgid 0 [Classification: ?)^Z^H?:^Z^H0?^]^H@   Priority: 10]: 
> 62.157.136.80:443 -> 195.243.106.23:64965


Modify these three rules and the problem goes away.  It is really a problem
with the parser which should exit on a bad rule.

policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:6669 (msg:"INFO Possible IRC Access"; flags: A+; content: "NICK "; classtype:not-suspicious; classtype:unknown;) 
policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP anonymous FTP"; content:"anonymous"; nocase; flags:A+; classtype:not-suspicious; classtype:not-suspicious;;) 
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC snmpXdmi query";  rpc:100249,*,*; reference:bugtraq,2417; classtype:attempted-admin;classtype:attempted-recon;)

It is not fixed in cvs.

-- 
Phil Wood, cpw () lanl gov
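
The three rules above share two defects that the Snort parser of that snapshot accepted silently: a second classtype: option and, in the FTP rule, a stray ";;" that yields an empty option. The script below is an added example, not code from the thread or from the Snort project: a small rule-file lint that splits the option section on ';' (honouring double-quoted strings), reports any option in a constructed SINGLE_VALUED set that appears more than once, and flags empty options, so a bad rule is rejected before it ever reaches the parser. The sample rules are the three from the thread re-joined onto single lines, plus one clean rule constructed for contrast; the set of rule actions and single-valued options is an assumption for this example.

```python
"""Static check for Snort rule files: flag duplicate single-valued options
(such as a second classtype:) and stray ';;' so a bad rule is caught before
it is ever handed to the rule parser."""

import re

# Options a rule should carry at most once (constructed list for this
# example; extend as needed).
SINGLE_VALUED = {"msg", "classtype", "sid", "rev", "priority"}

# Rule actions recognised by this lint (assumption for the example).
ACTIONS = re.compile(r"^(alert|log|pass|activate|dynamic)\s")


def split_options(option_body):
    """Split the text inside the rule's parentheses on ';' while honouring
    double-quoted strings (a ';' inside content:"..." is data, not a
    separator). Returns the raw tokens, untrimmed."""
    tokens, cur, in_quote, escaped = [], [], False, False
    for ch in option_body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            tokens.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur))
    return tokens


def check_rule(rule):
    """Return a list of problems found in one rule (empty list if clean)."""
    problems = []
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        return ["rule options are not enclosed in parentheses"]
    tokens = [t.strip() for t in split_options(rule[start + 1:end])]
    # A rule normally ends with ';' just before ')', which produces one
    # trailing empty token; any other empty token is a stray ';'.
    if tokens and tokens[-1] == "":
        tokens.pop()
    seen = {}
    for tok in tokens:
        if tok == "":
            problems.append("empty option (stray ';;')")
            continue
        key = tok.split(":", 1)[0].strip().lower()
        seen[key] = seen.get(key, 0) + 1
    for key, count in seen.items():
        if key in SINGLE_VALUED and count > 1:
            problems.append(f"option '{key}' given {count} times")
    return problems


def check_rule_file(lines):
    """Check every rule line; returns {line_number: [problems]}.
    Lines may carry a 'file.rules:' grep prefix, as in the thread."""
    report = {}
    for lineno, line in enumerate(lines, 1):
        text = re.sub(r"^[\w.-]+\.rules:", "", line.strip())
        if not text or text.startswith("#") or not ACTIONS.match(text):
            continue
        found = check_rule(text)
        if found:
            report[lineno] = found
    return report


# Sample input: the three rules from the thread, each re-joined onto one
# line, plus one clean rule (constructed) for contrast.
SAMPLE_RULES = [
    'policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:6669 (msg:"INFO Possible IRC Access"; flags: A+; content: "NICK "; classtype:not-suspicious; classtype:unknown;)',
    'policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP anonymous FTP"; content:"anonymous"; nocase; flags:A+; classtype:not-suspicious; classtype:not-suspicious;;)',
    'rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC snmpXdmi query";  rpc:100249,*,*; reference:bugtraq,2417; classtype:attempted-admin;classtype:attempted-recon;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP anonymous FTP"; content:"anonymous"; nocase; flags:A+; classtype:not-suspicious;)',
]

if __name__ == "__main__":
    for lineno, problems in check_rule_file(SAMPLE_RULES).items():
        print(f"line {lineno}: " + "; ".join(problems))
```

Run against a real rules directory by feeding each file's lines to check_rule_file; the first three sample rules are reported, the clean fourth one is not. Splitting on ';' only outside quotes matters because a content: match may legitimately contain a semicolon.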


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
