Snort mailing list archives

Re: Strange effect after installing 1.8.2 (1.8.1 did work)


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 05 Nov 2001 09:34:25 -0500

1) 'Something' does output Packet-Contents (but only contents, no header)
   on the 'terminal' snort is started on!  The old 1.8.1 did not show
   this behaviour.  Is there an 'official change' in snort or a module
   which does define its output in a new way?

What command line are you using?


2) in the ddos-rules snort-1.8.2 complained about every rule,
   which had a 'msg'-field including a ':' in the quoted string like:

redalert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; 
content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)

In the same file there is a *working* rule with '\:' instead of ':',
so I changed ALL the rules that way, and it seems to work...

The rule parser was changed to adhere to the language spec and tell you
when you did something wrong (like using a reserved char in the msg
argument field).  This behavior is correct.

     -Marty


--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
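
An added example, not part of the original message and not Snort code: a Python sketch that applies the '\:' workaround from point 2 only inside the quoted msg string, leaving option separators such as classtype: untouched. It assumes ':' is the only character that needs escaping (the only one the thread names); the function names and the second sample rule are constructed.

```python
import re

# The msg option of a rule: msg:"..." with backslash escapes allowed inside.
MSG_RE = re.compile(r'(\bmsg\s*:\s*")((?:\\.|[^"\\])*)(")')

def escape_msg(text):
    """Escape each ':' in a msg string unless it is already escaped."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i:i + 2])   # keep an existing escape pair as is
            i += 2
            continue
        out.append("\\:" if text[i] == ":" else text[i])
        i += 1
    return "".join(out)

def fix_rule(line):
    """Return the rule with its msg string escaped; comments are skipped."""
    if line.lstrip().startswith("#"):
        return line
    return MSG_RE.sub(
        lambda m: m.group(1) + escape_msg(m.group(2)) + m.group(3), line)

def fix_rules(text):
    """Return (fixed_text, changed_line_numbers) for a rules file body."""
    fixed, changed = [], []
    for number, line in enumerate(text.splitlines(), 1):
        new = fix_rule(line)
        if new != line:
            changed.append(number)
        fixed.append(new)
    return "\n".join(fixed), changed

# Line 1 is the rule quoted in the thread, joined onto one line.
# Line 2 is a constructed rule whose msg is already escaped.
SAMPLE = "\n".join([
    r'redalert udp $EXTERNAL_NET any -> $HOME_NET 31335 '
    r'(msg:"DDOS Trin00:DaemontoMaster(messagedetected)"; content:"l44";'
    r'reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)',
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 31335 '
    r'(msg:"DDOS constructed\: already escaped"; sid:1000001; rev:1;)',
])

if __name__ == "__main__":
    fixed, changed = fix_rules(SAMPLE)
    print("rewritten lines:", changed)
    print(fixed)
```

Running it a second time over its own output changes nothing, so it can be used as a pre-upgrade check as well as a fixer.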
