Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Snort-1.8.6 on SuSE-7.2 selfmade pcap-0.7.1 dies in 'content list' ?!

From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Date: Wed, 10 Apr 2002 14:53:51 +0200
Hi!

I just compiled the new snort 1.8.6 on a SuSE 7.2
with an also freshly compiled libpcap 0.7.1.

I took the same ruleset as used by the currently
running snort(1.8.3 build 90) and tried the
new one with '-T -c ...file...'.

The following rule kills this new snort:
-----------------------------------------------------------------
# BadTrans MailWorm with passwd-mail-kill
redalert tcp any any -> any 25 ( \
   msg:"BadTrans.B Detected Sending Passwords!"; \
   flags:PA; content-list:"/etc/snort/new-rules/badtrans"; \
   nocase; resp:rst_all,icmp_all: classtype:misc-activity;)
-----------------------------------------------------------------
(Originally the above is formatted as ONE line,
 but should be correctly written this way too)

The new snort dies with a segfault while reading
the Data of the file /etc/snort/new-rules/badtrans
which contains only the Mailaddresses the virus sends to,
line by line enclosed in quotes.

I do not see anything special in that file...

Any Ideas, what to setup/recompile/test ?

Thanks,     Stucki

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: