Snort mailing list archives
Snort-1.8.6 on SuSE-7.2 selfmade pcap-0.7.1 dies in 'content list' ?!
From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Date: Wed, 10 Apr 2002 14:53:51 +0200
Hi! I just compiled the new snort 1.8.6 on a SuSE 7.2 with an also freshly compiled libpcap 0.7.1. I took the same ruleset as used by the currently running snort(1.8.3 build 90) and tried the new one with '-T -c ...file...'. The following rule kills this new snort: ----------------------------------------------------------------- # BadTrans MailWorm with passwd-mail-kill redalert tcp any any -> any 25 ( \ msg:"BadTrans.B Detected Sending Passwords!"; \ flags:PA; content-list:"/etc/snort/new-rules/badtrans"; \ nocase; resp:rst_all,icmp_all: classtype:misc-activity;) ----------------------------------------------------------------- (Originally the above is formatted as ONE line, but should be correctly written this way too) The new snort dies with a segfault while reading the Data of the file /etc/snort/new-rules/badtrans which contains only the Mailaddresses the virus sends to, line by line enclosed in quotes. I do not see anything special in that file... Any Ideas, what to setup/recompile/test ? Thanks, Stucki _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort-1.8.6 on SuSE-7.2 selfmade pcap-0.7.1 dies in 'content list' ?! Chr. v. Stuckrad (Apr 10)