Snort mailing list archives

RE: Error on new Rule


From: "Snort" <Snort () InterCept Net>
Date: Wed, 16 Mar 2005 10:13:36 -0500

For UDP you use ICMP and TCP uses resets.

The readme.flexresp and readme.inline might help clear a few things up,
along with the online manual:

http://www.snort.org/docs/snort_htmanuals/htmanual_232/node7.html

Michael Brown

  _____  

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ron
Jenkins
Posted At: Wednesday, March 16, 2005 9:12 AM
Posted To: Snort
Conversation: Error on new Rule
Subject: [Snort-users] Error on new Rule
  

On the below new rule, I added the react:block for the FlexResp feature
of snort.

alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; reference:url,www.blubster.com; reference:url,openlito.sourceforge.net; react:block; classtype:policy-violation; sid:3459; rev:2;)

I get the below error:

ERROR: Line /etc/snort/local.rules(28): TCP Options on non-TCP rule
Fatal Error, Quitting..

Does FlexResp only work on TCP rules and not UDP?

Thanks...

Ron Jenkins (MCNE, CNE6, MCP, CCNA, CCEA)
Senior Architect 
Data Integrity, LLC 
"We Integrate People with Solutions" 
1724 Dallas Drive 
Suite 11 
Baton Rouge, La 70806 
Office. 225.927.8030 
Fax. 225.927.8033 
Cell. 225.931.1632
Email. rjenkins () dibr net 
Web. www.dibr.net 
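
Added example (not part of either message, and not Snort project code): a small pre-load check for a rules file that reports the condition behind the error above, a `react` option on a non-TCP rule, and also reset-type `resp` modifiers on non-TCP rules. Assumptions: the `resp` modifier names (`rst_*`, `icmp_*`) are the Snort 2.x FlexResp ones, treating `rst_*` on a non-TCP rule as a mismatch follows the reply's description rather than a Snort error message, and the function names and sample rules are constructed for illustration.

```python
import re

# Constructed sample: the thread's rule joined onto one line (reference options
# omitted), then a variant using the FlexResp "resp" keyword with an ICMP reply.
SAMPLE_RULES = '''\
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; react:block; classtype:policy-violation; sid:3459; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"P2P Manolito Search Query"; content:"|01 02 00 14|"; offset:16; depth:4; resp:icmp_port; classtype:policy-violation; sid:3459; rev:2;)
'''

# action, protocol, rest of the header, then the parenthesised option body
RULE_RE = re.compile(r'^\s*(\w+)\s+(\w+)\s+[^(]*\((.*)\)\s*$')

def split_options(body):
    """Split an option body on ';', ignoring ';' inside double quotes.
    Escaped quotes inside a string are not handled."""
    opts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append(''.join(cur).strip())
    return [o for o in opts if o]

def lint_rules(text):
    """Return (line_no, sid, problem) for response options that do not fit the protocol."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue  # comments, blank lines, non-rule directives
        proto = m.group(2).lower()
        opts = {}
        for opt in split_options(m.group(3)):
            key, _, val = opt.partition(':')
            opts.setdefault(key.strip(), []).append(val.strip())
        sid = opts.get('sid', ['?'])[0]
        if 'react' in opts and proto != 'tcp':
            findings.append((no, sid, 'react on %s rule' % proto))
        for val in opts.get('resp', []):
            for mod in (v.strip() for v in val.split(',')):
                if mod.startswith('rst_') and proto != 'tcp':
                    findings.append((no, sid, 'resp:%s on %s rule' % (mod, proto)))
    return findings

if __name__ == '__main__':
    for no, sid, problem in lint_rules(SAMPLE_RULES):
        print('line %d sid %s: %s' % (no, sid, problem))
```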

 

