Re: help with rules - data capturing

["Paul Melson" <pmelson () gmail com>]

On 12/21/07, Timothy Ding <iolabs () gmail com> wrote:
> many thanks for the reply Paul, i still don't get any results from the rule,
> could it possibly be the version of snort (ver 2.3.3) that i am using?

Yes, I think it could.  I second Joel's suggestion that you upgrade to
Snort 2.8.  I don't subscribe to the notion that you should
automatically run the latest version of anything, but 2.8(.0.1) is a
big improvement in performance and functionality from 2.7, let alone
2.3.  And 2.3 is old enough that you are bound to run into problems
with rules being published by Sourcefire or others.

If you are unable to upgrade from 2.3 for some reason, I recommend
removing the flow: tag from my suggested rule as a first
troubleshooting step.

PaulM

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users