tugwilson.co.uk

• Next message: Andrew R. Baker: "[snort] New snort tool"
• Previous message: Erich Meier: "[snort] Livelock with "nocase""
• In reply to: Erich Meier: "[snort] Livelock with "nocase""
• Next in thread: Erich Meier: "Re: [snort] Livelock with "nocase""
• Next in thread: Martin Roesch: "Re: [snort] Livelock with "nocase""
• Reply: John Wilson: "Re: [snort] Livelock with "nocase""
• Reply: Erich Meier: "Re: [snort] Livelock with "nocase""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original Message -----
From: Erich Meier <Erich.Meierinformatik.uni-erlangen.de>
To: Snort List <snortbofh.kyrnet.kg>
Sent: 06 March 2000 15:17
Subject: [snort] Livelock with "nocase"

> Hi!
>
> The current version of snort (and all older versions with
sp_pattern_match.c)
> seem to have a livelock problem with nocase matches. When processing rules
like
>
> alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query";
content:"version|04|bind|0000 1000 03"; nocase;)
>
> snort seems to run in an endless cycle after a few minutes under heavy
traffic.
> Does anyone here use the "nocase" modifier and have similar problems?

Erich,

    do you get the problem with the this version of Snort without the
nocase option?

John Wilson
The Wilson Partnership
5 Market Hill, Whitchurch, Aylesbury, Bucks HP22 4JB, UK
+44 1296 641072, +44 976 611010(mobile), +44 1296 641874(fax)
Mailto: tugwilson.co.uk

• Next message: Andrew R. Baker: "[snort] New snort tool"
• Previous message: Erich Meier: "[snort] Livelock with "nocase""
• In reply to: Erich Meier: "[snort] Livelock with "nocase""
• Next in thread: Erich Meier: "Re: [snort] Livelock with "nocase""
• Next in thread: Martin Roesch: "Re: [snort] Livelock with "nocase""
• Reply: John Wilson: "Re: [snort] Livelock with "nocase""
• Reply: Erich Meier: "Re: [snort] Livelock with "nocase""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]