Subject: Re: [snort] Livelock with "nocase"
From: Martin Roesch (roesch hiverworld.com)
Date: Mon Mar 06 2000 - 15:58:11 CST
- Next message: Martin Roesch: "Re: [snort] Spurious ALERT msgs in syslog"
- Previous message: Erich Meier: "Re: [snort] Livelock with "nocase""
- In reply to: Erich Meier: "Re: [snort] Livelock with "nocase""
- Next in thread: John Wilson: "Re: [snort] Livelock with "nocase""
- Next in thread: Martin Roesch: "Re: [snort] Livelock with "nocase""
- Reply: Martin Roesch: "Re: [snort] Livelock with "nocase""
Erich Meier wrote:
> alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query";
> content:"version|04|bind|0000 1000 03"; nocase;)
One thing: you're missing the closing "pipe" character on the rule
you've got there, that could be causing the crash.....
--
Martin Roesch <roeschhiverworld.com>
Director of Forensic Systems
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
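
A pre-load check for the unbalanced pipe pointed out in the message above, as an added example (not part of the original post and not Snort's own parser). The function names, the repaired rule and the handling of whitespace inside the pipes are assumptions of this sketch.

```python
import re

# Rule as quoted in the message above (joined onto one line), plus a repaired
# copy. Where the closing pipe belongs is an assumption; the thread does not say.
RULE_FROM_POST = ('alert udp $EXTERNAL any -> $INTERNAL 53 (msg:"DNS-version-query"; '
                  'content:"version|04|bind|0000 1000 03"; nocase;)')
RULE_REPAIRED = RULE_FROM_POST.replace('1000 03"', '1000 03|"')

HEX_DIGITS = set("0123456789abcdefABCDEF")


def decode_content(pattern):
    """Decode a content string in which |...| encloses hex bytes.

    Returns (decoded_bytes, errors). Simplifications of this sketch:
    backslash escapes are not handled and whitespace inside |...| is ignored.
    """
    out, errors = bytearray(), []
    parts = pattern.split("|")  # even index: literal text, odd index: hex section
    unterminated = len(parts) % 2 == 0  # an odd number of pipes was seen
    if unterminated:
        errors.append("unterminated hex section opened at offset %d"
                      % pattern.rfind("|"))
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")
        elif unterminated and i == len(parts) - 1:
            continue  # never closed: do not guess what the author meant
        else:
            digits = "".join(part.split())
            if set(digits) - HEX_DIGITS:
                errors.append("non-hex characters in |%s|" % part)
            elif len(digits) % 2:
                errors.append("odd number of hex digits in |%s|" % part)
            else:
                out += bytes.fromhex(digits)
    return bytes(out), errors


def lint_rule(rule):
    """Collect decode errors for every content option in one rule."""
    errors = []
    for pattern in re.findall(r'content:\s*"([^"]*)"', rule):
        errors.extend(decode_content(pattern)[1])
    return errors


if __name__ == "__main__":
    for rule in (RULE_FROM_POST, RULE_REPAIRED):
        print(lint_rule(rule) or "ok", "<-", rule)
```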