Re: [Snort-users] Snort 2.8.0.1 segfaults on a specific rule -

Ya, that was a script error that gave the empty ip list. Was fixed
shortly after, should be good to go now.

Matt

James Lay wrote:
> On 1/15/08 9:15 AM, "Andreas Maus" <maus@ypbind.de> wrote:
>
>> Hi list!
>>
>> After an upgrade of the bleedingedge ruleset I discovered that
>> Snort (2.8.0 and 2.8.0.1) dumps core on a specific rule.
>>
>> This rule can be found in bleeding-botcc.rules. There is only
>> on rule so finding that rule was easy ;)
>>
>> The offending rule is:
>>
>> alert ip $HOME_NET any -> [] any (msg:"BLEEDING-EDGE DROP Known Bot C&C Server
>> Traffic (group 1) "; reference:url,www.shadowserver.org; threshold: type
>> limit, track by_src, seconds 3600, count
>> :trojan-activity; sid:2404000; rev:1026;)
>>
>> I guess it is the "-> []" part that triggers the core dump
>> (I will also post a mail to the appropiate mailinglist - snort-sigs ?
>> about this).
>>
>> Anyway I don't think it is the desired behavior to just SIGSEGV.
>> An error will be o.k.
>>
>> The outout from snort was:
>>
>> Running in Test mode with config file: /etc/snort/snort.conf
>> Running in IDS mode
>
>
> I saw the same thing...oinkmaster runs at 6 AM here, and it couldn't hit
> snort.org, so I killed the process...on two boxes snort would seg fault. I
> reran oinkmaster at 6:38, and could connect and the problem went away. I
> suspect the rules was fixed then.
>
> James
>
>
>> --== Initializing Snort ==--
>> Initializing Output Plugins!
>> Initializing Preprocessors!
>> Initializing Plug-ins!
>> Parsing Rules file /etc/snort/snort.conf
>> PortVar 'HTTP_PORTS' defined : [ 80]
>> PortVar 'SHELLCODE_PORTS' defined : [ 0:79 81:65535]
>> PortVar 'ORACLE_PORTS' defined : [ 1521]
>> -------------------------------------------------
>> Keyword | Preprocessor @
>> -------------------------------------------------
>> rpc_decode : 0x45f6fe
>> bo : 0x45e7aa
>> stream4 : 0x4612d2
>> stream4_reassemble: 0x462ab8
>> stream4_external: 0x462457
>> arpspoof : 0x45daf5
>> arpspoof_detect_host: 0x45dc46
>> http_inspect : 0x4796a2
>> http_inspect_server: 0x4796a2
>> PerfMonitor : 0x471b42
>> flow : 0x47d90e
>> flow-portscan: 0x48d955
>> sfportscan : 0x4809cc
>> frag3_global : 0x4811d2
>> frag3_engine : 0x48130f
>> stream5_global: 0x488594
>> stream5_tcp : 0x488fbd
>> stream5_udp : 0x489034
>> stream5_icmp : 0x4890ab
>> -------------------------------------------------
>>
>> -------------------------------------------------
>> Keyword | Plugin Registered @
>> -------------------------------------------------
>> content : 0x4521af
>> offset : 0x452616
>> depth : 0x45278d
>> nocase : 0x452927
>> rawbytes : 0x4529f9
>> uricontent : 0x452281
>> http_client_body: 0x45235e
>> http_uri : 0x4524ba
>> distance : 0x452aae
>> within : 0x452c3c
>> replace : 0x45075b
>> flags : 0x455433
>> itype : 0x44e943
>> icode : 0x44de9f
>> ttl : 0x4560bf
>> id : 0x44f8df
>> ack : 0x455223
>> seq : 0x455c17
>> dsize : 0x44d86b
>> ipopts : 0x450277
>> rpc : 0x454223
>> icmp_id : 0x44e4b3
>> icmp_seq : 0x44e6fb
>> session : 0x4549d3
>> tos : 0x44ffd3
>> fragbits : 0x44ef53
>> fragoffset : 0x44f542
>> window : 0x455dfe
>> ip_proto : 0x44facf
>> sameip : 0x44fe0b
>> flow : 0x4567ea
>> byte_test : 0x456f0b
>> byte_jump : 0x45790b
>> isdataat : 0x458e8f
>> pcre : 0x4582f2
>> flowbits : 0x45941a
>> asn1 : 0x45a27f
>> ftpbounce : 0x45a8db
>> urilen : 0x45adea
>> -------------------------------------------------
>>
>> -------------------------------------------------
>> Keyword | Output @
>> -------------------------------------------------
>> alert_syslog : 0x440aa3
>> log_tcpdump : 0x44732f
>> database : 0x442f3b
>> alert_fast : 0x43fcfb
>> alert_full : 0x44049b
>> alert_unixsock: 0x4417e3
>> alert_CSV : 0x441dd3
>> log_null : 0x447247
>> log_unified : 0x4499be
>> alert_unified: 0x449667
>> unified : 0x447bcf
>> log_unified2 : 0x44b80a
>> alert_unified2: 0x44b77f
>> unified2 : 0x44a643
>> log_ascii : 0x44b8e7
>> alert_sf_socket: 0x44c53f
>> alert_sf_socket_sid: 0x44c883
>> alert_test : 0x44d0fb
>> -------------------------------------------------
>>
>> Detection:
>> Search-Method = Low-Mem
>> ,-----------[Flow Config]----------------------
>> | Stats Interval: 0
>> | Hash Method: 2
>> | Memcap: 10485760
>> | Rows : 4096
>> | Overhead Bytes: 32776(%0.31)
>> `----------------------------------------------
>> Frag3 global config:
>> Max frags: 65536
>> Fragment memory cap: 4194304 bytes
>> Frag3 engine config:
>> Target-based policy: FIRST
>> Fragment timeout: 60 seconds
>> Fragment min_ttl: 1
>> Fragment ttl_limit: 5
>> Fragment Problems: 1
>> Stream4 config:
>> Stateful inspection: ACTIVE
>> Session statistics: INACTIVE
>> Session timeout: 30 seconds
>> Session memory cap: 8388608 bytes
>> Session count max: 8192 sessions
>> Session cleanup count: 5
>> State alerts: INACTIVE
>> Evasion alerts: INACTIVE
>> Scan alerts: INACTIVE
>> Log Flushed Streams: INACTIVE
>> MinTTL: 1
>> TTL Limit: 5
>> Async Link: 0
>> State Protection: 0
>> Self preservation threshold: 50
>> Self preservation period: 90
>> Suspend threshold: 200
>> Suspend period: 30
>> Enforce TCP State: INACTIVE
>> Midstream Drop Alerts: INACTIVE
>> Allow Blocking of TCP Sessions in Inline: ACTIVE
>> WARNING /etc/snort/snort.conf(439) => flush_behavior set in config file, using
>> old static flushpoints (0)
>> Stream4_reassemble config:
>> Server reassembly: INACTIVE
>> Client reassembly: ACTIVE
>> Reassembler alerts: ACTIVE
>> Zero out flushed packets: INACTIVE
>> Flush stream on alert: INACTIVE
>> flush_data_diff_size: 500
>> Reassembler Packet Preferance : Favor Old
>> Packet Sequence Overlap Limit: -1
>> Flush behavior: Small (<255 bytes)
>> Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513 1433 1521
>> 3306
>> Emergency Ports: 21 23 25 42 53 80 110 111 135 136 137 139 143 445 513
>> 1433 1521 3306
>> PerfMonitor config:
>> Time: 300 seconds
>> Flow Stats: INACTIVE
>> Event Stats: INACTIVE
>> Max Perf Stats: INACTIVE
>> Console Mode: INACTIVE
>> File Mode: /var/log/snort/snort.stats
>> SnortFile Mode: INACTIVE
>> Packet Count: 10000
>> Dump Summary: No
>> HttpInspect Config:
>> GLOBAL CONFIG
>> Max Pipeline Requests: 0
>> Inspection Type: STATELESS
>> Detect Proxy Usage: NO
>> IIS Unicode Map Filename: /etc/snort/unicode.map
>> IIS Unicode Map Codepage: 1252
>> DEFAULT SERVER CONFIG:
>> Server profile: All
>> Ports: 80 8080 8180
>> Flow Depth: 300
>> Max Chunk Length: 500000
>> Inspect Pipeline Requests: YES
>> URI Discovery Strict Mode: NO
>> Allow Proxy Usage: NO
>> Disable Alerting: NO
>> Oversize Dir Length: 500
>> Only inspect URI: NO
>> Ascii: YES alert: NO
>> Double Decoding: YES alert: YES
>> %U Encoding: YES alert: YES
>> Bare Byte: YES alert: YES
>> Base36: OFF
>> UTF 8: OFF
>> IIS Unicode: YES alert: YES
>> Multiple Slash: YES alert: NO
>> IIS Backslash: YES alert: NO
>> Directory Traversal: YES alert: NO
>> Web Root Traversal: YES alert: YES
>> Apache WhiteSpace: YES alert: NO
>> IIS Delimiter: YES alert: NO
>> IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
>> Non-RFC Compliant Characters: NONE
>> Whitespace Characters: 0x09 0x0b 0x0c 0x0d
>> rpc_decode arguments:
>> Ports to decode RPC on: 111 32771
>> alert_fragments: INACTIVE
>> alert_large_fragments: ACTIVE
>> alert_incomplete: ACTIVE
>> alert_multiple_requests: ACTIVE
>> Portscan Detection Config:
>> Detect Protocols: TCP UDP ICMP IP
>> Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
>> Sensitivity Level: Medium
>> Memcap (in bytes): 10000000
>> Number of Nodes: 31347
>> Ignore Scanner IP List:
>> 213.146.114.84 / 255.255.255.255
>> 88.198.22.244 / 255.255.255.255
>>
>> PortVar 'SSH_PORTS' defined : [ 22]
>> Tagged Packet Limit: 256
>> Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
>> done
>> Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/...
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
>> Loading dynamic preprocessor library
>> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.s
>> o... done
>> Finished Loading all dynamic preprocessor libs from
>> /usr/local/lib/snort_dynamicpreprocessor/
>> FTPTelnet Config:
>> GLOBAL CONFIG
>> Inspection Type: stateful
>> Check for Encrypted Traffic: YES alert: YES
>> Continue to check encrypted data: NO
>> TELNET CONFIG:
>> Ports: 23
>> Are You There Threshold: 200
>> Normalize: YES
>> Detect Anomalies: NO
>> FTP CONFIG:
>> FTP Server: default
>> Ports: 21
>> Check for Telnet Cmds: YES alert: YES
>> Identify open data channels: YES
>> FTP Client: default
>> Check for Bounce Attacks: YES alert: YES
>> Check for Telnet Cmds: YES alert: YES
>> Max Response Length: 256
>>
>> SMTP Config:
>> Ports: 25
>> Inspection Type: Stateful
>> Normalize: EXPN RCPT VRFY
>> Ignore Data: No
>> Ignore TLS Data: No
>> Ignore SMTP Alerts: No
>> Max Command Line Length: Unlimited
>> Max Specific Command Line Length:
>> ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
>> RCPT:300 VRFY:255
>> Max Header Line Length: Unlimited
>> Max Response Line Length: Unlimited
>> X-Link2State Alert: Yes
>> Drop on X-Link2State Alert: No
>> Alert on commands: None
>>
>> DCE/RPC Decoder config:
>> Autodetect ports ENABLED
>> SMB fragmentation ENABLED
>> DCE/RPC fragmentation ENABLED
>> Max Frag Size: 3000 bytes
>> Memcap: 100000 KB
>> Alert if memcap exceeded DISABLED
>>
>> DNS config:
>> DNS Client rdata txt Overflow Alert: ACTIVE
>> Obsolete DNS RR Types Alert: INACTIVE
>> Experimental DNS RR Types Alert: INACTIVE
>> Ports: 53
>>
>> ++++++++++++++++++++++++++++++++++++++++++++++++++ +
>> Initializing rule chains...
>> Segmentation fault (core dumped)
>>
>> The backtrace is from the core file is:
>>
>> debian3164m:/tmp/snort-2.8.0.1# ocal/bin/snort core
>> GNU gdb 6.4.90-debian
>> Copyright (C) 2006 Free Software Foundation, Inc.
>> GDB is free software, covered by the GNU General Public License, and you are
>> welcome to change it and/or distribute copies of it under certain conditions.
>> Type "show copying" to see the conditions.
>> There is absolutely no warranty for GDB. Type "show warranty" for details.
>> This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db
>> library "/lib/libthread_db.so.1".
>>
>> Reading symbols from /usr/lib/libmysqlclient.so.14...done.
>> Loaded symbols for /usr/lib/libmysqlclient.so.14
>> Reading symbols from /lib/libcrypt.so.1...done.
>> Loaded symbols for /lib/libcrypt.so.1
>> Reading symbols from /usr/lib/libz.so.1...done.
>> Loaded symbols for /usr/lib/libz.so.1
>> Reading symbols from /usr/lib/libpcre.so.3...done.
>> Loaded symbols for /usr/lib/libpcre.so.3
>> Reading symbols from /usr/lib/libpcap.so.0.8...done.
>> Loaded symbols for /usr/lib/libpcap.so.0.8
>> Reading symbols from /lib/libm.so.6...done.
>> Loaded symbols for /lib/libm.so.6
>> Reading symbols from /lib/libnsl.so.1...done.
>> Loaded symbols for /lib/libnsl.so.1
>> Reading symbols from /lib/libdl.so.2...done.
>> Loaded symbols for /lib/libdl.so.2
>> Reading symbols from /usr/lib/libnet.so.0...done.
>> Loaded symbols for /usr/lib/libnet.so.0
>> Reading symbols from /lib/libc.so.6...done.
>> Loaded symbols for /lib/libc.so.6
>> Reading symbols from /lib/ld-linux-x86-64.so.2...done.
>> Loaded symbols for /lib64/ld-linux-x86-64.so.2
>> Reading symbols from /lib/libnss_files.so.2...done.
>> Loaded symbols for /lib/libnss_files.so.2
>> Reading symbols from
>> /usr/local/lib/snort_dynamicengine/libsf_engine.so...done.
>> Loaded symbols for /usr/local/lib/snort_dynamicengine/libsf_engine.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dcerpc_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so...done.
>> Loaded symbols for
>> /usr/local/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so
>> Reading symbols from
>> /usr/local/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
>> ...done.
>> Loaded symbols for
>>
> /usr/local/lib/snort_dynamicpreprocessor//lib_sfdynamic_preprocessor_example.s>
> o
>> Core was generated by `/usr/local/bin/snort -p -u snort -g snort -b -i eth0 -l
>> /var/log/snort -c /etc/'.
>> Program terminated with signal 11, Segmentation fault.
>> #0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
>> parser.c:1556
>> 1556 if(!addrset->iplist || !addrset->neg_iplist)
>> (gdb) bt
>> #0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
>> parser.c:1556
>> #1 0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>> prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
>> DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_src, se
>> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
>> #2 0x0000000000415bda in ParseRulesFile (file=0x40dd840
>> "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
>> parser.c:732
>> #3 0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70
>> "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at
>> parser.c:1749
>> #4 0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0
>> "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
>> #5 0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
>> snort.c:913
>> #6 0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
>> (gdb) bt full
>> #0 0x0000000000416e45 in CheckForIPListConflicts (addrset=0x0) at
>> parser.c:1556
>> idx = (IpAddrNode *) 0x0
>> neg_idx = (IpAddrNode *) 0x0
>> #1 0x0000000000417d63 in ParseRule (rule_file=0x12edb30,
>> prule=0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
>> DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_src, se
>> count 1; clas"..., inclevel=1, parse_rule_lines=1) at parser.c:2090
>> toks = (char **) 0x404ac50
>> num_toks = 10
>> rule_type = 2
>> protocol = 2048
>> tmp = 0x100000000 <Address 0x100000000 out of bounds>
>> proto_node = {rule_func = 0x0, head_node_number = 0, type = 2, sip =
>> 0x40b9d20, dip = 0x0, proto = 2048, src_portobject = 0x12f3430, dst_portobject
>> = 0x0, not_sp_flag = 0, hsp = 0, lsp = 0,
>> not_dp_flag = 0, hdp = 0, ldp = 0, flags = 4, active_flag = 0,
>> activation_counter = 0, countdown = 0, activate_list = 0x0, right = 0x0, down
>> = 0x0, listhead = 0x0}
>> node = (RuleListNode *) 0x12d91c0
>> rule = 0x40df030 "alert ip $HOME_NET any -> [] any
>> (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_sr
>> 600, count 1; clas"...
>> preprocessor_rule = 0
>> #2 0x0000000000415bda in ParseRulesFile (file=0x40dd840
>> "/etc/snort/rules/bleeding-botcc.rules", inclevel=1, parse_rule_lines=1) at
>> parser.c:732
>> thefp = (FILE *) 0x12edb30
>> index = 0x1377c90 "alert ip $HOME_NET any -> [] any
>> (msg:\"BLEEDING-EDGE DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_s
>> 3600, count 1; clas"...
>> stored_file_name = 0x12ef640 "/etc/snort/snort.conf"
>> stored_file_line = 1025
>> saved_line = 0x0
>> continuation = 0
>> new_line = 0x0
>> file_stat = {st_dev = 2050, st_ino = 8127365, st_nlink = 1, st_mode =
>> 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 2257,
>> st_blksize = 4096, st_blocks = 8, st_atim = {
>> tv_sec = 1200413549, tv_nsec = 311419820}, st_mtim = {tv_sec = 1200413430,
>> tv_nsec = 165384706}, st_ctim = {tv_sec = 1200413430, tv_nsec = 173383232},
>> __unused = {0, 0, 0}}
>> rule = 0x1367c80 ""
>> buf = 0x1377c90 "alert ip $HOME_NET any -> [] any (msg:\"BLEEDING-EDGE
>> DROP Known Bot C&C Server Traffic (group 1) \";
>> reference:url,www.shadowserver.org; threshold: type limit, track by_src
>> 00, count 1; clas"...
>> #3 0x000000000041734e in ParseRule (rule_file=0x12ed8f0, prule=0x135fc70
>> "include $RULE_PATH/bleeding-botcc.rules", inclevel=0, parse_rule_lines=1) at
>> parser.c:1749
>> toks = (char **) 0x40e03a0
>> num_toks = 2
>> rule_type = 4
>> protocol = 0
>> tmp = 0x40dd840 "/etc/snort/rules/bleeding-botcc.rules"
>> proto_node = {rule_func = 0x0, head_node_number = 0, type = 0, sip =
>> 0x0, dip = 0x0, proto = 0, src_portobject = 0x0, dst_portobject = 0x0,
>> not_sp_flag = 0, hsp = 0, lsp = 0, not_dp_flag = 0
>> ldp = 0, flags = 0, active_flag = 0, activation_counter = 0, countdown = 0,
>> activate_list = 0x0, right = 0x0, down = 0x0, listhead = 0x0}
>> node = (RuleListNode *) 0x12d91c0
>> rule = 0x40b96c0 "include /etc/snort/rules/bleeding-botcc.rules"
>> preprocessor_rule = 0
>> #4 0x0000000000415ba9 in ParseRulesFile (file=0x12c39e0
>> "/etc/snort/snort.conf", inclevel=0, parse_rule_lines=1) at parser.c:730
>> thefp = (FILE *) 0x12ed8f0
>> index = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
>> stored_file_name = 0x0
>> stored_file_line = 0
>> saved_line = 0x0
>> continuation = 0
>> new_line = 0x0
>> file_stat = {st_dev = 2050, st_ino = 8127287, st_nlink = 1, st_mode =
>> 33184, st_uid = 0, st_gid = 106, pad0 = 0, st_rdev = 0, st_size = 41827,
>> st_blksize = 4096, st_blocks = 88, st_atim = {
>> tv_sec = 1200413549, tv_nsec = 329416502}, st_mtim = {tv_sec = 1200404707,
>> tv_nsec = 503702715}, st_ctim = {tv_sec = 1200404707, tv_nsec = 512701056},
>> __unused = {0, 0, 0}}
>> rule = 0x1346e60 ""
>> buf = 0x135fc70 "include $RULE_PATH/bleeding-botcc.rules"
>> #5 0x000000000042593e in SnortMain (argc=23, argv=0x7fbffff958) at
>> snort.c:913
>> set = {__val = {0 <repeats 16 times>}}
>> #6 0x0000000000424fe7 in main (argc=23, argv=0x7fbffff958) at snort.c:388
>> No locals.
>> (gdb) quit
>>
>> Despite fixing the rule, is there a known workaround ?
>>
>> Maybe this issue will be fixed in 2.8.0.2 ;)
>>
>> So long,
>>
>> Andreas.
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users