<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "http://bugs.gentoo.org/bugzilla.dtd">

<bugzilla version="2.22.7"
          urlbase="http://bugs.gentoo.org/"
          maintainer="bugzilla@gentoo.org"
>

    <bug>
          <bug_id>110103</bug_id>
          
          <creation_ts>2005-10-21 22:57 0000</creation_ts>
          <short_desc>snort basic rules missing &gt;=2.4.x</short_desc>
          <delta_ts>2006-01-27 10:09:42 0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>Gentoo Linux</product>
          <component>Ebuilds</component>
          <version>unspecified</version>
          <rep_platform>All</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          
          <priority>P2</priority>
          <bug_severity>normal</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          
          <everconfirmed>1</everconfirmed>
          <reporter>mark.conway@themobiusproject.com</reporter>
          <assigned_to>netmon@gentoo.org</assigned_to>
          

      

      
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-21 22:57:41 0000</bug_when>
            <thetext>In snort 2.4.1, the base rules disappear causing snort to not start.

In 2.3.3-r1, snort rules were moved from /etc/snort to /etc/snort/rules for
housekeeping&apos;s sake.  Starting in 2.4.1, the base rules disappeared altogether. 
I think this is because they were taken out of the main snort.tar.gz and put
into a separate archive.  There are different versions of the snort rules:
subscription release, registered user release, and unregistered user release
(which I think most of the gentoo userbase falls into).  Because the base rules
were removed, snort refuses to start because the files that it is looking for in
/etc/snort/rules are missing.  The easy fix for this is to add the archive for
the official snort ruleset (unregistered version of course) to the snort ebuild. 

http://www.snort.org/pub-bin/downloads.cgi
Current Official Ruleset for Unregistered Users:
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz

Reproducible: Always
Steps to Reproduce:
1. emerge -C snort
2. rm -r /etc/snort/ (to remove all rules for a clean install)
3. emerge &gt;=net-analyzer/snort-2.4.1</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-21 23:00:01 0000</bug_when>
            <thetext>Created an attachment (id=71162)
Snort with basic rule set

Added line 11 to include official ruleset for snort 2.4.

Tested and it works fine for me.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-21 23:20:09 0000</bug_when>
            <thetext>Actually, looking at this a little bit further, I notice that I have just
duplicated a few files that should only exist in /etc/snort/ and not in
/etc/snort/rules/:
  classification.config
  gen-msg.map
  reference.config
  sid-msg.map
  snort.conf
  threshold.conf
  unicode.map

These were in the snortrules-pr-2.4.tar.gz and thus moved to the rules folder
along with the base rules.  The init script for snort uses /etc/snort/snort.conf
so removing the ./rules/snort.conf is safe.

Another quick thought is that /etc/snort/snort.conf should be chmod 640 because
there is a username/password to the database program.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>strerror@gentoo.org</who>
            <bug_when>2005-10-23 07:30:44 0000</bug_when>
            <thetext>I thought dragonheart / I fixed this in ~ a while back. Can you try snort 2.4.3
and let me know if it&apos;s still a problem?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-23 08:24:04 0000</bug_when>
            <thetext>$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.1.tbz2 | grep rules
./etc/snort/rules/

$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.1-r1.tbz2 | grep rules
./etc/snort/rules/
./etc/snort/rules/community-mail-client.rules
./etc/snort/rules/community-web-client.rules
./etc/snort/rules/community-virus.rules
./etc/snort/rules/community-misc.rules
./etc/snort/rules/community-web-dos.rules
./etc/snort/rules/sid-msg.map
./etc/snort/rules/community-web-cgi.rules
./etc/snort/rules/community-ftp.rules
./etc/snort/rules/community-exploit.rules
./etc/snort/rules/community-web-misc.rules
./etc/snort/rules/community-inappropriate.rules
./etc/snort/rules/community-game.rules
./etc/snort/rules/community-sql-injection.rules

$ tar -tf /usr/portage/packages/net-analyzer/snort-2.4.3.tbz2 | grep rules
./etc/snort/rules/
./etc/snort/rules/community-mail-client.rules
./etc/snort/rules/community-web-client.rules
./etc/snort/rules/community-virus.rules
./etc/snort/rules/community-misc.rules
./etc/snort/rules/community-web-dos.rules
./etc/snort/rules/sid-msg.map
./etc/snort/rules/community-web-cgi.rules
./etc/snort/rules/community-ftp.rules
./etc/snort/rules/community-exploit.rules
./etc/snort/rules/community-web-misc.rules
./etc/snort/rules/community-inappropriate.rules
./etc/snort/rules/community-game.rules
./etc/snort/rules/community-sql-injection.rules

The community rules have been installed, but the base rules are missing in all
of the 2.4.x builds.
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>soulse@gmail.com</who>
            <bug_when>2005-10-23 08:37:19 0000</bug_when>
            <thetext>There are no more base rules in snort AFAIK since they are selling them, or am I wrong?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-23 09:28:04 0000</bug_when>
            <thetext>That&apos;s why I made the link to the &quot;Current Official Ruleset for Unregistered
Users&quot;.  These are available at the beginning of each new major release.  They
do have newer rule sets for those who are registered and those who subscribe,
but people who are just now installing snort still need a basic set of rules.

Current Official Ruleset for Unregistered Users:
http://www.snort.org/pub-bin/downloads.cgi#PR
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>strerror@gentoo.org</who>
            <bug_when>2005-10-23 10:33:20 0000</bug_when>
            <thetext>I&apos;m not following the problem. We include the community rules and that is all
you need to RUN snort. If you want more up-to-date rules then go and get them. Are
you saying that you need more than the community rules that are shipped with
snort to get snort to run?</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-23 11:12:33 0000</bug_when>
            <thetext>My apologies for being vague.  I started this bug at about 2 in the morning
after trying to figure out why snort wasn&apos;t working for me and I knew what I was
talking about, though that apparently didn&apos;t help me explain the problem any :)
 I will try to start from the beginning this time so I don&apos;t miss anything.

On a gentoo system w/o Snort installed...
1. emerge =net-analyzer/snort-2.4.3
2. follow postinst instructions to make the snort mysql database
3. edit /etc/snort/snort.conf to access the mysql db
   output database: log, mysql, user=root password=test dbname=db host=localhost
4. /etc/init.d/snort start
   * Starting snort ... [ ok ]
5. ps x | grep snort
   6648 pts/0    S+     0:00 grep snort
   (Snort isn&apos;t actually running at this point)
6. /etc/init.d/snort stop
   * Stopping snort ...
   start-stop-daemon: warning: failed to kill 6587: No such process  [ !! ]
7. /etc/init.d/snort zap
   * Manually resetting snort to stopped state.  [ ok ]
8. snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
   (This is essentially the line that the init script uses to start snort except
I have replaced the -D [start daemon] with -T [test] to see what the problem is)
   Running in Test mode with config file: /etc/snort/snort.conf
   Running in IDS mode
   ...
   ERROR: Unable to open rules file: /etc/snort/rules/local.rules or
/etc/snort//etc/snort/rules/local.rules
   Fatal Error, Quitting..
9. Taking a look at the end of /etc/snort/snort.conf I see:
   ($RULE_PATH is defined as /etc/snort/rules earlier in the conf)

include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules

include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules

include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules

include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules

include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
 include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules

# Include any thresholding or suppression commands. See threshold.conf in the
# &lt;snort src&gt;/etc directory for details. Commands don&apos;t necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them. 
# Note for Windows users:  You are advised to make this an absolute path,
# such as:  c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf

-- These are all of the basic rules that are missing that stop snort from
starting.  The community rules are great, but they are supposed to be in addition
to the basic rule set.  The community rules aren&apos;t even being used, though,
because none of the config files accesses them.

I think that the basic rule set should be included into the snort ebuild so the
most basic of users can just install the ebuild and start snort.  The /most/
basic set is freely available from snort.org from the links that I provided
above.  If the user is a registered user or a subscriber, then they should know
how to download the newer rule sets that they have access to.  Because the basic
rule set for unregistered users only changes once every major release, this
shouldn&apos;t be any undue burden on the ebuild maintainers.

---

I think I have described the problem that I see in full now.  But then again it
took me about 45 minutes to write this because my son keeps trying to get my
attention...</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>strerror@gentoo.org</who>
            <bug_when>2005-10-23 13:14:29 0000</bug_when>
            <thetext>k the snort 2.4.3 should work after the emerge, I THOUGHT that dragonheart had
committed a fix to touch /etc/snort/rules/local.rules which is all that needs to
happen for snort to load up and work. I disagree that the basic rules should be
included but I agree that I should add a warning to indicate that the user
should go and get the appropriate ruleset. I&apos;m not able to check now but if that
fix for the local.rules is not in cvs then I will fix it myself in 12 hours or
so when I am near one of my dev machines.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>mark.conway@themobiusproject.com</who>
            <bug_when>2005-10-24 08:32:26 0000</bug_when>
            <thetext>I installed snort 2.4.3 on another test box today.  This box has never had snort
on it.  I tried your fix to:
$ touch /etc/snort/rules/local.rules
and then ran:
$ snort -T -u snort -i eth0 -l /var/log/snort -c /etc/snort/snort.conf
as I did before to test the config.  Like before, the result was:
   Running in Test mode with config file: /etc/snort/snort.conf
   Running in IDS mode
   ...
   ERROR: Unable to open rules file: /etc/snort/rules/bad-traffic.rules or
/etc/snort//etc/snort/rules/bad-traffic.rules
   Fatal Error, Quitting..
I then touched /etc/snort/rules/bad-traffic.rules and tried the test string
again which resulted in the same error for exploit.rules which leads me to
believe that every file.rules in snort.conf needs to either be touched or
commented out.  This again doesn&apos;t fix the problem of the community rules not
being loaded due to these rules not existing in a config file anywhere.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>donaldgray@dslextreme.com</who>
            <bug_when>2005-12-06 13:37:31 0000</bug_when>
            <thetext>Created an attachment (id=74173)
Rules patch

I noticed this problem on my amd64 box last night. I created a patch which
works fine on my machine.</thetext>
          </long_desc>
          <long_desc isprivate="0">
            <who>vanquirius@gentoo.org</who>
            <bug_when>2006-01-27 10:09:42 0000</bug_when>
            <thetext>Basic rules are back in snort-2.4.3-r1, so now it should work by default in new installations.
Donald, thanks for your patch, but I don&apos;t think it will be necessary anymore :-).

Thanks for reporting!</thetext>
          </long_desc>
      
          <attachment
              isobsolete="0"
              ispatch="0"
              isprivate="0"
          >
            <attachid>71162</attachid>
            <date>2005-10-21 23:00 0000</date>
            <desc>Snort with basic rule set</desc>
            <filename>snort-2.4.3-r1.ebuild</filename>
            <type>text/plain</type>
            <data encoding="base64"></data>

          </attachment>
          <attachment
              isobsolete="0"
              ispatch="1"
              isprivate="0"
          >
            <attachid>74173</attachid>
            <date>2005-12-06 13:37 0000</date>
            <desc>Rules patch</desc>
            <filename>snort-2.4.3-rules.diff</filename>
            <type>text/plain</type>
            <data encoding="base64"></data>

          </attachment>
    </bug>

</bugzilla>