Snort unexpectedly terminates / signal 11 error

slim0801

Hello, It's not a hardware issue, I tested on several pc-s Intel and AMD processors, It seems to be a rule issue, When I put these two rules

#tcp
alert tcp !$HOME_NET any -> $HOME_NET ![27000:30000,9987] (flags: S; msg:"Possible TCP DoS"; flow: stateless; threshold: type both, track by_src, count 200, seconds 1; sid:10001;rev:1;)

#udp
alert udp !$HOME_NET any -> $HOME_NET ![27000:30000,9987] (msg:"Possible UDP DoS"; flow: stateless; threshold: type both, track by_src, count 300, seconds 1; sid:10002;rev:1;)

when the alert is triggered snort is exiting on signal 11.

Those 2 rules were very important to me, can you plese tell me an alternative to them or can you please solve this problem?

I tried also with gid in rules, but still not working

With the old snort package in pfsense those 2 rules worked just fine.

Thank you.

LiamH

Try adding a classtype to the rule.

slim0801

Thank you very much, It works when I added "classtype:attempted-dos; priority:1;", I was looking for a solution for this problem for like 2 months and you nailed it :)

I`m so glad it works, thank you again.

LiamH

Took me some time to figure it out myself - couldn't find anything on the web. At least now it can be found on the web  ;)
Is it a bug? I thought that classtype is not mandatory. Actually all goes well until snort try to output to the alert log.