Anyone upgrade their snort to the 01-Mar-2001 rules? If so, did you loose your IDS links in the reports from ACID? Looking at the new rules I see this: # UPDATED 02/21/2001 # alert tcp $EXTERNAL_NET any -> $HOME_NET 111,32771 (msg:"RPC portmap listing"; flags: A+; rpc: 100000,*,*;reference:arachnids,429;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A0 00 00|"; reference:arachnids,10;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flags: A+; content: "/bin|c74604|/sh";reference:arachnids,442;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8; reference:arachnids,24;) Notice there are no reference to the IDS. Looking at the old rules: # $Id: rpc-lib,v 1.2 2000/11/18 08:25:04 roesch Exp $ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC Info Query"; content:"|00 01 86 A0 00 00 00 02 00 00 00 04|";) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS025 - RPC - portmap-request-selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS019 - RPC - portmap-request-amountd"; content:"|01 87 03 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS016 - RPC - portmap-request-bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS017 - RPC - portmap-request-cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8;) You can see the IDS numbers in the rules. -- Bob Tanner <tanner at real-time.com> | Phone : (952)943-8700 http://www.mn-linux.org | Fax : (952)943-8500 Key fingerprint = 02E0 2734 A1A1 DBA1 0E15 623D 0036 7327 93D9 7DA3 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20010306/e63c7d98/attachment.pgp