Snort mailing list archives
Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 10 Mar 2010 10:08:28 -0500
Bai, Each rule must have it's own sid. This changed, I think, back in 2.7.x Joel On Wed, Mar 10, 2010 at 9:59 AM, bai haoquan <baihaoquan () gmail com> wrote:
Hi, I had already update my snort from 2.6.1 to 2.8.5.2, my old snort is used in a web project, and in this project, the user's rules is generated automatically. In these rules, there are some rules with the same sid, for example : alert TCP 192.168.123.110 any -> 192.168.123.113 1111 (msg:"tcp"; content:"tcp";sid:1000001;) alert UDP 192.168.123.110 any -> 192.168.123.113 1234 (msg:"udp"; content:"udp";sid:1000001;) these rules cause errors in the new version 2.8.5.2 when start the snort but not in the old version 2.6.1. Of cause I know that I should make the rules generate different sid (1000001, 1000002 ...), but now for some reasons difficult to do this,* I want to know if there are some way to make "the same sid in rules" also work, and not cause errors in the version 2.8.5.2,* please help me to fix this problem if there is someway to do this. Tkank you very much.
-- Joel Esler 302-223-5974
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2 bai haoquan (Mar 10)
- Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2 Joel Esler (Mar 10)
- Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2 Matt Olney (Mar 10)