Snort mailing list archives
Re: Duplicate rules & rule parser
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 22 Oct 2013 12:15:55 -0400
On Oct 22, 2013, at 10:26 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:
Hi, There are many SIDs that are duplicated. See this extract (http://pastebin.com/jKpBXLdv) taken from the snort output using the -T switch.
Looks like you are using the community ruleset and the registered/subscriber set at the same time (nothing wrong with this). Duplicate SIDs will be found if you are using the community ruleset and the registered/subscriber set, as the community ruleset is inside the subscriber (and thusly the registered) set. Snort will always take the highest rev of a rule upon start up, and community may be more up to date than the subscriber/registered pack since the community ruleset is cut daily, whereas the other set is at least twice a week. So what you are seeing is correct.

Here is a bit more information on the community ruleset: http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html and here is where it is: http://www.snort.org/snort-rules/#community

Thanks

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire
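A small checker, added here as an example and not part of this thread or of Snort itself, that scans rule files, groups rules by gid:sid and keeps the highest rev the way Joel describes, so an operator can see which duplicates come from loading community and registered rules together and which copy will win. The rule files are constructed, and the tie-break on equal rev (first file listed wins) is an assumption, not documented Snort behaviour.

```python
import re
from collections import defaultdict

# Constructed sample rule files (not real Sourcefire rules). SID 1000001
# appears in both files with different revs, as in the thread.
RULE_FILES = {
    "community.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE A"; content:"foo"; sid:1000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE B"; content:"bar"; sid:1000002; rev:1;)
""",
    "snort.rules": """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE A"; content:"foo"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE C"; content:"baz"; sid:1000003; rev:1;)
# alert tcp any any -> any any (msg:"disabled"; sid:1000001; rev:9;)  <- commented out, ignored
""",
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_rules(files):
    """Yield (gid, sid, rev, filename, lineno) for each active (uncommented) rule."""
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            sid = SID_RE.search(line)
            if not sid:
                continue  # not a rule line (e.g. a variable definition)
            rev = REV_RE.search(line)
            gid = GID_RE.search(line)
            yield (int(gid.group(1)) if gid else 1, int(sid.group(1)),
                   int(rev.group(1)) if rev else 0, name, lineno)


def resolve_duplicates(files):
    """Group by (gid, sid) and keep the highest rev, as Snort does at startup.

    Returns (winners, duplicates): winners maps (gid, sid) -> (rev, file, line);
    duplicates holds every (gid, sid) seen more than once, entries sorted
    highest rev first. Ties keep the first file seen (assumption, see lead-in).
    """
    by_key = defaultdict(list)
    for gid, sid, rev, name, lineno in parse_rules(files):
        by_key[(gid, sid)].append((rev, name, lineno))
    winners = {key: max(entries, key=lambda e: e[0]) for key, entries in by_key.items()}
    duplicates = {key: sorted(entries, key=lambda e: e[0], reverse=True)
                  for key, entries in by_key.items() if len(entries) > 1}
    return winners, duplicates


if __name__ == "__main__":
    winners, dups = resolve_duplicates(RULE_FILES)
    for key, entries in dups.items():
        print(f"gid:sid {key[0]}:{key[1]} duplicated; Snort keeps rev {winners[key][0]} from {winners[key][1]}")
```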