Snort mailing list archives
Re: Local Rule Error
From: "Jones, Christopher (Chris) (Maj)" <cajones1 () nps edu>
Date: Mon, 20 Feb 2017 02:03:30 +0000
All,

I found one of my mistakes. I had a local rules path in the config file twice so that explains why snort was giving me the error. Now it runs with no errors but is not logging my packet that I know has the "chmod" text string. Do I need to include some wildcard placeholders like "*chmod*"? Does this rule look to have the required components?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULE-chmod command attempt"; content:"chmod"; sid:500001; rev:1;)

Thanks again.

-----Original Message-----
From: Jones, Christopher (Chris) (Maj) [mailto:cajones1 () nps edu]
Sent: Sunday, February 19, 2017 5:44 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Local Rule Error

Thanks for the reply. I added the two extra zeros as you suggested and am still getting the error. I'm using the community rules and don't have any other local rules. I've attached a screenshot so you can see the error. There must be something else in the rule that is confusing snort.

Chris

-----Original Message-----
From: wkitty42 () windstream net [mailto:wkitty42 () windstream net]
Sent: Sunday, February 19, 2017 5:31 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Local Rule Error

On 02/19/2017 07:16 PM, Jones, Christopher (Chris) (Maj) wrote:
I’m working on writing some simple local rules but Snort is giving me the error: “SID 5000001 in rule duplicates previous rule. Ignoring old rule.”
what other rules do you have installed and configured? it appears, based on what you've written, that you have other rules installed and configured for use... try adding a few more zeros to your local base SID range... i use 100000000 to start my local rules specifically to get their SIDs up and away from the others currently available by distribution...

yours: 5000001
mine : 100000000

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
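
The cause reported at the top of this thread (the local rules file included twice in the config, which makes Snort load the same SID twice) can be checked before starting Snort. The following is an added example, not code from the thread or from the Snort project; the config text, rule files and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample config: local.rules is included twice, as in the thread.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/community.rules
include $RULE_PATH/local.rules
# include $RULE_PATH/disabled.rules
include $RULE_PATH/local.rules
"""

# Constructed sample rule files, keyed by the path used on the include line.
SAMPLE_RULES = {
    "$RULE_PATH/local.rules":
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"LOCAL RULE-chmod command attempt"; content:"chmod"; sid:500001; rev:1;)\n',
    "$RULE_PATH/community.rules":
        'alert tcp any any -> any 80 (msg:"constructed sample"; content:"x"; sid:1000; rev:1;)\n',
}

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def included_files(conf_text):
    """Return include targets in file order; commented-out lines do not match."""
    return [m.group(1) for line in conf_text.splitlines()
            if (m := INCLUDE_RE.match(line))]

def duplicate_includes(conf_text):
    counts = Counter(included_files(conf_text))
    return sorted(path for path, n in counts.items() if n > 1)

def duplicate_sids(conf_text, rules_by_path):
    """Map each SID that would be loaded more than once to the files loading it."""
    seen = defaultdict(list)
    for path in included_files(conf_text):  # a repeated include loads the file again
        for line in rules_by_path.get(path, "").splitlines():
            if line.lstrip().startswith("#"):
                continue
            m = SID_RE.search(line)
            if m:
                seen[int(m.group(1))].append(path)
    return {sid: paths for sid, paths in seen.items() if len(paths) > 1}

if __name__ == "__main__":
    print("duplicate includes:", duplicate_includes(SAMPLE_CONF))
    print("duplicate SIDs:", duplicate_sids(SAMPLE_CONF, SAMPLE_RULES))
```

When the duplicate SID maps to the same file listed twice, the fix is in the config's include lines, not in the SID numbering.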