Snort mailing list archives

Nevermind - Duplicate icmp SID 482?


From: xaz129 <michaelm14 () gmail com>
Date: Wed, 2 Feb 2005 09:42:53 -0500

Ugh... never mind. I finally found my typo in oinkmaster.  I had
changed sid 483 to 482...


---------- Forwarded message ----------
From: xaz129 <michaelm14 () gmail com>
Date: Wed, 2 Feb 2005 09:30:03 -0500
Subject: Duplicate icmp SID 482?
To: snort-users () lists sourceforge net


I noticed an alert using Oinkmaster and I verified it in my rules
file.  I have two SIDs numbered 482 under icmp.rules.  They are shown
below:

/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows";itype:8;content:"WhatsUp - A Netw";depth:32;reference:arachnids,168;classtype:misc-activity;sid:482;rev:5;)

and

/etc/snort/rules/icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows";itype:8;content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|";depth:32;reference:arachnids,154;classtype:misc-attack;sid:482;priority:2;rev:5;)

I didn't see anything in the archived history regarding this.  Has
anyone else noticed it?

