Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2

[Joel Esler <jesler () sourcefire com>]

Bai,

Each rule must have it's own sid.  This changed, I think, back in 2.7.x

Joel

On Wed, Mar 10, 2010 at 9:59 AM, bai haoquan <baihaoquan () gmail com> wrote:

> Hi,
>
> I had already update my snort from 2.6.1 to 2.8.5.2, my old snort is used
> in a web project, and in this project, the user's rules is generated
> automatically. In these rules, there are some rules with the same sid, for
> example :
>
>     alert TCP 192.168.123.110 any -> 192.168.123.113 1111 (msg:"tcp";
> content:"tcp";sid:1000001;)
>     alert UDP 192.168.123.110 any -> 192.168.123.113 1234 (msg:"udp";
> content:"udp";sid:1000001;)
>
> these rules cause errors in the new version 2.8.5.2 when start the snort
> but not in the old version 2.6.1. Of cause I know that  I should make the
> rules generate different sid (1000001, 1000002 ...), but now for some
> reasons difficult to do this,* I want to know if there are some way to
> make "the same sid in rules" also work, and not cause errors in the version
> 2.8.5.2,*  please help me to fix this problem if there is someway to do
> this. Tkank you very much.


-- 
Joel Esler
302-223-5974

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users