Snort mailing list archives

Re: [Emerging-Sigs] Duplicate sids (again)


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 29 Dec 2010 10:30:30 -0500

James,
 
There was a problem with this last week.  How often do you update your
rules?  In the archive you list - there is no tor.rules file and sid
2520144 only occurs once in emerging-tor.rules.  Maybe you need to clean
out your rules folder and your snort.conf file.
 
-Jason

-----Original Message-----
From: emerging-sigs-bounces () emergingthreats net
[mailto:emerging-sigs-bounces () emergingthreats net] On Behalf Of Lay,
James
Sent: Wednesday, December 29, 2010 10:24 AM
To: snort-sigs () lists sourceforge net; emerging-sigs () emergingthreats net
Subject: [Emerging-Sigs] Duplicate sids (again)

So...I'm using the rulesets from what I thought was the repo:

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz

 

Was this the right one to not get duplicate sids?  Just snagged this and
still seeing dup sids:

 

grep 2520144 *

emerging-tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

 

Did something change while I slept?  Thanks.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
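A check for the problem discussed in this thread, added here as an example (not code from the list or from Emerging Threats): it scans a set of Snort rule files for sids defined more than once and reports whether the copies are identical (a stale duplicate file such as the tor.rules above) or differ (a genuine conflict that needs resolving). The sample files are constructed: the Tor rule is abridged from the one quoted in the post, and local.rules with sid 9000001 is made up.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def active_rules(text):
    """Yield uncommented, non-empty rule lines (a leading '#' disables a Snort rule)."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def find_duplicate_sids(files):
    """files: {filename: contents}. Return {sid: {"files": [...], "identical": bool}}
    for every sid defined more than once across all active rules."""
    hits = defaultdict(list)
    for name, text in files.items():
        for rule in active_rules(text):
            m = SID_RE.search(rule)
            if m:
                # normalise whitespace so re-wrapped copies still compare equal
                hits[int(m.group(1))].append((name, re.sub(r"\s+", " ", rule)))
    return {
        sid: {"files": sorted(n for n, _ in rules),
              "identical": len({r for _, r in rules}) == 1}
        for sid, rules in hits.items() if len(rules) > 1
    }

# Constructed sample files (abridged from the rule quoted in the post, plus
# a made-up local rule); not taken from any real ruleset.
TOR_RULE = ('alert tcp [87.119.103.37,87.123.26.143] any -> $HOME_NET any '
            '(msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; '
            'threshold: type limit, track by_src, seconds 60, count 1; '
            'classtype:misc-attack; sid:2520144; rev:704;)')
LOCAL_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
              '(msg:"LOCAL constructed test rule"; flow:to_server; sid:9000001; rev:1;)')
SAMPLE_FILES = {
    "emerging-tor.rules": TOR_RULE + "\n",
    "tor.rules": "# stale copy of the same file left in the rules directory\n" + TOR_RULE + "\n",
    "local.rules": (LOCAL_RULE + "\n"
                    + LOCAL_RULE.replace("rev:1;", "rev:2;") + "\n"   # edited copy, different rev
                    + "# " + LOCAL_RULE + "\n"),                       # disabled copy: ignored
}

if __name__ == "__main__":
    for sid, info in sorted(find_duplicate_sids(SAMPLE_FILES).items()):
        kind = "identical copies" if info["identical"] else "CONFLICTING definitions"
        print(f"sid {sid}: {kind} in {', '.join(info['files'])}")
```

Against a real rules directory, build the dict with `{p.name: p.read_text() for p in Path(rules_dir).glob("*.rules")}` and pass it to `find_duplicate_sids`.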

