Snort mailing list archives
Re: [Emerging-Sigs] Duplicate sids (again)
From: Matthew Jonkman <jonkman () jonkmans com>
Date: Wed, 29 Dec 2010 10:41:17 -0500
These are the same rules, but the tor.rules are distributed in a different tarball. Could you have the remains of a previous download in the directory?

Just checked and only the emerging-tor.rules is in the open-nogpl tarball.

Can you see if that might be the case?

Thanks!

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

On Dec 29, 2010, at 10:23 AM, "Lay, James" <james.lay () wincofoods com> wrote:
So…I’m using the rulesets from what I thought was the repo:

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz

Was this the right one to not get duplicate sids? Just snagged this and still seeing dup sids:

grep 2520144 *
emerging-tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)
tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

Did something change while I slept? Thanks.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704
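A check for the situation discussed in this thread, as an added example that is not part of the original messages or of any Emerging Threats tooling: it scans a rules directory for sids defined in more than one place and tells an identical copy (typical of a file left over from an earlier download) apart from two different rules sharing a sid. The function names are hypothetical, the sample rules and sids are constructed, and it assumes one rule per line.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def find_duplicate_sids(rules_dir):
    """Return {sid: [(filename, lineno, rule_text), ...]} for every sid that
    is defined more than once across the *.rules files in rules_dir."""
    seen = defaultdict(list)
    for path in sorted(Path(rules_dir).glob("*.rules")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                rule = line.strip()
                # Skip blanks and commented-out rules; only active rules clash.
                if not rule or rule.startswith("#"):
                    continue
                m = SID_RE.search(rule)
                if m:
                    seen[int(m.group(1))].append((path.name, lineno, rule))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}


def classify(hits):
    """'identical' when every copy is the same rule text (a stale duplicate
    file), 'conflicting' when different rules share one sid."""
    return "identical" if len({rule for _, _, rule in hits}) == 1 else "conflicting"


def build_sample_dir():
    """Constructed sample: one rule present in two files, plus a unique rule."""
    dup = ('alert tcp [192.0.2.10,192.0.2.11] any -> $HOME_NET any '
           '(msg:"constructed sample rule"; flags:S; sid:1000001; rev:1;)')
    uniq = ('alert tcp 198.51.100.7 any -> $HOME_NET any '
            '(msg:"constructed unique rule"; flags:S; sid:1000002; rev:1;)')
    d = Path(tempfile.mkdtemp())
    (d / "emerging-tor.rules").write_text(dup + "\n" + uniq + "\n")
    (d / "tor.rules").write_text("# leftover from an earlier download\n" + dup + "\n")
    return d


if __name__ == "__main__":
    for sid, hits in sorted(find_duplicate_sids(build_sample_dir()).items()):
        print(sid, classify(hits), [f"{name}:{line}" for name, line, _ in hits])
```

An "identical" result points at a leftover file that can be deleted; a "conflicting" result means two different rules claim the same sid and needs a closer look.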