Snort mailing list archives

Re: [Emerging-Sigs] Duplicate sids (again)


From: Matthew Jonkman <jonkman () jonkmans com>
Date: Wed, 29 Dec 2010 10:41:17 -0500

These are the same rules, but the tor.rules are distributed in a different tar ball. Could you have the remains of a previous download in the directory?

Just checked and only the emerging-tor.rules is in the open-nogpl tarball.

Can you see if that might be the case? Thanks!


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

On Dec 29, 2010, at 10:23 AM, "Lay, James" <james.lay () wincofoods com> wrote:

So…I’m using the rulesets from what I thought was the repo:

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz

Was this the right one to not get duplicate sids?  Just snagged this and still seeing dup sids:

grep 2520144 *

emerging-tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

Did something change while I slept?  Thanks.

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
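The situation in this thread (the same rule present in emerging-tor.rules and in a tor.rules left behind by an earlier tarball) is easy to check for before Snort complains about it at load time. The script below is an added example, not code from Emerging Threats or from either poster. It walks every *.rules file in a directory, indexes rules by sid, and, for each sid seen more than once, tells an identical copy (a stale file you can just delete) apart from a conflicting copy (two different rules claiming one sid, which has to be resolved by hand). The sample files are constructed for the demonstration: the sid 2520144 rule is the one quoted above with its IP list shortened, and the sid 1000001 rules are made up.

```python
"""Find duplicate Snort/Suricata sids across the .rules files in a directory.

Added example, not Emerging Threats code. SAMPLE_FILES below is constructed:
the sid 2520144 rule is the one quoted in the thread (IP list shortened), the
sid 1000001 rules are invented to show a conflicting duplicate.
"""
import re
import sys
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def iter_rules(text):
    """Yield (sid, rev, rule_text) for each active rule in one .rules file.

    Backslash-continued lines are joined first; blank lines and commented-out
    rules are skipped, so a '# alert ...' line never counts as a duplicate.
    """
    text = re.sub(r"\\\r?\n", "", text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        rev = REV_RE.search(line)
        yield int(sid.group(1)), (int(rev.group(1)) if rev else None), line


def find_duplicate_sids(files):
    """files: {filename: contents}. Return {sid: [(filename, rev, rule), ...]}
    for every sid that appears more than once across all files."""
    seen = {}
    for name, text in files.items():
        for sid, rev, rule in iter_rules(text):
            seen.setdefault(sid, []).append((name, rev, rule))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}


def classify(hits):
    """'identical': every copy has the same rule text, i.e. a stale file is
    still in the directory and can simply be removed.
    'conflicting': the copies differ (rev or body), so two different rules
    claim one sid and you must decide which one is wanted."""
    return "identical" if len({rule for _, _, rule in hits}) == 1 else "conflicting"


def report(dups):
    """Return one human-readable line per duplicate sid, sorted by sid."""
    lines = []
    for sid, hits in sorted(dups.items()):
        where = ", ".join(f"{name} (rev:{rev})" for name, rev, _ in hits)
        lines.append(f"sid {sid}: {classify(hits)} copies in {where}")
    return lines


def scan_directory(path):
    """Read every *.rules file directly under path and return the duplicate map."""
    files = {p.name: p.read_text(errors="replace")
             for p in sorted(Path(path).glob("*.rules"))}
    return find_duplicate_sids(files)


# Constructed sample: the quoted sid 2520144 rule duplicated by a stale tor.rules,
# plus two different rules that wrongly share the local-range sid 1000001.
TOR_RULE = (
    'alert tcp [87.119.103.37,87.123.26.143,87.143.251.238] any -> $HOME_NET any '
    '(msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; '
    'threshold: type limit, track by_src, seconds 60, count 1; '
    'classtype:misc-attack; sid:2520144; rev:704;)'
)
SAMPLE_FILES = {
    "emerging-tor.rules": TOR_RULE + "\n",
    "tor.rules": TOR_RULE + "\n",  # left over from an earlier tarball
    "emerging-example.rules": (
        '# alert tcp any any -> any any (msg:"disabled, must be ignored"; sid:2520144; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh A"; sid:1000001; rev:2;)\n'
    ),
    "local.rules": 'alert tcp any any -> $HOME_NET 22 (msg:"EXAMPLE ssh B"; sid:1000001; rev:3;)\n',
}

if __name__ == "__main__":
    # Usage: python dupsids.py /etc/snort/rules   (no argument: run on the sample)
    dups = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else find_duplicate_sids(SAMPLE_FILES)
    for line in report(dups):
        print(line)
    sys.exit(1 if dups else 0)
```

Run against the rules directory Snort actually loads from; a non-zero exit makes it usable as a gate in a rule-update script, so a leftover file from a previous tarball is caught before the restart rather than when Snort refuses the rule set. Only duplicates whose copies differ need human attention; identical copies just mean the old file should be deleted.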
