Snort mailing list archives
Re: Question on new rules naming
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 24 Oct 2012 23:04:57 -0400
Let me check. I think I know the issue.

Sent from my iPhone

On Oct 24, 2012, at 5:30 PM, "Lay, James" <james.lay () wincofoods com> wrote:
Team,

Are the new rule names new or are they replacing old name rulesets? I ask due to:

Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(11) GID 1 SID 14986 duplicates previous rule. Using higher revision.
<a bunch more snipped>
Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(63) GID 1 SID 23236 duplicates previous rule. Using higher revision.

VRT-indicator-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5;)

VRT-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:4;)

Should I remove shellcode.rules and just use indicator-shellcode.rules? Thanks all.

James

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
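The duplicate-rule warnings quoted in the message can be reproduced offline before Snort is restarted. The following is an added example, not part of the original thread and not Snort or VRT code: it groups rules by GID and SID across rule files and reports which copy carries the higher revision. The function names are hypothetical, the sample input is built from the two rules quoted in the message, and treating a missing rev as 0 is an assumption.

```python
import re
from collections import defaultdict

COMMON = ('alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"%s x86 fldz get eip shellcode"; '
          'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, '
          'policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:%d;)')

# Constructed sample input: the two rules quoted in the message, keyed by file name.
SAMPLE_RULES = {
    "VRT-indicator-shellcode.rules": [COMMON % ("INDICATOR-SHELLCODE", 5)],
    "VRT-shellcode.rules": [COMMON % ("SHELLCODE", 4)],
}

OPTION_RE = re.compile(r"\b(gid|sid|rev)\s*:\s*(\d+)\s*;")
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def rule_identity(line):
    """Return (gid, sid, rev) for an active rule line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank line or commented-out rule
    # Blank out quoted strings so text such as msg:"sid:1; ..." cannot match.
    body = QUOTED_RE.sub('""', line)
    opts = {key: int(value) for key, value in OPTION_RE.findall(body)}
    if "sid" not in opts:
        return None
    # gid defaults to 1 for text rules; a missing rev is treated as 0 (assumption).
    return opts.get("gid", 1), opts["sid"], opts.get("rev", 0)


def find_duplicates(rules_by_file):
    """Map (gid, sid) to the highest-revision copy and the copies it shadows."""
    seen = defaultdict(list)
    for fname, lines in rules_by_file.items():
        for lineno, line in enumerate(lines, 1):
            ident = rule_identity(line)
            if ident:
                gid, sid, rev = ident
                seen[(gid, sid)].append((rev, fname, lineno))
    report = {}
    for key, hits in seen.items():
        if len(hits) > 1:
            hits.sort(reverse=True)  # highest rev first, as in "Using higher revision"
            report[key] = {"kept": hits[0], "shadowed": hits[1:]}
    return report


if __name__ == "__main__":
    for (gid, sid), entry in find_duplicates(SAMPLE_RULES).items():
        print(f"GID {gid} SID {sid}: kept {entry['kept']}, shadowed {entry['shadowed']}")
```

To check a real rules directory, build the dictionary from the files' lines instead of `SAMPLE_RULES`.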