Re: Question on new rules naming

[Joel Esler <jesler () sourcefire com>]

Actually, I don't show an issue.  Shellcode.rules is empty now. 

You should remove it locally if your rule update system is not.

Many of the old categories are now empty, so if you could double check, that'd be great.  Our rule pack today will also 
contain a bunch of further-emptied categories.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 25, 2012, at 10:12 AM, "Lay, James" <james.lay () wincofoods com> wrote:

> Thanks Joel.
>  
> James
>  
> From: Joel Esler [mailto:jesler () sourcefire com] 
> Sent: Wednesday, October 24, 2012 9:05 PM
> To: Lay, James
> Cc: <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Question on new rules naming
>  
> Let me check. I think I know the issue.  
>
> Sent from my iPhone
>
> On Oct 24, 2012, at 5:30 PM, "Lay, James" <james.lay () wincofoods com> wrote:
>
> Team,
>  
> Are the new rule names new or are the replacing old name rulesets?  I ask due to:
> Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(11) GID 1 SID 14986 duplicates 
> previous rule. Using higher revision.
> <a bunch more snipped>
> Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(63) GID 1 SID 23236 duplicates 
> previous rule. Using higher revision.
>  
> VRT-indicator-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip 
> shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; 
> classtype:shellcode-detect; sid:14986; rev:5;)
>  
> VRT-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; 
> content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; 
> classtype:shellcode-detect; sid:14986; rev:4;)
>  
> Should I remove shellcode.rules and just use indicator-shellcode.rules?  Thanks all.
>  
> James
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!