Snort mailing list archives
Re: Question on new rules naming
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 25 Oct 2012 08:48:13 -0600
Thanks Joel... just checked now and none of my rule sets are empty... guessing this is a pp thing, so I'll head down that path.

James

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, October 25, 2012 8:45 AM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Question on new rules naming

Actually, I don't show an issue. Shellcode.rules is empty now. You should remove it locally if your rule update system is not. Many of the old categories are now empty, so if you could double check, that'd be great. Our rule pack today will also contain a bunch of further-emptied categories.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Oct 25, 2012, at 10:12 AM, "Lay, James" <james.lay () wincofoods com> wrote:

Thanks Joel.

James

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, October 24, 2012 9:05 PM
To: Lay, James
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Question on new rules naming

Let me check. I think I know the issue.

Sent from my iPhone

On Oct 24, 2012, at 5:30 PM, "Lay, James" <james.lay () wincofoods com> wrote:

Team,

Are the new rule names new, or are they replacing the old-name rulesets? I ask due to:

Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(11) GID 1 SID 14986 duplicates previous rule. Using higher revision.
<a bunch more snipped>
Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(63) GID 1 SID 23236 duplicates previous rule. Using higher revision.

VRT-indicator-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5;)
VRT-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:4;)

Should I remove shellcode.rules and just use indicator-shellcode.rules?

Thanks all.

James

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
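The duplicate-SID warnings in the thread come from the same signature being shipped in two category files with different rev values. As an added example, not code from the thread, from Sourcefire or from the Snort project, the following Python script scans a set of rule files, finds every GID:SID pair that appears more than once, reports which file/rev would be kept (the higher rev, as Snort's log line says), and flags pairs whose rev is identical in both files for manual review. The gid-defaults-to-1 behaviour is Snort's; the tie-break policy is this script's own assumption. The two sample rule lines are the ones quoted in the message above; the surrounding file layout is constructed.

```python
"""Find duplicate GID:SID pairs across a set of Snort rule files (added example)."""
import re
import sys
from collections import OrderedDict

# Integer rule options we need; gid defaults to 1 when absent, as in Snort.
_OPT_RE = re.compile(r'\b(gid|sid|rev)\s*:\s*(\d+)\s*;')
_MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')


def parse_rule(line):
    """Return (gid, sid, rev, msg) for one rule line.

    Returns None for blank lines, comments and lines without a sid option.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = {key: int(val) for key, val in _OPT_RE.findall(line)}
    if "sid" not in opts:
        return None
    msg_match = _MSG_RE.search(line)
    msg = msg_match.group(1) if msg_match else ""
    return (opts.get("gid", 1), opts["sid"], opts.get("rev", 0), msg)


def find_duplicates(rule_files):
    """rule_files: mapping of {filename: file text}, scanned in order.

    Returns (winners, warnings). winners maps (gid, sid) -> (filename,
    line_no, rev, msg) for the rule that would be kept. warnings lists one
    string per duplicate, in the style of Snort's startup message. On an
    equal rev the first file seen is kept and the pair is flagged for
    manual review (this script's policy, not Snort's).
    """
    winners = OrderedDict()
    warnings = []
    for fname, text in rule_files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            parsed = parse_rule(line)
            if parsed is None:
                continue
            gid, sid, rev, msg = parsed
            key = (gid, sid)
            if key not in winners:
                winners[key] = (fname, line_no, rev, msg)
                continue
            prev_file, prev_line, prev_rev, _prev_msg = winners[key]
            if rev > prev_rev:
                action = "Using higher revision (rev %d from %s)." % (rev, fname)
                winners[key] = (fname, line_no, rev, msg)
            elif rev < prev_rev:
                action = "Using higher revision (rev %d from %s)." % (prev_rev, prev_file)
            else:
                action = "Same rev %d in both files; keeping %s, review manually." % (rev, prev_file)
            warnings.append("%s(%d) GID %d SID %d duplicates previous rule (%s(%d)). %s"
                            % (fname, line_no, gid, sid, prev_file, prev_line, action))
    return winners, warnings


# Constructed sample: the two rule lines quoted in the thread, in two files,
# plus a comment and a blank line to show those are skipped.
SAMPLE_FILES = OrderedDict([
    ("VRT-shellcode.rules",
     'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; '
     'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; '
     'classtype:shellcode-detect; sid:14986; rev:4;)\n'),
    ("VRT-indicator-shellcode.rules",
     '# indicator category introduced by the rule rename\n'
     '\n'
     'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; '
     'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; '
     'classtype:shellcode-detect; sid:14986; rev:5;)\n'),
])


def load_files(paths):
    """Read rule files from disk, preserving command-line order."""
    files = OrderedDict()
    for path in paths:
        with open(path, "r", encoding="utf-8", errors="replace") as handle:
            files[path] = handle.read()
    return files


if __name__ == "__main__":
    # Usage: python dupsid.py /opt/etc/snort/rules/*.rules  (no args: run on the sample)
    files = load_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_FILES
    kept, warns = find_duplicates(files)
    for warn in warns:
        print(warn)
    print("%d distinct GID:SID pairs, %d duplicates" % (len(kept), len(warns)))
```

Run against a rules directory, it gives the same list Snort prints at startup but before the sensor is restarted, and the "review manually" lines point at the files an update tool such as pulledpork may have left behind after a category rename.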
Current thread:
- Question on new rules naming Lay, James (Oct 24)
- Re: Question on new rules naming Joel Esler (Oct 24)
- Re: Question on new rules naming Lay, James (Oct 25)
- Re: Question on new rules naming Joel Esler (Oct 25)
- Re: Question on new rules naming Lay, James (Oct 25)
- Re: Question on new rules naming Lay, James (Oct 25)
- Re: Question on new rules naming Joel Esler (Oct 24)