[Snort-devel] sd_pattern question

Jason Wallace jason.r.wallace at ...2499...
Thu Apr 29 14:15:44 EDT 2010


I have two rules...

alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"SSN with dashes
sent over email"; gid:138; sid:400000002; sd_pattern:1,us_social;
classtype:policy-violation; metadata:service smtp; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SSN with
dashes sent over web ports"; gid:138; sid:400000005;
sd_pattern:1,us_social; classtype:policy-violation; metadata:service
smtp; rev:1;)

When snort-2.8.6 starts with both those rules I get the following error...

snort[5551]: FATAL ERROR: Sensitive Data rule 138:400000005 uses a
pattern that duplicates rule 138:400000002.


Is this by design?




More information about the Snort-devel mailing list