[Snort-sigs] Rule oddities in 1.8.1

Brian Caswell bmc at ...8...
Tue Aug 21 14:17:58 EDT 2001


Mike Baptiste wrote:
> A number of rules have duplicate options, often for nocase, flags, and
> offset (my understanding from the docs is these are unique options).  A
> quick check showed they were often set to the same thing anyway:

No, these are unique to each content (or uricontent) field.

Each content can have its own nocase, offset, depth, and regex.

The multiple flags part is broken, and thanks for letting us know.

> I also found a couple rules with duplicate Snort IDs - It was my
> understanding these should be unique...
> 
> Error: DBD::mysql::db do failed: Duplicate entry '1228-1.8.1' for key 1
> at ./rule_parse line 250, <RULES> line 189.
> Error: DBD::mysql::db do failed: Duplicate entry '1257-1.8.1' for key 1
> at ./rule_parse line 250, <RULES> line 21.

Yes, they should be.  This is because 2 different methods for generating
SIDs were being used by 2 different people.  This should be fixed for
the future, but I'll fix these in about 10 minutes.

Thanks for the info.  Fixes committed to CVS.

-- 
Brian Caswell
The MITRE Corporation
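
Added example (not part of the original message and not Snort's or rule_parse's code): a small Python rule linter that groups nocase/offset/depth/regex under the content or uricontent that precedes them, so repeats across different contents are not flagged, while a repeated flags option and duplicate SIDs are reported. The sample rules, the helper names and the assumption that a modifier binds to the nearest preceding content are constructed for illustration.

```python
import re
from collections import defaultdict
CONTENT_MODIFIERS = {"nocase", "offset", "depth", "regex"}  # named in the reply
ONCE_PER_RULE = {"flags", "sid"}  # options the thread treats as single-use

# Constructed sample rules, not taken from the Snort 1.8.1 rule set.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"constructed A"; content:"GET"; offset:0; depth:3; content:"admin"; nocase; offset:4; sid:1000001;)
alert tcp any any -> any 21 (msg:"constructed B"; flags:A+; content:"site exec"; nocase; flags:A+; sid:1000002;)
alert tcp any any -> any 25 (msg:"constructed C"; content:"expn"; nocase; sid:1000001;)
"""

def split_options(rule):
    """Return [(name, value)] from the parenthesised option block of one rule."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = []
    # Split on ';' but keep quoted strings and backslash escapes intact.
    for raw in re.findall(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+', body):
        name, _, value = raw.strip().partition(":")
        if name:
            opts.append((name.strip(), value.strip()))
    return opts

def analyze(rules_text):
    """Return (modifiers grouped per content, repeated-option findings, duplicate SIDs)."""
    groups, findings, sid_lines = {}, [], defaultdict(list)
    for lineno, rule in enumerate(rules_text.splitlines(), 1):
        if "(" not in rule or rule.lstrip().startswith("#"):
            continue
        contents, seen, current = [], set(), None
        for name, value in split_options(rule):
            if name in ("content", "uricontent"):
                current = {"match": value, "modifiers": {}}
                contents.append(current)
            elif name in CONTENT_MODIFIERS and current is not None:
                if name in current["modifiers"]:
                    findings.append((lineno, f"{name} repeated for one content"))
                current["modifiers"][name] = value
            elif name in ONCE_PER_RULE:
                if name in seen:
                    findings.append((lineno, f"{name} given more than once"))
                seen.add(name)
                if name == "sid":
                    sid_lines[value].append(lineno)
        groups[lineno] = contents
    return groups, findings, {s: l for s, l in sid_lines.items() if len(l) > 1}

if __name__ == "__main__":
    print(analyze(SAMPLE_RULES))
```

Run over a rules file before loading it into a database keyed on SID, this reports the colliding line numbers up front instead of failing on the insert.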