[Snort-sigs] Large amount of signature changes - only rev: changed!

Imran William Smith iwsmith at ...500...
Tue Apr 9 20:40:10 EDT 2002


We have a script to monitor changes to the snort rules,
and download them every day to keep our live rulesets
up to date, whilst making sure we know why they have
changed.

About 3 or 4 hours ago, large numbers of the rules changed,
yet many of them only changed their revision id, and
nothing else (I have tried checking for whitespace changes
etc).

Example from exploit.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh";
reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:1;)


changed to:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+;  content:"/bin/sh";
reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:2;)


Is there some revisioning problem with the rules?  We download
from http://www.snort.org/downloads/snortrules.tar.gz

Thanks


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
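The comparison described in the post, written up as an added example (this is not the poster's script nor anything from the Snort project): two versions of a rule file are parsed keyed by sid, whitespace is collapsed and the rev keyword stripped before comparing, and each sid is bucketed as added, removed, rev-only, genuinely changed, or unchanged. The sid 1324 rule is the pair quoted above; the rules with sids 9000001 through 9000003 are constructed, hypothetical rules added so each bucket has an occupant.

```python
import re

# Constructed sample input: the two versions of sid 1324 quoted in the post,
# plus hypothetical rules (sids 9000001-9000003, not real Snort rules) so the
# classifier has one body change, one unchanged rule and one new rule to show.
OLD_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL web test"; content:"/foo"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"HYPOTHETICAL ftp test"; content:"USER"; sid:9000002; rev:3;)
'''

NEW_RULES = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+;  content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL web test"; content:"/bar"; sid:9000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"HYPOTHETICAL ftp test"; content:"USER"; sid:9000002; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"HYPOTHETICAL smtp test"; content:"HELO"; sid:9000003; rev:1;)
'''

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')


def parse_rules(text):
    """Return {sid: (rev, normalized_body)} for every rule line in text.

    The rev keyword is removed and runs of whitespace are collapsed to one
    space, so a rev bump or a cosmetic whitespace edit leaves the body
    identical; only a real change to the rule's keywords or values differs.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # not a rule line (or a rule without a sid)
        rev_match = REV_RE.search(line)
        rev = int(rev_match.group(1)) if rev_match else None
        body = REV_RE.sub('', line)
        body = re.sub(r'\s+', ' ', body)
        rules[int(sid_match.group(1))] = (rev, body)
    return rules


def classify_changes(old_text, new_text):
    """Compare two rule files and bucket every sid by what actually changed."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    report = {'added': [], 'removed': [], 'rev_only': [], 'changed': [], 'unchanged': []}
    for sid in sorted(set(old) | set(new)):
        if sid not in old:
            report['added'].append(sid)
        elif sid not in new:
            report['removed'].append(sid)
        else:
            old_rev, old_body = old[sid]
            new_rev, new_body = new[sid]
            if old_body != new_body:
                report['changed'].append(sid)   # something other than rev differs
            elif old_rev != new_rev:
                report['rev_only'].append(sid)  # same rule, new revision number
            else:
                report['unchanged'].append(sid)
    return report


if __name__ == '__main__':
    for bucket, sids in classify_changes(OLD_RULES, NEW_RULES).items():
        print(f'{bucket:10s} {sids}')
```

In a daily download job the two strings would be the previous and current copies of each rules file; the `rev_only` bucket is the list worth reviewing by hand, since a revision bump with no body change is exactly the kind of update the post is asking about.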







