[Snort-sigs] Duplicate info in rules

Chris Green cmg at ...26...
Wed Feb 13 11:00:15 EST 2002


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> The following rules have duplicate info within the flags area '()'...  May
> be a good idea to eliminate the dupes.
>
> SID,REV,Flag:Value
>

[reordered]

> 588,3,reference:cve,CAN-2001-0717
> 1274,3,reference:cve,CAN-2001-0717
> 1298,4,reference:cve,CAN-2001-0717
> 1299,4,reference:cve,CAN-2001-0717

Good catch - there are indeed duplicate CAN ids of the same thing in
the same rule.


> 1283,4,nocase:
> 900,2,nocase:
> 1405,1,nocase:
> 978,4,nocase:
> 1158,2,nocase:
> 805,1,nocase:
> 848,2,nocase:
> 1381,1,nocase:
> 1381,1,nocase:
> 1399,1,nocase:
> 899,2,nocase:
> 1051,3,nocase:
> 1052,2,nocase:
> 1053,3,nocase:
> 1079,3,nocase:

nocase applies to the previous content option.  It's normal for it to
appear multiple times in the same rules.

AFAICT from grep -e 'nocase.*nocase' *.rules, it seems it's used
properly in all places.


> 569,3,depth:4
> 256,1,offset:12
> 257,1,offset:12

These are also modifiers correctly used against the previous content
-- 
Chris Green <cmg at ...26...>
You now have 14 minutes to reach minimum safe distance.
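
Added example, not part of the original message or of Snort itself: a duplicate check that treats nocase, depth and offset as modifiers of the preceding content option, so they are flagged only when repeated on the same content, while a repeated reference is flagged anywhere in the rule. The sample rules and SIDs are constructed, and treating uricontent like content is an assumption.

```python
# Options that modify the preceding content match; one of each per content is normal.
CONTENT_MODIFIERS = {"nocase", "depth", "offset"}
# Assumption: uricontent starts a new modifier scope just like content.
CONTENT_OPTIONS = {"content", "uricontent"}

# Constructed sample rules (not from any real rule set).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"A"; content:"foo"; nocase; '
    'content:"bar"; nocase; offset:12; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"B"; content:"x"; reference:cve,CAN-2001-0717; '
    'reference:cve,CAN-2001-0717; sid:1000002; rev:1;)',
    'alert tcp any any -> any 80 (msg:"C"; content:"x"; nocase; nocase; '
    'sid:1000003; rev:1;)',
]

def split_options(rule):
    """Split the (...) body into (name, value) pairs, honouring quotes and \\; escapes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    parts, buf, quoted, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch == ";" and not quoted and prev != "\\":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        prev = ch
    pairs = (p.strip().partition(":") for p in parts)
    return [(n.strip(), v.strip()) for n, _, v in pairs if n.strip()]

def find_duplicates(rule):
    """Return the (name, value) options that are repeated redundantly in one rule."""
    dupes, seen, mods = set(), set(), None
    for name, value in split_options(rule):
        if name in CONTENT_OPTIONS:
            mods = set()                      # new content: modifier scope restarts
        elif name in CONTENT_MODIFIERS and mods is not None:
            if name in mods:                  # same modifier twice on one content
                dupes.add((name, value))
            mods.add(name)
        elif (name, value) in seen:           # e.g. the same reference listed twice
            dupes.add((name, value))
        else:
            seen.add((name, value))
    return sorted(dupes)

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(find_duplicates(r))
```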



