[Snort-sigs] Changes in rules - some not really changed.

Imran William Smith iwsmith at ...500...
Wed Jun 5 17:55:02 EDT 2002


Quite often it seems that a huge number of rules are changed,
yet analysis often reveals it's only the revision ID that has changed,
and nothing else.

We try to analyse all rule changes before implementing them
in our live rulesets.  These massive changes play havoc with
that policy, and we just have to implement all the changes blindly.

For example, our 'what's changed' script picked up the following
change within the last 24 hours:


Changes found to file icmp.rules :
Line(s) deleted:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IMCP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:2;)

Line(s) added:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)


Is there any way to weed out these 'no change' changes in future?

Thanks


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
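One way to do the weeding the post asks about, as an added example that is neither the poster's own 'what's changed' script nor anything shipped by the Snort project: index the old and new rule files by sid, strip the rev: option before comparing, and sort each sid into "rev bump only", "substantive change", "added" or "deleted". The sample rule sets below are constructed for the example; the sid:499 pair is the icmp.rules change quoted above, and the 9000001 to 9000003 rules are invented (their sids are in the local range and exist only here). Run on the quoted pair, the comparison reports a substantive difference rather than a bare rev bump, because the msg text differs as well as the rev, and the option_diff helper points at exactly which option changed.

```python
import re

# Constructed sample rule sets (not real ruleset snapshots). The sid:499
# pair is the icmp.rules change quoted in the post; sid:9000001 is an
# invented rule whose only difference is the rev number; sid:9000002 is
# unchanged; sid:9000003 exists only in the new file.
OLD_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IMCP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rev-only bump"; flow:to_server; content:"/cgi-bin/x"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE unchanged"; content:"USER"; sid:9000002; rev:1;)
"""
NEW_RULES = """\
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rev-only bump"; flow:to_server; content:"/cgi-bin/x"; sid:9000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE unchanged"; content:"USER"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE new rule"; content:"login"; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;\s*')


def parse_rules(text):
    """Map sid -> (rule with rev: removed and whitespace collapsed, rev).

    Lines that are blank or commented out are skipped, so a rule that gets
    commented out between snapshots shows up as 'deleted' from the active set.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_m = SID_RE.search(line)
        if not sid_m:
            continue  # no sid, so it cannot be tracked across revisions
        sid = int(sid_m.group(1))
        rev_m = REV_RE.search(line)
        rev = int(rev_m.group(1)) if rev_m else 0
        normalized = ' '.join(REV_RE.sub('', line).split())
        rules[sid] = (normalized, rev)
    return rules


def classify_changes(old_text, new_text):
    """Sort every sid seen in either file into one of five buckets."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    result = {'added': [], 'deleted': [], 'rev_only': [],
              'substantive': [], 'unchanged': []}
    for sid in sorted(set(old) | set(new)):
        if sid not in old:
            result['added'].append(sid)
        elif sid not in new:
            result['deleted'].append(sid)
        else:
            old_rule, old_rev = old[sid]
            new_rule, new_rev = new[sid]
            if old_rule != new_rule:
                result['substantive'].append(sid)
            elif old_rev != new_rev:
                result['rev_only'].append(sid)
            else:
                result['unchanged'].append(sid)
    return result


def option_diff(old_rule, new_rule):
    """Return (options removed, options added) between two normalized rules.

    Splits the option body on ';', which is good enough to pinpoint a changed
    msg or content option but would mis-split an escaped ';' inside a content.
    """
    def opts(rule):
        body = rule[rule.index('(') + 1:rule.rindex(')')]
        return [o.strip() for o in body.split(';') if o.strip()]
    a, b = opts(old_rule), opts(new_rule)
    return [o for o in a if o not in b], [o for o in b if o not in a]


def report(old_text, new_text):
    """Human-readable summary: rev-only bumps are listed but not expanded."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    changes = classify_changes(old_text, new_text)
    lines = ['rev bump only (safe to skip review): %s' % changes['rev_only'],
             'added: %s  deleted: %s' % (changes['added'], changes['deleted'])]
    for sid in changes['substantive']:
        removed, added = option_diff(old[sid][0], new[sid][0])
        lines.append('sid %d changed: -%s +%s' % (sid, removed, added))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(OLD_RULES, NEW_RULES)))
```

The rev-only bucket is the list the poster can approve without reading, while anything in the substantive bucket still gets the usual review; a rule that acquires or loses options, changes its header, or is commented out never hides behind a rev bump.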