[Snort-sigs] Changes in rules - some not really changed.

David Kurtz dkurtz at ...165...
Thu Jun 6 08:20:02 EDT 2002


Looks like there was a typo in the msg portion of the first one: IMCP vs
ICMP in the second.

-Dave

-----Original Message-----
From: Imran William Smith [mailto:iwsmith at ...500...]
Sent: Wednesday, June 05, 2002 7:54 PM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Changes in rules - some not really changed.


Quite often it seems that a huge number of rules are changed,
yet analysis often reveals it's only the revision ID that has changed,
and nothing else.

We try to analyse all rule changes before implementing them
in our live rulesets.  These massive changes play havoc with
that policy, and we just have to implement all the changes blindly.

For example, our 'what's changed script' picked up the following
change within the last 24 hours:


Changes found to file icmp.rules :
Line(s) deleted:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IMCP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:2;)

Line(s) added:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)


Is there any way to weed out these 'no change' changes in future?

Thanks


--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia
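One way to weed out the 'no change' changes the post asks about, as an added example (not code from the post, the poster's script, or the Snort project): key both rule files by sid, drop the rev option before comparing, normalise option spacing, and report a sid as "rev-only" when nothing but the rev number moved. Run over the sid 499 pair quoted above it still reports a change, because the msg text did change (IMCP -> ICMP), which is exactly the distinction a review policy wants. The sample rule files below are constructed for the example; the sid 499 rules are the ones quoted in the post, re-joined onto single lines, and sids 1000001-1000004 are made-up local rules.

```python
"""Diff two Snort rule files by sid and separate real edits from rev-only bumps.

Added example, not code from the post or the Snort project. Assumes classic
rule syntax: `action proto src sport -> dst dport (key:val; ...)`, one rule per
logical line, with `\` line continuation allowed.
"""
import re
from pprint import pprint

SID_RE = re.compile(r'^sid:(\d+)$')
REV_RE = re.compile(r'^rev:(\d+)$')

def logical_lines(text):
    """Yield rule lines, joining physical lines that end with a backslash."""
    buf = ''
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
        else:
            yield buf + line
            buf = ''

def split_options(body):
    """Split on ';' outside double quotes; backslash escapes (\; \") are honoured."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == ';' and not in_quote:
            opts.append(''.join(cur))
            cur = []
            continue
        if not escaped and ch == '"':
            in_quote = not in_quote
        escaped = (ch == '\\') and not escaped
        cur.append(ch)
    opts.append(''.join(cur))
    return [o.strip() for o in opts if o.strip()]

def normalise(opt):
    """Canonicalise `key : value` spacing so cosmetic whitespace is not a diff."""
    key, sep, val = opt.partition(':')
    return key.strip() + sep + val.strip()

def parse_rule(line):
    """Return (sid, rev, header, options) with rev left out of options, or None."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    start, end = line.find('('), line.rfind(')')
    if start < 0 or end < start:
        raise ValueError('malformed rule: ' + line)
    header = ' '.join(line[:start].split())   # collapse header whitespace
    sid = rev = None
    options = []
    for opt in map(normalise, split_options(line[start + 1:end])):
        m = SID_RE.match(opt)
        if m:
            sid = int(m.group(1))
        m = REV_RE.match(opt)
        if m:
            rev = int(m.group(1))
            continue                           # tracked separately, never compared
        options.append(opt)
    if sid is None:
        raise ValueError('rule without sid: ' + line)
    return sid, rev, header, options

def load_rules(text):
    """Map sid -> (rev, header, options) for every rule in a rules file."""
    parsed = (parse_rule(l) for l in logical_lines(text))
    return {sid: (rev, hdr, opts) for sid, rev, hdr, opts in (p for p in parsed if p)}

def classify_changes(old_text, new_text):
    """Return {'added', 'deleted', 'rev_only': [sid], 'changed': {sid: {...}}}.

    rev_only holds sids where only the rev number moved; a sid whose header or
    any option differs is 'changed' even when its rev was bumped as well.
    """
    old, new = load_rules(old_text), load_rules(new_text)
    result = {'added': sorted(new.keys() - old.keys()),
              'deleted': sorted(old.keys() - new.keys()),
              'rev_only': [], 'changed': {}}
    for sid in sorted(old.keys() & new.keys()):
        (orev, ohdr, oopts), (nrev, nhdr, nopts) = old[sid], new[sid]
        removed = ([ohdr] if ohdr != nhdr else []) + [o for o in oopts if o not in nopts]
        added = ([nhdr] if ohdr != nhdr else []) + [n for n in nopts if n not in oopts]
        if removed or added:
            result['changed'][sid] = {'removed': removed, 'added': added}
        elif orev != nrev:
            result['rev_only'].append(sid)
    return result

# Constructed sample files: sid 499 is the pair quoted in the post, re-joined
# onto single lines; sids 1000001-1000004 are made-up local rules.
OLD_RULES = r'''# icmp.rules, before the update
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IMCP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL syn to web"; \
    flags:S; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL unchanged"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"LOCAL dropped rule"; sid:1000003; rev:1;)
'''
NEW_RULES = r'''# icmp.rules, after the update
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL syn to web"; flags:S; sid:1000001; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"LOCAL unchanged"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL added rule"; sid:1000004; rev:1;)
'''

if __name__ == '__main__':
    pprint(classify_changes(OLD_RULES, NEW_RULES))
```

On the sample, sid 1000001 comes out as rev-only (safe to take blindly), sid 499 is reported as changed with the old and new msg option side by side, and 1000003/1000004 show up as deleted/added. Option order is deliberately ignored, so a reordering plus rev bump is also rev-only; if your policy treats reordering as a change, compare the option lists directly instead of as sets.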






_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs