[Snort-sigs] Duplicate sids (again)

Lay, James james.lay at ...3513...
Wed Dec 29 10:23:38 EST 2010


So...I'm using the rulesets from what I thought was the repo:

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz

Was this the right one to not get duplicate sids?  Just snagged this and
still seeing dup sids:

 

grep 2520144 *

emerging-tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)

 

Did something change while I slept?  Thanks.

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704
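
The grep above finds one sid at a time; the following is an added example, not part of the original post and not Snort or Emerging Threats code, that scans a whole set of rule files for sids defined more than once and says whether the copies are identical text (as in the two files shown above) or conflicting. The function names and the sample rules are constructed for illustration, and the sample addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def iter_rules(text):
    """Yield active rules, joining backslash-continued lines and skipping comments."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        rule, pending = (pending + line).strip(), ""
        if rule and not rule.startswith("#"):
            yield rule

def find_duplicate_sids(files):
    """files: {filename: rule text}. Return {sid: [(filename, rev, rule), ...]} for repeated sids."""
    seen = defaultdict(list)
    for name, text in files.items():
        for rule in iter_rules(text):
            m = SID_RE.search(rule)
            if m:
                rev = REV_RE.search(rule)
                seen[int(m.group(1))].append((name, int(rev.group(1)) if rev else None, rule))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}

def classify(hits):
    """'identical' if every copy has the same whitespace-normalized text, else 'conflict'."""
    texts = {" ".join(rule.split()) for _, _, rule in hits}
    return "identical" if len(texts) == 1 else "conflict"

# Constructed sample input shaped like the grep output in the post (placeholder addresses).
TOR_RULE = ('alert tcp [192.0.2.1,192.0.2.2] any -> $HOME_NET any '
            '(msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; '
            'classtype:misc-attack; sid:2520144; rev:704;)')
SAMPLE = {
    "emerging-tor.rules": TOR_RULE + "\n",
    "tor.rules": "# header comment\n" + TOR_RULE + "\n",
    "local.rules": 'alert tcp any any -> $HOME_NET 22 (msg:"local test"; sid:1000001; rev:1;)\n'
                   '#alert tcp any any -> any any (msg:"disabled"; sid:1000001; rev:1;)\n',
}

if __name__ == "__main__":
    for sid, hits in sorted(find_duplicate_sids(SAMPLE).items()):
        print(sid, classify(hits), [name for name, _, _ in hits])
```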

 
