[Snort-sigs] [Emerging-Sigs] Duplicate sids (again)

Weir, Jason jason.weir at ...3410...
Wed Dec 29 10:30:30 EST 2010


James,
 
There was a problem with this last week.  How often do you update your
rules?  In the archive you list - there is no tor.rules file and sid
2520144 only occurs once in emerging-tor.rules.  Maybe you need to clean
out your rules folder and your snort.conf file.
 
-Jason

-----Original Message-----
From: emerging-sigs-bounces at ...3335...
[mailto:emerging-sigs-bounces at ...3335...] On Behalf Of Lay,
James
Sent: Wednesday, December 29, 2010 10:24 AM
To: snort-sigs at lists.sourceforge.net; emerging-sigs at ...3335...
Subject: [Emerging-Sigs] Duplicate sids (again)



So...I'm using the rulesets from what I thought was the repo:

 

http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz

 

Was this the right one to not get duplicate sids?  Just snagged this and
still seeing dup sids:

 

grep 2520144 *

emerging-tor.rules:alert tcp
[87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,
87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any
-> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)";
flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules;
threshold: type limit, track by_src, seconds 60, count 1;
classtype:misc-attack; sid:2520144; rev:704;)

 

tor.rules:alert tcp
[87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,
87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any
-> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)";
flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules;
threshold: type limit, track by_src, seconds 60, count 1;
classtype:misc-attack; sid:2520144; rev:704;)

 

Did something change while I slept?  Thanks.

 

James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704
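
An added example, not part of the original thread or of any Emerging Threats tooling: a Python check for the situation discussed above, listing every sid that more than one active rule defines and every .rules file on disk that the current archive does not ship. The function names are hypothetical, the sample rule is constructed with documentation addresses, and the code assumes one rule per line and the default generator id.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
# Constructed sample rule (documentation address range, not the real Tor list).
SAMPLE_RULE = ('alert tcp [192.0.2.10,192.0.2.11] any -> $HOME_NET any '
               '(msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; '
               'classtype:misc-attack; sid:2520144; rev:704;)\n')

def find_duplicate_sids(rules_dir):
    """Map each sid defined by more than one active rule to its locations."""
    seen = defaultdict(list)
    for path in sorted(Path(rules_dir).glob("*.rules")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue  # blank line, comment, or disabled rule
            sid = SID_RE.search(line)
            if sid:
                rev = REV_RE.search(line)
                seen[int(sid.group(1))].append(
                    (path.name, lineno, int(rev.group(1)) if rev else None))
    return {s: hits for s, hits in seen.items() if len(hits) > 1}

def stale_rule_files(rules_dir, archive_names):
    """Rule files on disk that the freshly downloaded archive does not ship."""
    shipped = set(archive_names)
    return sorted(p.name for p in Path(rules_dir).glob("*.rules")
                  if p.name not in shipped)

def build_sample(rules_dir):
    """Recreate the thread's situation: a leftover tor.rules beside the
    current emerging-tor.rules, which also holds one disabled copy."""
    d = Path(rules_dir)
    (d / "emerging-tor.rules").write_text("#" + SAMPLE_RULE + SAMPLE_RULE)
    (d / "tor.rules").write_text(SAMPLE_RULE)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("duplicate sids:", find_duplicate_sids(tmp))
        print("not in archive:", stale_rule_files(tmp, ["emerging-tor.rules"]))
```

Pass `stale_rule_files` the file names listed in the downloaded archive; any file it reports that snort.conf still includes is a candidate source of the duplicate.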
