[Snort-sigs] [Emerging-Sigs] Duplicate sids (again)

Matthew Jonkman jonkman at ...829...
Wed Dec 29 10:41:17 EST 2010


These are the same rules, but the tor.rules are distributed in a different tarball. Could you have the remains of a previous download in the directory?

Just checked and only the emerging-tor.rules is in the open-nogpl tarball.

Can you see if that might be the case? Thanks!


----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

On Dec 29, 2010, at 10:23 AM, "Lay, James" <james.lay at ...3513...> wrote:

> So…I’m using the rulesets from what I thought was the repo:
>
> http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
>
> Was this the right one to not get duplicate sids?  Just snagged this and still seeing dup sids:
>
> grep 2520144 *
>
> emerging-tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)
>
> tor.rules:alert tcp [87.119.103.37,87.123.26.143,87.143.251.238,87.147.11.67,87.157.91.50,87.171.103.26,87.194.125.162,87.21.39.166,87.220.58.85,87.227.83.103] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node TCP Traffic (73)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/TorRules; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520144; rev:704;)
>
> Did something change while I slept?  Thanks.
>
> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
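
The check discussed in this thread, written out as an added example that is not part of either message or of any Emerging Threats tooling: it scans a rules directory for sids defined more than once and separates byte-identical copies (the leftover-file case suggested in the reply) from same-sid rules whose text differs. The function names, the sample sids and the sample addresses are constructed for illustration.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def find_duplicate_sids(rules_dir):
    """Map each sid defined more than once to its (file, rev, digest) entries."""
    seen = defaultdict(list)
    for path in sorted(Path(rules_dir).glob("*.rules")):
        for line in path.read_text(errors="replace").splitlines():
            line = line.strip()
            if not line or line.startswith("#"):  # skip blanks and disabled rules
                continue
            sid = SID_RE.search(line)
            if sid is None:
                continue
            rev = REV_RE.search(line)
            digest = hashlib.sha256(line.encode()).hexdigest()
            seen[int(sid.group(1))].append(
                (path.name, int(rev.group(1)) if rev else None, digest))
    return {sid: hits for sid, hits in seen.items() if len(hits) > 1}


def classify(hits):
    """'stale-copy' if every duplicate is byte-identical, else 'conflict'."""
    return "stale-copy" if len({d for _, _, d in hits}) == 1 else "conflict"


def demo():
    # Constructed sample rules (documentation addresses, made-up sids).
    tor = ('alert tcp [192.0.2.10,192.0.2.11] any -> $HOME_NET any '
           '(msg:"sample tor rule"; flags:S; sid:9000001; rev:3;)')
    other = ('alert tcp any any -> $HOME_NET 80 '
             '(msg:"sample web rule"; sid:9000002; rev:1;)')
    with tempfile.TemporaryDirectory() as d:
        Path(d, "emerging-tor.rules").write_text(tor + "\n")
        Path(d, "tor.rules").write_text("# leftover from an older tarball\n" + tor + "\n")
        Path(d, "emerging-web.rules").write_text(other + "\n")
        Path(d, "local.rules").write_text(other.replace("rev:1", "rev:2") + "\n")
        return {sid: (classify(h), [f for f, _, _ in h])
                for sid, h in find_duplicate_sids(d).items()}


if __name__ == "__main__":
    for sid, (kind, files) in sorted(demo().items()):
        print(sid, kind, ", ".join(files))
```

A "stale-copy" result means one of the listed files can be removed after confirming it is not in the current tarball; a "conflict" result means two different rules share a sid and needs a manual look.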