[Snort-users] Snort 2.8 and SID on pass- and alert-rules
vho at ...14224...
Thu Oct 18 07:38:48 EDT 2007
We have just tried Snort 2.8 on one of our test-sensors, and discovered
a new "feature" not mentioned in the release notes:
As an example: In our ruleset, we have one alert-rule with SID 1234. But
for this rule, we create some pass-rules, also with SID 1234. This way
it's easy to keep tracking of which pass-rules an alert-rule have, and
But with Snort 2.8, this is not possible. Snort 2.8 will not start, and
complain that we already have a rule with SID 1234.
What is the reason for this change, since it's not mentioned in the
release notes? Or is it just a bug?
More information about the Snort-users