[Snort-users] Snort 2.8 and SID on pass- and alert-rules

Vidar Hoel vho at ...14224...
Thu Oct 18 07:38:48 EDT 2007


We have just tried Snort 2.8 on one of our test-sensors, and discovered
a new "feature" not mentioned in the release notes:

As an example: In our ruleset, we have one alert-rule with SID 1234. But
for this rule, we create some pass-rules, also with SID 1234. This way
it's easy to keep track of which pass-rules an alert-rule has, and
vice versa.

But with Snort 2.8, this is not possible. Snort 2.8 will not start, and
complains that we already have a rule with SID 1234.

What is the reason for this change, since it's not mentioned in the
release notes? Or is it just a bug?

Best regards,
Vidar Hoel
Telenor SOC
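
A pre-upgrade check for the situation described in this post, as an added example that is not part of the original message: it lists every SID that more than one rule in a ruleset uses, with the action and line of each rule. The sample rules, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Rule actions that start a Snort rule line; anything else is skipped.
ACTIONS = ("alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop")
SID_RE = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")

# Constructed sample ruleset: one alert rule and three exceptions sharing its SID.
SAMPLE = r'''
# constructed sample ruleset
alert tcp any any -> $HOME_NET 80 (msg:"example web alert"; content:"/admin"; sid:1234; rev:1;)
pass tcp 192.0.2.10 any -> $HOME_NET 80 (msg:"scanner exception"; content:"/admin"; sid:1234; rev:1;)
pass tcp 192.0.2.11 any -> $HOME_NET 80 (msg:"monitoring exception"; \
    content:"/admin"; sid:1234; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"example ssh alert"; sid:1235; rev:1;)
'''

def iter_rules(text):
    """Yield (first_line_no, rule_text), joining backslash-continued lines."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, (buf + line).strip()
        buf, start = "", None

def find_duplicate_sids(text):
    """Return {sid: [(line_no, action), ...]} for SIDs used by more than one rule."""
    seen = defaultdict(list)
    for no, rule in iter_rules(text):
        fields = rule.split(None, 1)
        if not fields or fields[0] not in ACTIONS:
            continue  # comments, blank lines, var/include/config directives
        match = SID_RE.search(rule)
        if match:
            seen[int(match.group(1))].append((no, fields[0]))
    return {sid: uses for sid, uses in seen.items() if len(uses) > 1}

if __name__ == "__main__":
    for sid, uses in sorted(find_duplicate_sids(SAMPLE).items()):
        print(f"SID {sid} is used by {len(uses)} rules:")
        for no, action in uses:
            print(f"  line {no}: {action}")
```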
