[Snort-users] The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2

Joel Esler jesler at ...1935...
Wed Mar 10 10:08:28 EST 2010


Bai,

Each rule must have it's own sid.  This changed, I think, back in 2.7.x

Joel

On Wed, Mar 10, 2010 at 9:59 AM, bai haoquan <baihaoquan at ...11827...> wrote:

> Hi,
>
> I had already update my snort from 2.6.1 to 2.8.5.2, my old snort is used
> in a web project, and in this project, the user's rules is generated
> automatically. In these rules, there are some rules with the same sid, for
> example :
>
>     alert TCP 192.168.123.110 any -> 192.168.123.113 1111 (msg:"tcp";
> content:"tcp";sid:1000001;)
>     alert UDP 192.168.123.110 any -> 192.168.123.113 1234 (msg:"udp";
> content:"udp";sid:1000001;)
>
> these rules cause errors in the new version 2.8.5.2 when start the snort
> but not in the old version 2.6.1. Of cause I know that  I should make the
> rules generate different sid (1000001, 1000002 ...), but now for some
> reasons difficult to do this,* I want to know if there are some way to
> make "the same sid in rules" also work, and not cause errors in the version
> 2.8.5.2,*  please help me to fix this problem if there is someway to do
> this. Tkank you very much.
>
>


-- 
Joel Esler
302-223-5974
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100310/711159ea/attachment.html>


More information about the Snort-users mailing list