[Snort-users] The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2

Matt Olney molney at ...1935...
Wed Mar 10 15:19:04 EST 2010


er......I'd get in the source code and muck around.

But honestly, this is silly.  Don't do this.

Matt

On Wed, Mar 10, 2010 at 9:59 AM, bai haoquan <baihaoquan at ...11827...> wrote:
> Hi,
> I had already update my snort from 2.6.1 to 2.8.5.2, my old snort is used in
> a web project, and in this project, the user's rules is generated
> automatically. In these rules, there are some rules with the same sid, for
> example :
>
>     alert TCP 192.168.123.110 any -> 192.168.123.113 1111 (msg:"tcp";
> content:"tcp";sid:1000001;)
>     alert UDP 192.168.123.110 any -> 192.168.123.113 1234 (msg:"udp";
> content:"udp";sid:1000001;)
> these rules cause errors in the new version 2.8.5.2 when start the snort but
> not in the old version 2.6.1. Of cause I know that  I should make the rules
> generate different sid (1000001, 1000002 ...), but now for some reasons
> difficult to do this, I want to know if there are some way to make "the same
> sid in rules" also work, and not cause errors in the version
> 2.8.5.2,  please help me to fix this problem if there is someway to do this.
> Tkank you very much.
>
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list