[Snort-users] Question on new rules naming

Lay, James james.lay at ...15009...
Wed Oct 24 17:30:01 EDT 2012


Team,

Are the new rule names new, or are they replacing the old-name rulesets?  I
ask due to:

Oct 24 15:25:31 10.10.254.110 snort[6176]:
/opt/etc/snort/rules/VRT-shellcode.rules(11) GID 1 SID 14986 duplicates
previous rule. Using higher revision.

<a bunch more snipped>

Oct 24 15:25:31 10.10.254.110 snort[6176]:
/opt/etc/snort/rules/VRT-shellcode.rules(63) GID 1 SID 23236 duplicates
previous rule. Using higher revision.

VRT-indicator-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5;)

VRT-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:4;)

Should I remove shellcode.rules and just use indicator-shellcode.rules?
Thanks all.

James
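The warnings above come from Snort finding the same GID/SID in two files and keeping the copy with the higher rev. The script below is an added example (not part of the post and not Snort's or the VRT's code) that does that same duplicate check ahead of time across a set of rule files, so you can see which copy wins and whether an old file can be dropped without losing a rule that only exists there. The two sample "files" are constructed inline from the rules quoted in the post plus one extra rule (sid:23236, which the log mentions but the post does not quote, so its body here is made up); how Snort resolves two copies with an equal rev is not stated on the page, so the script only flags that case as a tie.

```python
import re
from collections import defaultdict

# Constructed sample rule files (name -> contents), modelled on the two rules
# quoted in the post. In real use, read these from the rules directory on disk.
SAMPLE_FILES = {
    "VRT-indicator-shellcode.rules": (
        'alert ip $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; '
        'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, '
        'policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5;)\n'
        '# commented-out rules are ignored, as Snort ignores them\n'
        '# alert tcp any any -> any any (msg:"disabled"; sid:99999; rev:1;)\n'
    ),
    "VRT-shellcode.rules": (
        'alert ip $EXTERNAL_NET any -> $HOME_NET any '
        '(msg:"SHELLCODE x86 fldz get eip shellcode"; '
        'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, '
        'policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:4;)\n'
        # Constructed body: the real sid 23236 rule is not quoted in the post.
        'alert tcp any any -> any any (msg:"placeholder rule only in this file"; sid:23236; rev:2;)\n'
    ),
}

OPT_RE = re.compile(r'\b(gid|sid|rev):\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:\s*"((?:[^"\\]|\\.)*)"')


def parse_rule(line):
    """Return (gid, sid, rev, msg) for an active rule line, or None for blank/comment lines.
    gid defaults to 1 and rev to 0 when the option is absent, matching Snort's defaults."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = {k: int(v) for k, v in OPT_RE.findall(line)}
    if "sid" not in opts:
        return None
    m = MSG_RE.search(line)
    return (opts.get("gid", 1), opts["sid"], opts.get("rev", 0), m.group(1) if m else "")


def index_rules(files):
    """Map (gid, sid) -> list of (filename, lineno, rev, msg) over every active rule."""
    index = defaultdict(list)
    for fname, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            parsed = parse_rule(line)
            if parsed:
                gid, sid, rev, msg = parsed
                index[(gid, sid)].append((fname, lineno, rev, msg))
    return index


def find_duplicates(files):
    """For each GID/SID defined more than once, report the highest-rev copy as the winner
    (what the 'Using higher revision' log line describes) and the rest as shadowed.
    'tie' is set when another copy has the same rev as the winner."""
    report = {}
    for key, entries in index_rules(files).items():
        if len(entries) < 2:
            continue
        ranked = sorted(entries, key=lambda e: e[2], reverse=True)
        winner, losers = ranked[0], ranked[1:]
        tie = any(e[2] == winner[2] for e in losers)
        report[key] = {"winner": winner, "losers": losers, "tie": tie}
    return report


def files_fully_shadowed(files):
    """Files in which every active rule loses to a strictly higher-rev copy elsewhere.
    Only these can be removed without dropping a rule that exists nowhere else."""
    dups = find_duplicates(files)
    total, lost = defaultdict(int), defaultdict(int)
    for key, entries in index_rules(files).items():
        for entry in entries:
            total[entry[0]] += 1
            d = dups.get(key)
            if d and not d["tie"] and entry in d["losers"]:
                lost[entry[0]] += 1
    return sorted(f for f, n in total.items() if n and lost[f] == n)


if __name__ == "__main__":
    for (gid, sid), d in sorted(find_duplicates(SAMPLE_FILES).items()):
        w = d["winner"]
        flag = " [tie: same rev]" if d["tie"] else ""
        print(f"GID {gid} SID {sid}: keeping {w[0]}({w[1]}) rev {w[2]}{flag}")
        for f, ln, rev, msg in d["losers"]:
            print(f"  shadowed: {f}({ln}) rev {rev} msg={msg!r}")
    print("files safe to drop:", files_fully_shadowed(SAMPLE_FILES) or "none")
```

On the constructed sample the run reports SID 14986 as kept from VRT-indicator-shellcode.rules (rev 5) with the rev 4 copy in VRT-shellcode.rules shadowed, but lists no file as safe to drop, because the placeholder sid 23236 rule exists only in VRT-shellcode.rules; the same check against the real files would show whether anything in the old-name file lacks a counterpart in the new one.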
