[Snort-users] Question on new rules naming

Lay, James james.lay at ...15009...
Thu Oct 25 10:12:52 EDT 2012


Thanks Joel.


James


From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Wednesday, October 24, 2012 9:05 PM
To: Lay, James
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Question on new rules naming


Let me check. I think I know the issue.  

Sent from my iPhone


On Oct 24, 2012, at 5:30 PM, "Lay, James" <james.lay at ...15009...> wrote:

	Team,


	Are the new rule names new, or are they replacing the old-name rulesets?  I ask due to:

	Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(11) GID 1 SID 14986 duplicates previous rule. Using higher revision.

	<a bunch more snipped>

	Oct 24 15:25:31 10.10.254.110 snort[6176]: /opt/etc/snort/rules/VRT-shellcode.rules(63) GID 1 SID 23236 duplicates previous rule. Using higher revision.


	VRT-indicator-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:5;)


	VRT-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:shellcode-detect; sid:14986; rev:4;)


	Should I remove shellcode.rules and just use indicator-shellcode.rules?  Thanks all.


	James

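The log lines James quotes show what Snort does when two files carry the same GID:SID: it keeps the copy with the higher rev and logs that the other one is shadowed. The script below is an added example, not code from the thread, from Snort or from the VRT rule set: it scans a set of rule files, builds a GID:SID index and reports which copy wins, so a duplicate like sid 14986 (rev 4 in VRT-shellcode.rules, rev 5 in VRT-indicator-shellcode.rules) can be found before Snort is restarted. The sample rule files it writes are constructed from the two rules quoted above plus a hypothetical local rule (sid 1000001). It assumes a missing gid means GID 1 and a missing rev counts as 0; it does not assume how Snort breaks a tie between equal revisions and simply flags those for inspection.

```python
"""Find duplicate GID:SID pairs across Snort 2.x rule files and show which copy wins.
Added example for the thread above; not Snort's own code or the VRT rule set."""
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Rule options we care about. A keyword is preceded by '(' or ';' so that e.g. a
# "sid" inside the msg string is not picked up.
GID_RE = re.compile(r'[(;]\s*gid\s*:\s*(\d+)\s*;')
SID_RE = re.compile(r'[(;]\s*sid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'[(;]\s*rev\s*:\s*(\d+)\s*;')

# Constructed sample input modelled on the thread: the same sid in two files with
# different revs, a commented-out rule (must be ignored) and a hypothetical local
# rule (sid 1000001) written over two lines with a backslash continuation.
SAMPLE_RULES = {
    "VRT-indicator-shellcode.rules": [
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; '
        'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; '
        'classtype:shellcode-detect; sid:14986; rev:5;)',
        '# disabled rules are not loaded by Snort, so they must not count as duplicates',
        '# alert ip any any -> any any (msg:"disabled"; sid:23236; rev:9;)',
    ],
    "VRT-shellcode.rules": [
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; '
        'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; '
        'classtype:shellcode-detect; sid:14986; rev:4;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE hypothetical local rule"; \\',
        '    content:"abc"; sid:1000001; rev:2;)',
    ],
}


def iter_rules(path):
    """Yield (lineno, rule_text) for every active rule in a file.
    Blank lines and '#' comments are skipped; lines ending in '\\' are joined.
    lineno is the line the rule starts on, which is what Snort prints in its log."""
    buf, start = [], 0
    for n, raw in enumerate(Path(path).read_text().splitlines(), 1):
        line = raw.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith('#'):
                continue
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf)
        buf = []
    if buf:                      # file ended inside a continuation; report what we have
        yield start, ' '.join(buf)


def rule_key(text):
    """Return (gid, sid, rev) for one rule, or None if it has no sid.
    Assumptions: gid defaults to 1, rev defaults to 0 when absent."""
    sid = SID_RE.search(text)
    if not sid:
        return None
    gid = GID_RE.search(text)
    rev = REV_RE.search(text)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)), int(rev.group(1)) if rev else 0)


def scan_rules(paths):
    """Index every rule in the given files by (gid, sid) -> list of copies."""
    index = defaultdict(list)
    for p in paths:
        for lineno, text in iter_rules(p):
            key = rule_key(text)
            if key is None:
                continue
            gid, sid, rev = key
            index[(gid, sid)].append({'file': Path(p).name, 'line': lineno, 'rev': rev})
    return index


def find_duplicates(index):
    """For each GID:SID present more than once, rank copies by rev (highest first).
    'tie' is set when the top two revs are equal; Snort's tie-break is not assumed."""
    out = []
    for (gid, sid), copies in sorted(index.items()):
        if len(copies) < 2:
            continue
        ranked = sorted(copies, key=lambda c: c['rev'], reverse=True)
        out.append({'gid': gid, 'sid': sid, 'winner': ranked[0], 'losers': ranked[1:],
                    'tie': ranked[1]['rev'] == ranked[0]['rev']})
    return out


def report(dups):
    """Render duplicates as text lines in the spirit of Snort's own log message."""
    lines = []
    for d in dups:
        w = d['winner']
        head = f"GID {d['gid']} SID {d['sid']}: keeping {w['file']}:{w['line']} rev {w['rev']}"
        if d['tie']:
            head += "  [equal revisions: check which copy Snort keeps]"
        lines.append(head)
        lines += [f"    shadowed: {l['file']}:{l['line']} rev {l['rev']}" for l in d['losers']]
    return lines


def write_sample_rules(directory):
    """Write the constructed sample files into directory; returns their paths."""
    paths = []
    for name, lines in SAMPLE_RULES.items():
        p = Path(directory) / name
        p.write_text('\n'.join(lines) + '\n')
        paths.append(p)
    return paths


def demo():
    """Scan the constructed sample files; returns (index, duplicates, report lines)."""
    with tempfile.TemporaryDirectory() as d:
        index = scan_rules(write_sample_rules(d))
    dups = find_duplicates(index)
    return index, dups, report(dups)


if __name__ == '__main__':
    print('\n'.join(demo()[2]))   # point scan_rules() at /opt/etc/snort/rules/*.rules for real use
```

To run it against a live rules directory, replace the demo's temporary files with `scan_rules(Path('/opt/etc/snort/rules').glob('*.rules'))`. A duplicate whose losing copy sits in an older-named file (SHELLCODE vs INDICATOR-SHELLCODE) is the pattern James is seeing; a duplicate with equal revisions is the case worth a manual look, since the script deliberately does not guess which copy Snort keeps there.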
