[Snort-users] Question on new rules naming

Lay, James james.lay at ...15009...
Thu Oct 25 10:48:13 EDT 2012


Thanks Joel... just checked now and none of my rule sets are
empty... guessing this is a pp thing, so I'll head down that path.

 

James

 

From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Thursday, October 25, 2012 8:45 AM
To: Lay, James
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Question on new rules naming

 

Actually, I don't show an issue.  Shellcode.rules is empty now. 

 

You should remove it locally if your rule update system is not.

 

Many of the old categories are now empty, so if you could double check,
that'd be great.  Our rule pack today will also contain a bunch of
further-emptied categories.

 

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

 

On Oct 25, 2012, at 10:12 AM, "Lay, James" <james.lay at ...15009...>
wrote:





Thanks Joel.

 

James

 

From: Joel Esler [mailto:jesler at ...1935...] 
Sent: Wednesday, October 24, 2012 9:05 PM
To: Lay, James
Cc: <snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Question on new rules naming

 

Let me check. I think I know the issue.  

Sent from my iPhone


On Oct 24, 2012, at 5:30 PM, "Lay, James" <james.lay at ...15009...> wrote:

	Team,

	 

	Are the new rule names new, or are they replacing the old-name rulesets?  I ask due to:

	Oct 24 15:25:31 10.10.254.110 snort[6176]:
/opt/etc/snort/rules/VRT-shellcode.rules(11) GID 1 SID 14986 duplicates
previous rule. Using higher revision.

	<a bunch more snipped>

	Oct 24 15:25:31 10.10.254.110 snort[6176]:
/opt/etc/snort/rules/VRT-shellcode.rules(63) GID 1 SID 23236 duplicates
previous rule. Using higher revision.

	 

	VRT-indicator-shellcode.rules:alert ip $EXTERNAL_NET any ->
$HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode";
content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy
security-ips drop; classtype:shellcode-detect; sid:14986; rev:5;)

	 

	VRT-shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any
(msg:"SHELLCODE x86 fldz get eip shellcode"; content:"|D9 EE D9|t|24 F4|X";
metadata:policy balanced-ips drop, policy security-ips drop;
classtype:shellcode-detect; sid:14986; rev:4;)

	 

	Should I remove shellcode.rules and just use
indicator-shellcode.rules?  Thanks all.

	 

	James

	

	_______________________________________________
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
	https://lists.sourceforge.net/lists/listinfo/snort-users
	Snort-users list archive:
	http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

	Please visit http://blog.snort.org to stay current on all the latest Snort news!

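An added check for the situation James describes (example code written for this page, not from the thread, Snort or the VRT): scan the rule files a sensor loads, collect the GID/SID of every active rule, and report each SID present in more than one file together with the copy Snort keeps under its "Using higher revision" behaviour. The sample rule files are constructed inline from the two rules quoted above plus one made-up local rule; sid 1000001 is a placeholder, not a real signature.

```python
import re
from collections import defaultdict

# Constructed sample: the two rules quoted in the thread (same SID, rev 4 vs rev 5),
# a commented-out (disabled) rule, and a made-up local rule with placeholder sid 1000001.
RULE_FILES = {
    "VRT-indicator-shellcode.rules": (
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 fldz get eip shellcode"; '
        'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; '
        'classtype:shellcode-detect; sid:14986; rev:5;)\n'
        '# alert ip any any -> any any (msg:"disabled, must be ignored"; sid:14986; rev:1;)\n'
    ),
    "VRT-shellcode.rules": (
        'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE x86 fldz get eip shellcode"; '
        'content:"|D9 EE D9|t|24 F4|X"; metadata:policy balanced-ips drop, policy security-ips drop; '
        'classtype:shellcode-detect; sid:14986; rev:4;)\n'
        'alert tcp any any -> any any (msg:"LOCAL constructed rule"; \\\n'  # backslash continuation
        '    sid:1000001; rev:1;)\n'
    ),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return (gid, sid, rev) for each active rule; gid defaults to 1 as in Snort."""
    rules = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():  # join backslash-continued lines
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank and commented-out (disabled) rules
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        rev, gid = REV_RE.search(line), GID_RE.search(line)
        rules.append((int(gid.group(1)) if gid else 1, int(sid.group(1)),
                      int(rev.group(1)) if rev else 0))
    return rules

def find_duplicates(files):
    """Map (gid, sid) -> [(filename, rev), ...] for IDs loaded from more than one file."""
    seen = defaultdict(list)
    for name, text in files.items():
        for gid, sid, rev in parse_rules(text):
            seen[(gid, sid)].append((name, rev))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}

def kept_rule(hits):
    """Snort's 'Using higher revision': the copy with the highest rev wins."""
    return max(hits, key=lambda h: h[1])
```

Run `find_duplicates` over the text of every file listed in snort.conf; each reported SID is a category file that the new naming has superseded and that the update tool (or a manual cleanup) should drop.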

 
