[Snort-users] @snort alert
wkitty42 at ...14940...
Thu Nov 28 22:11:30 EST 2013
On 11/28/2013 2:44 AM, anagha b wrote:
> I have not specified any rule, just stated snort.
> Barnyard is giving the following o/p
> I have to specify my rule for detection? Snort must have a signature to detect
> this, then why this kind of o/p?
you have a local rule with SID 1000002 but that rule contains no revision
number... you should add a revision number to all rules you write and make sure
you increment that revision number any time* you modify the rule...
eg: alert tcp any any -> any any (msg: "TCP packet detected!"; sid: 1; rev: 1;)
* "any time" meaning any time the rule has major changes in the detection
portion... many systems use a CVS/SVN to keep their rules in for tracking
changes... the revision number in the rule helps those working with the alerts
to know exactly which version of the rule they are dealing with...
NOTE: No off-list assistance is given without prior approval.
Please keep mailing list traffic on the list unless
private contact is specifically requested and granted.
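Added example, not part of the original post: a small check that flags local rules with no rev and rules whose detection portion changed between two copies of a rules file without the rev being incremented. The sample file contents are constructed, and treating msg, reference, classtype, priority and metadata as outside the detection portion is an assumption of this example.

```python
import re

RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s+[^(]*\((.*)\)\s*$')
# One "name;" or "name: value;" option; quoted values may contain ';' or ')'.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:[^"\\]|\\.)*"|[^;"])*))?;')
# Options treated here as not part of detection (an assumption of this example).
NON_DETECTION = {'sid', 'rev', 'msg', 'reference', 'classtype', 'priority', 'metadata'}

def parse_rules(text):
    """Map sid -> (rev or None, fingerprint of header + detection options)."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # comment, blank line, or not a single-line rule
        opts = [(k, v.strip()) for k, v in OPTION_RE.findall(m.group(1))]
        fields = dict(opts)
        if not fields.get('sid', '').isdigit():
            continue
        header = ' '.join(line[:line.index('(')].split())
        detection = tuple(o for o in opts if o[0] not in NON_DETECTION)
        rev = int(fields['rev']) if fields.get('rev', '').isdigit() else None
        rules[int(fields['sid'])] = (rev, (header, detection))
    return rules

def lint(old_text, new_text):
    """Return [(sid, problem)] for the new rules, compared with the old file."""
    old, new = parse_rules(old_text), parse_rules(new_text)
    findings = []
    for sid, (rev, fp) in sorted(new.items()):
        if rev is None:
            findings.append((sid, 'missing rev'))
        elif sid in old and old[sid][1] != fp and old[sid][0] is not None and rev <= old[sid][0]:
            findings.append((sid, 'detection changed, rev not incremented'))
    return findings

# Constructed sample rule files (previous and current local.rules).
OLD = '''alert tcp any any -> any any (msg: "TCP packet detected!"; sid: 1; rev: 1;)
alert tcp any any -> any 80 (msg:"HTTP admin path"; content:"/admin"; sid:1000003; rev:2;)
alert icmp any any -> any any (msg:"ICMP seen"; sid:1000004; rev:1;)'''
NEW = '''alert tcp any any -> any any (msg: "TCP packet detected!"; sid: 1; rev: 1;)
alert icmp any any -> any any (msg:"ICMP test"; sid:1000002;)
alert tcp any any -> any 80 (msg:"HTTP admin path"; content:"/admin"; nocase; sid:1000003; rev:2;)
alert icmp any any -> any any (msg:"ICMP seen (renamed)"; sid:1000004; rev:1;)'''

if __name__ == '__main__':
    for sid, problem in lint(OLD, NEW):
        print(f'sid {sid}: {problem}')
```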