[Snort-users] @snort alert

waldo kitty wkitty42 at ...14940...
Thu Nov 28 22:11:30 EST 2013


On 11/28/2013 2:44 AM, anagha b wrote:
> I have not specified any rule, just started snort.
>
> Barnyard giving following o/p
[trim]
> I have to specify my rule for detection ? Snort must have signature to detect
> this then why this kind of o/p?

you have a local rule with SID 1000002 but that rule contains no revision 
number... you should add a revision number to all rules you write and make sure 
you increment that revision number any time* you modify the rule...

eg: alert tcp any any -> any any (msg: "TCP packet detected!"; sid: 1; rev: 1;)


* "any time" meaning any time the rule has major changes in the detection 
portion... many systems use a CVS/SVN to keep their rules in for tracking 
changes... the revision number in the rule helps those working with the alerts 
to know exactly which version of the rule they are dealing with...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
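An added example illustrating the sid/rev convention from the reply above (this is not code from the post or from the Snort project). It is a small Python checker that parses a local.rules file, reports rules that carry a sid but no rev, and, given two successive versions of the file, flags rules whose detection portion changed without the rev being incremented. The two rule files are constructed sample input; the set of options treated as "not part of detection" (msg, reference, classtype, and so on) is an assumption of this checker, not a Snort definition, and the parser is a deliberately lightweight heuristic rather than Snort's own rule parser.

```python
import re

# Constructed sample input: an older and a newer copy of local.rules.
# SID 1000002 has no rev at all (the situation in the thread);
# SID 1000003's content changed without a rev bump; SID 1000004 only changed its msg.
OLD_RULES = """
alert tcp any any -> any any (msg:"TCP packet detected!"; sid:1000002;)
alert tcp any any -> any 80 (msg:"HTTP GET seen"; content:"GET "; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo"; itype:8; sid:1000004; rev:2;)
"""
NEW_RULES = """
alert tcp any any -> any any (msg:"TCP packet detected!"; sid:1000002; rev:1;)
alert tcp any any -> any 80 (msg:"HTTP GET seen"; content:"GET /admin"; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000004; rev:2;)
"""

RULE_RE = re.compile(r'^(?P<header>[^(]+)\((?P<options>.*)\)\s*$')

# Assumption: these options describe or annotate a rule but do not change what it matches.
NON_DETECTION = {'msg', 'rev', 'sid', 'gid', 'classtype', 'reference', 'priority', 'metadata'}


def split_options(s):
    """Split the option body on ';' while ignoring ';' inside double quotes or escaped with '\\'."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == '\\' and i + 1 < len(s):      # keep escape sequences intact
            buf.append(s[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ';' and not in_quote:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def parse_rules(text):
    """Return {sid: {'header': str, 'options': [(key, value), ...]}} for each active rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        opts = []
        for opt in split_options(m.group('options')):
            key, _, value = opt.partition(':')   # 'sid: 1' and 'sid:1' both parse
            opts.append((key.strip(), value.strip()))
        optmap = dict(opts)
        if 'sid' not in optmap:
            continue                             # nothing to track a rule by
        rules[int(optmap['sid'])] = {'header': m.group('header').strip(), 'options': opts}
    return rules


def missing_rev(rules):
    """SIDs of rules that have no rev option at all."""
    return sorted(sid for sid, r in rules.items() if 'rev' not in dict(r['options']))


def detection_signature(rule):
    """The header plus every option that affects matching; msg/reference edits do not count."""
    return (rule['header'], tuple((k, v) for k, v in rule['options'] if k not in NON_DETECTION))


def stale_revs(old, new):
    """SIDs whose detection portion changed between old and new without rev going up."""
    stale = []
    for sid, rule in new.items():
        if sid in old and detection_signature(old[sid]) != detection_signature(rule):
            old_rev = int(dict(old[sid]['options']).get('rev', 0))
            new_rev = int(dict(rule['options']).get('rev', 0))
            if new_rev <= old_rev:
                stale.append(sid)
    return sorted(stale)


if __name__ == '__main__':
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    print('rules without rev (old file):', missing_rev(old))        # [1000002]
    print('rules without rev (new file):', missing_rev(new))        # []
    print('detection changed, rev not bumped:', stale_revs(old, new))  # [1000003]
```

Running this against two checked-in copies of local.rules (for example the previous and current revision from the version control system the reply mentions) gives a quick pre-commit gate: anything listed by stale_revs will produce alerts that look identical to the old rule's alerts in Barnyard output even though the detection logic differs.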