[Snort-users] Local rules with same sids and snort works!

fatema bannatwala fatema.bannatwala at ...11827...
Wed Nov 9 13:19:48 EST 2016


Hi All,

Just realized that I have two rules in my local.rules file with same sid,
and snort works just fine!!
I always had in my head that sids should have to be unique, but today when
I was going through the local.rules file, I realized that someone from our
team had created a new rule and assigned it a same sid that a previous rule
had.
I couldn't catch it before because snort was running just fine without any
complains on duplicate sids.

Have I missed this change in the current (or 2.9 version) of snort or is it
something else?

Quick points: I have local.rules enabled in snort.conf and pulled pork is
not modifying anything regarding local rules so they should get loaded as
it is, and above all I am getting alerts for one of the rules having
duplicate sid, but no alerts for the other rule having same sid.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Thanks,
Fatema.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161109/f44d0631/attachment.html>


More information about the Snort-users mailing list