[Snort-users] Local rules with same sids and snort works!
fatema.bannatwala at ...11827...
Wed Nov 9 13:40:40 EST 2016
Well, the rules have same rev numbers, and the order is like this:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy
client detected"; flow: to_server,established; content:"X-Forwarded-";
http_header; reference:url,http:/ /
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely
Successful Generic Phish 2016-09-23"; flow:to_server,established;
content:"POST"; http_method; content:".php"; http_uri; content:"netid=";
depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0;
classtype:trojan-activity; sid:10001030; rev:1;)
I only get alerts from the second one now, i.e phishing one, and haven't
gotten any alert triggered for the first rule.
Previously, when I had only the first rule, I used to get lot of alerts for
people using proxy, but ever since the second alert got added I realized
that the first rule stopped triggering anymore.
On Wed, Nov 9, 2016 at 1:28 PM, Joel Esler (jesler) <jesler at ...589...>
> You can have duplicate SIDS. The rule with the highest rev will override
> the lower rev rule, otherwise Snort will take the first rule it gets to,
> and ignore the other one.
> It’s been this way for several years.
> *Joel Esler *| *Talos:* Manager | jesler at ...589...
> On Nov 9, 2016, at 1:19 PM, fatema bannatwala <fatema.bannatwala at ...13704......>
> Hi All,
> Just realized that I have two rules in my local.rules file with same sid,
> and snort works just fine!!
> I always had in my head that sids should have to be unique, but today when
> I was going through the local.rules file, I realized that someone from our
> team had created a new rule and assigned it a same sid that a previous rule
> I couldn't catch it before because snort was running just fine without any
> complains on duplicate sids.
> Have I missed this change in the current (or 2.9 version) of snort or is
> it something else?
> Quick points: I have local.rules enabled in snort.conf and pulled pork is
> not modifying anything regarding local rules so they should get loaded as
> it is, and above all I am getting alerts for one of the rules having
> duplicate sid, but no alerts for the other rule having same sid.
> Snort version - 220.127.116.11
> barnyard version - 2-1.9
> pulledpork - 0.7.0
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi_______
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users