[Snort-users] Local rules with same sids and snort works!

fatema bannatwala fatema.bannatwala at ...11827...
Wed Nov 9 13:40:40 EST 2016

Well, the rules have same rev numbers, and the order is like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"HTTP Proxy
client detected"; flow: to_server,established; content:"X-Forwarded-";
http_header; reference:url,http:/           /
www.forensicswiki.org/wiki/Proxy_server; classtype:policy-violation;
sid:10001030; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Custom Likely
Successful Generic Phish 2016-09-23"; flow:to_server,established;
content:"POST"; http_method; content:".php"; http_uri; content:"netid=";
depth:10; fast_pattern; http_client_body; content:"&pword="; distance:0;
classtype:trojan-activity; sid:10001030; rev:1;)

I only get alerts from the second one now, i.e phishing one, and haven't
gotten any alert triggered for the first rule.
Previously, when I had only the first rule, I used to get lot of alerts for
people using proxy, but ever since the second alert got added I realized
that the first rule stopped triggering anymore.

On Wed, Nov 9, 2016 at 1:28 PM, Joel Esler (jesler) <jesler at ...589...>

> You can have duplicate SIDS.  The rule with the highest rev will override
> the lower rev rule, otherwise Snort will take the first rule it gets to,
> and ignore the other one.
> It’s been this way for several years.
> *--*
> *Joel Esler *| *Talos:* Manager | jesler at ...589...
> On Nov 9, 2016, at 1:19 PM, fatema bannatwala <fatema.bannatwala at ...13704......>
> wrote:
> Hi All,
> Just realized that I have two rules in my local.rules file with same sid,
> and snort works just fine!!
> I always had in my head that sids should have to be unique, but today when
> I was going through the local.rules file, I realized that someone from our
> team had created a new rule and assigned it a same sid that a previous rule
> had.
> I couldn't catch it before because snort was running just fine without any
> complains on duplicate sids.
> Have I missed this change in the current (or 2.9 version) of snort or is
> it something else?
> Quick points: I have local.rules enabled in snort.conf and pulled pork is
> not modifying anything regarding local rules so they should get loaded as
> it is, and above all I am getting alerts for one of the rules having
> duplicate sid, but no alerts for the other rule having same sid.
> Snort version -
> barnyard version - 2-1.9
> pulledpork - 0.7.0
> Thanks,
> Fatema.
> ------------------------------------------------------------
> ------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi_______
> ________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161109/bdb83939/attachment.html>

More information about the Snort-users mailing list