[Snort-users] Local Rule Error

Jones, Christopher (Chris) (Maj) cajones1 at ...17771...
Sun Feb 19 19:16:39 EST 2017


All,

I'm working on writing some simple local rules but Snort is giving me the error: "SID 5000001 in rule duplicates previous rule.  Ignoring old rule."

My local rule is this:

#-------------
# LOCAL RULES
#-------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULE-chmod command attempt"; content:"chmod"; sid:5000001; rev:1;)

It's the only local rule I'm using so I'm confused about the error.  I've seen "chmod" used in scripts and I'd like Snort to pull it out for me.  I'm not sure why other rules haven't picked up on it but I figure I can start to improve my rule writing with some basic string searches.

Thanks for your help.

Chris
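
A check for the condition the error message names, as an added example that is not part of the original post: it scans rule text for a gid/sid pair that is defined more than once and reports the file and line of each definition. The file names and the second rule file are constructed for illustration, and a rule with no gid option is treated as gid 1.

```python
import re
from collections import defaultdict

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')   # quoted option values (msg, content)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)")

# Constructed sample input: the rule file from the post plus a made-up second file.
LOCAL = '''#-------------
# LOCAL RULES
#-------------

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULE-chmod command attempt"; content:"chmod"; sid:5000001; rev:1;)
'''
EXTRA = '''# alert tcp any any -> any any (msg:"disabled"; sid:5000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed rule, mentions sid:5000002\\; in text"; \\
    content:"wget"; sid:5000001; rev:1;)
'''
SAMPLE = [("local.rules", LOCAL), ("extra.rules", EXTRA)]

def logical_rules(text):
    """Yield (start_line, rule) with backslash-continued lines joined."""
    buf, start = "", 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = lineno
        buf += line.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        yield start, buf.strip()
        buf = ""
    if buf.strip():
        yield start, buf.strip()

def find_duplicate_sids(rule_files):
    """rule_files: list of (name, text). Returns {(gid, sid): [(name, line), ...]}."""
    seen = defaultdict(list)
    for name, text in rule_files:
        for lineno, rule in logical_rules(text):
            if not rule or rule.startswith("#"):
                continue                      # blank or commented-out rule
            bare = QUOTED.sub('""', rule)     # ignore "sid:" inside msg/content
            sid = SID_RE.search(bare)
            if sid:
                gid = GID_RE.search(bare)
                key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
                seen[key].append((name, lineno))
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print(find_duplicate_sids(SAMPLE))
```
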