Snort mailing list archives

Re: Local rules with same sids and snort works!


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Wed, 9 Nov 2016 18:28:26 +0000

You can have duplicate SIDs. The rule with the highest rev will override the lower rev rule; otherwise Snort will take the first rule it gets to and ignore the other one.

It’s been this way for several years.


--
Joel Esler | Talos: Manager | jesler () cisco com

On Nov 9, 2016, at 1:19 PM, fatema bannatwala <fatema.bannatwala () gmail com> wrote:

Hi All,

Just realized that I have two rules in my local.rules file with the same sid, and snort works just fine!!
I always had in my head that sids should have to be unique, but today when I was going through the local.rules file, I realized that someone from our team had created a new rule and assigned it the same sid that a previous rule had.
I couldn't catch it before because snort was running just fine without any complaints about duplicate sids.

Have I missed this change in the current (or 2.9 version) of snort or is it something else?

Quick points: I have local.rules enabled in snort.conf and pulledpork is not modifying anything regarding local rules, so they should get loaded as is, and above all I am getting alerts for one of the rules having the duplicate sid, but no alerts for the other rule having the same sid.

Snort version - 2.9.8.3
barnyard version - 2-1.9
pulledpork - 0.7.0

Thanks,
Fatema.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
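
A check for the situation in this thread, as an added example (not code from the list or from Snort): it scans a rules file for reused sids and reports which rule should load under the behaviour described in the reply above (highest rev wins, otherwise the first rule read). The sample rules are constructed; keying on gid as well as sid, the gid default of 1 and treating a missing rev as 0 are assumptions.

```python
import re
from collections import defaultdict

SAMPLE_RULES = r'''
# local.rules (constructed sample, not from the thread)
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 23 (msg:"Telnet connection attempt"; sid:1000001; rev:3;)
alert udp any any -> $HOME_NET 53 (msg:"DNS query seen"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP seen"; sid:1000003; rev:2;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP connection attempt"; \
    sid:1000003; rev:2;)
'''.lstrip()

# One pattern per numeric rule option; each must start an option, i.e. follow "(" or ";".
OPT = {k: re.compile(r'[(;]\s*%s\s*:\s*(\d+)\s*;' % k) for k in ("gid", "sid", "rev")}

def parse_rules(text):
    """Return one dict (line, gid, sid, rev) per active rule; joins backslash continuations."""
    rules, buf, start = [], "", 0
    for n, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = n                      # first physical line of this rule
        buf += line.strip()
        if buf.endswith("\\"):             # rule continues on the next line
            buf = buf[:-1] + " "
            continue
        rule, buf = buf, ""
        if not rule or rule.startswith("#"):
            continue                       # blank line or commented-out rule
        m = {k: rx.search(rule) for k, rx in OPT.items()}
        if m["sid"]:
            # Assumptions: gid defaults to 1 for text rules; a missing rev is treated as 0.
            rules.append({"line": start, "sid": int(m["sid"].group(1)),
                          "gid": int(m["gid"].group(1)) if m["gid"] else 1,
                          "rev": int(m["rev"].group(1)) if m["rev"] else 0})
    return rules

def duplicate_sids(rules):
    """Map each reused (gid, sid) to the line expected to load and the lines expected to be ignored."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["gid"], r["sid"])].append(r)
    report = {}
    for key, grp in groups.items():
        winner = max(grp, key=lambda r: r["rev"])   # highest rev; first rule seen on a tie
        if len(grp) > 1:
            report[key] = {"winner": winner["line"],
                           "ignored": [r["line"] for r in grp if r is not winner]}
    return report

print(duplicate_sids(parse_rules(SAMPLE_RULES)))
```

To lint a real file, pass its contents to `parse_rules()` and fail the deployment step when `duplicate_sids()` returns a non-empty report.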
