Snort mailing list archives

Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2

From: Matt Olney <molney () sourcefire com>
Date: Wed, 10 Mar 2010 15:19:04 -0500

er......I'd get in the source code and muck around.

But honestly, this is silly.  Don't do this.

Matt

On Wed, Mar 10, 2010 at 9:59 AM, bai haoquan <baihaoquan () gmail com> wrote:

Hi,
I had already update my snort from 2.6.1 to 2.8.5.2, my old snort is used in
a web project, and in this project, the user's rules is generated
automatically. In these rules, there are some rules with the same sid, for
example :

    alert TCP 192.168.123.110 any -> 192.168.123.113 1111 (msg:"tcp";
content:"tcp";sid:1000001;)
    alert UDP 192.168.123.110 any -> 192.168.123.113 1234 (msg:"udp";
content:"udp";sid:1000001;)
these rules cause errors in the new version 2.8.5.2 when start the snort but
not in the old version 2.6.1. Of cause I know that  I should make the rules
generate different sid (1000001, 1000002 ...), but now for some reasons
difficult to do this, I want to know if there are some way to make "the same
sid in rules" also work, and not cause errors in the version
2.8.5.2,  please help me to fix this problem if there is someway to do this.
Tkank you very much.

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2 bai haoquan (Mar 10)
- Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2 Joel Esler (Mar 10)
- Re: The same GID and SID in rule duplicates previous rule in Snort-2.8.5.2 Matt Olney (Mar 10)