Re: Duplicate rules & rule parser

[Joel Esler <jesler () sourcefire com>]

On Oct 22, 2013, at 10:26 AM, Anshuman Anil Deshmukh <anshuman () cybage com> wrote:

> Hi,
>  
> There are many SID’s that are duplicated. See this extract (http://pastebin.com/jKpBXLdv) taken from the snort output 
> using –T switch.
>  

Looks like you are using the community ruleset and the registered/subscriber set at the same time (nothing wrong with 
this).

Duplicate SIDS will be found if you are using the community ruleset and the registered/subscriber set, as the community 
ruleset is inside the subscriber (and thusly the registered set) set.  Snort will always take the highest rev of a rule 
upon start up, and community may be more up to date than the subscriber/registered pack since the community ruleset is 
cut daily, whereas the other set is at least twice-a-week.

So what you are seeing is correct.

Here is a bit more information on the community ruleset:
http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html

and here is where it is:

http://www.snort.org/snort-rules/#community

Thanks

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!