RE: [Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003

From: Belthrop, Tony <tony.belthrop(at)Peopleclick.com>
Date: Fri Feb 14 2003 - 09:20:50 EST

Why is it that every time I try to add a sig that snort won't run? I crete the xxxx.rules file, and then edit the snort.conf file to add the # include $RULE_PATH/xxxx.rules.... I am missing a step here? The snort will not start on the sensors unless I go back and comment the new include line in the snort.conf file.

Thanks

-----Original Message-----
From: Brian [mailto:bmc@snort.org]
Sent: Monday, February 10, 2003 10:07 AM To: Michael.Advani@Asia.ING.com
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003

On Mon, Feb 10, 2003 at 05:12:16PM +0800, Michael.Advani@Asia.ING.com wrote:
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer

> sid:9998; rev:1;)

> reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer

> How come there are so many versions ? Though the header part is
> identical, the 'meat' is totally different !

Because one is an "official" rule, the others are not. (sid:2003 is the official rule, in case you didn't notice...)

-brian

---

This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

---

This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
http://thinkgeek.com/sf

---

Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs Received on Sat Feb 15 09:30:24 2003