[Emerging-Sigs] duplicate rules -- sort of...
r.fulton at auckland.ac.nz
Tue Sep 23 17:55:10 EDT 2014
On 24/09/2014, at 4:52 am, Francis Trudeau <ftrudeau at emergingthreats.net> wrote:
> Thanks for pointing that out.
> I am pretty sure we can make those into one sig. Or at least make
> them not flag on the same traffic.
Ah! My bad, I missed the one-character difference in the message! Yes, I would say combine them — if I really want to know which version, I will look at the payload!
> I am wondering why your ruleset has the Snort version rule for 2006435
> and the Suricata version for 2018689.
Good question! Again, it would appear to be a case of mea culpa. After carefully looking at the real rule file, I get the same results as you. Heaven knows where I pulled that from :(
Thanks, as always!