[Emerging-Sigs] duplicate rules -- sort of...

Russell Fulton r.fulton at auckland.ac.nz
Tue Sep 23 17:55:10 EDT 2014


On 24/09/2014, at 4:52 am, Francis Trudeau <ftrudeau at emergingthreats.net> wrote:

> Thanks for pointing that out.
> 
> I am pretty sure we can make those into one sig.  Or at least make
> them not flag on the same traffic.
> 

Ah! My bad, I missed the one-character difference in the message!  Yes, I would say combine them — if I really want to know which version, I will look at the payload!

> I am wondering why your ruleset has the Snort version rule for 2006435
> and the Suricata version for 2018689.
> 
Good question!  Again it would appear to be a case of mea culpa.  After carefully looking at the real rule file I get the same results as you.  Heaven knows where I pulled that from :(

Thanks, as always!

Russell 


