Home page logo
/

snort logo Snort mailing list archives

Re: [Emerging-Sigs] Multiple rule issues after upgrade
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 29 Dec 2010 08:51:00 -0700

Thanks for the quick responses all.  I extracted both snortrules-snapshot-2901 and latest emerging-threats files, nuked 
all rules files from my snort dir, copied the latest rules files, then completed redid my rules section in my 
snort.conf file.  All is running good now…thanks again…guess it pays to clean these out every so often.

 

James

 

From: Matthew Jonkman [mailto:jonkman () jonkmans com] 
Sent: Wednesday, December 29, 2010 8:44 AM
To: Lay, James
Cc: <emerging-sigs () emergingthreats net>; <snort-sigs () lists sourceforge net>
Subject: Re: [Emerging-Sigs] Multiple rule issues after upgrade

 

 

        See below:

         

        Dec 29 08:12:01 10.21.10.2 snort[21149]: FATAL ERROR: /usr/local/etc/snort/rules/porn.rules(24) Unknown 
ClassType: kickass-porn

 

 

You're using the VRT porn rules, you need to add their classifications in there too then.



Dec 29 08:13:42 10.21.10.2 snort[21166]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-botcc.rules(41) threshold (in 
rule): could not create threshold - only one per sig_id=2404000.

Dec 29 08:15:27 10.21.10.2 snort[21171]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-compromised.rules(49) 
threshold (in rule): could not create threshold - only one per sig_id=2500000.

Dec 29 08:23:54 10.21.10.2 snort[21222]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-drop.rules(41) threshold (in 
rule): could not create threshold - only one per sig_id=2400000.

Dec 29 08:24:20 10.21.10.2 snort[21224]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-rbn.rules(44) threshold (in 
rule): could not create threshold - only one per sig_id=2406000.

Dec 29 08:24:34 10.21.10.2 snort[21226]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-tor.rules(44) threshold (in 
rule): could not create threshold - only one per sig_id=2520000.

 

 

These are all likely because of the duped tor and rbn rulesets in the Dir. Can you clear it and update?



I’ve had to disable the above rulesets to get snort running again, which is not a really great option currently.  Using 
the latest 2.9.0 ET rules, and registered 2.9.0.1 snort ruleset.

 

 

You'll have signature double coverage going this way. Highly recommend using one or the other.

 

Matt





James Lay

IT Security Analyst

WinCo Foods

208-672-2014 Office

208-559-1855 Cell

650 N Armstrong Pl.

Boise, Idaho 83704

 

        _______________________________________________
        Emerging-sigs mailing list
        Emerging-sigs () emergingthreats net
        http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
        
        Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
        The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault