[Snort-sigs] Bleeding rules virus and threshold issue

James Lay jlay at ...2844...
Mon Feb 21 07:00:35 EST 2005


I thought the same thing so I grepped 2001578 in /etc/snort and

[07:58:07 jlay at ...2996...:/etc/snort$] grep 2001578 *
sid-msg.map:2001578 || BLEEDING-EDGE Sober.I Worm outbound detected
[07:58:17 jlay at ...2996...:/etc/snort$] cd rules
[07:58:26 jlay at ...2996...:/etc/snort/rules$] grep 2001578 *
bleeding-virus.rules:#alert tcp $HOME_NET any -> $EXTERNAL_NET 25
(msg:"BLEEDING-EDGE Sober *nuked the rest so I don't set off the rule* ;)

Any other thoughts?

-----Original Message-----
From: Matt Jonkman [mailto:matt at ...2436...]
Sent: Saturday, February 19, 2005 11:43 AM
To: James Lay
Cc: 'Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Bleeding rules virus and threshold issue

This isn't unusual, you can only have one threshold entry per sid. I'd 
guess you're loading the sigs twice for some reason? Maybe for dual http 
ports or smtp ports variables or something?

At any rate, if you remove the duplicate signatures this'll go away. if 
you need to run with several variables I'd recommend a second instance 
of snort with a a pcap expression limiting to just that port, and 
running just the rules relevant. Lots more efficient I think.


James Lay wrote:
> Hey folks!
> Just upgraded to 2.3.0 and here's what I get with 
> Feb 19 08:22:43 ns1 snort: FATAL ERROR: Rule-Threshold-Parse: could not
> create a threshold object -- only one per sid, sid = 2001578
> Feb 19 08:24:19 ns1 snort: FATAL ERROR: Rule-Threshold-Parse: could not
> create a threshold object -- only one per sid, sid = 2001573
> after nuking all entries in bleeding-virus.rules with "threshold: type
> limit" in them snort would fire up.  Any thoughts on this?
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Semper Vigilans!!!
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.

More information about the Snort-sigs mailing list