[Snort-sigs] Bleeding rules virus and threshold issue

James Lay jlay at ...2844...
Mon Feb 21 16:20:06 EST 2005


The latest bleeding-rules.tar.gz has:

[17:14:02 jlay at ...2996...:~/temp/rules$] ls -l
total 364
-rw-r--r--  1 jlay users  7981 Feb 21 14:07 bleeding-attack_response.rules
-rw-r--r--  1 jlay users 10341 Feb 21 14:07 bleeding-custom.rules
-rw-r--r--  1 jlay users  5367 Feb 21 14:07 bleeding-dos.rules
-rw-r--r--  1 jlay users 35208 Feb 21 14:07 bleeding-exploit.rules
-rw-r--r--  1 jlay users  6170 Feb 21 14:07 bleeding-inappropriate.rules
-rw-r--r--  1 jlay users 92935 Feb 21 14:07 bleeding-malware.rules
-rw-r--r--  1 jlay users  9530 Feb 21 14:07 bleeding-p2p.rules
-rw-r--r--  1 jlay users 31019 Feb 21 14:07 bleeding-policy.rules
-rw-r--r--  1 jlay users  5856 Feb 21 14:07 bleeding-scan.rules
-rw-r--r--  1 jlay users 72015 Feb 21 14:07 bleeding-sid-msg.map
-rw-r--r--  1 jlay users 46488 Feb 21 14:07 bleeding-virus.rules
-rw-r--r--  1 jlay users 15317 Feb 21 14:07 bleeding-web.rules
-rw-r--r--  1 jlay users  2117 Feb 21 14:07 bleeding.rules

Didn't see an *all* rules file, so I don't think that's my issue.  Thanks
though =)

James


-----Original Message-----
From: Frank Knobbe [mailto:frank at ...1978...]
Sent: Monday, February 21, 2005 10:22 AM
To: James Lay
Cc: 'Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Bleeding rules virus and threshold issue


On Mon, 2005-02-21 at 10:27 -0500, Matt Jonkman wrote:
> Do you have the ruleset mentioned twice in your snort.conf?
> 
> Snort will load it twice if you do.

Make sure you either include bleeding-all.rules OR the other
bleeding-*.rules, but not both. If you include all separate rules AND
bleeding-all.rules, you will include all bleeding rules twice.

Regards,
Frank
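
Added example (not part of the original thread, and not Snort or Bleeding Snort project code): one way to check for the double-load condition described above is to walk the include lines of snort.conf and report any sid that ends up defined more than once. The config text, rule contents, /etc/snort/rules path and sid values below are constructed for illustration.

```python
import re
from collections import defaultdict

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def included_rule_files(conf_text):
    """Return paths from 'include' lines in order, expanding 'var' definitions."""
    variables, files = {}, []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # drop snort.conf comments
        if m := VAR_RE.match(line):
            variables[m.group(1)] = m.group(2)
        elif m := INCLUDE_RE.match(line):
            expand = lambda v: variables.get(v.group(1), v.group(0))
            files.append(re.sub(r"\$(\w+)", expand, m.group(1)))
    return files

def duplicate_sids(conf_text, read_file):
    """Map each sid loaded more than once to the files it was loaded from."""
    seen = defaultdict(list)
    for path in included_rule_files(conf_text):
        for line in read_file(path).splitlines():
            if line.lstrip().startswith("#"):  # disabled rule
                continue
            if m := SID_RE.search(line):
                seen[int(m.group(1))].append(path)
    return {sid: paths for sid, paths in seen.items() if len(paths) > 1}

# Constructed sample input: one category file plus the combined file.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
include $RULE_PATH/bleeding-virus.rules
include $RULE_PATH/bleeding-all.rules   # also contains the virus rules
"""
RULE = 'alert tcp any any -> any 25 (msg:"constructed rule {0}"; sid:{0}; rev:1;)\n'
SAMPLE_FILES = {
    "/etc/snort/rules/bleeding-virus.rules": RULE.format(9000001),
    "/etc/snort/rules/bleeding-all.rules": RULE.format(9000001) + RULE.format(9000002),
}

if __name__ == "__main__":
    for sid, paths in duplicate_sids(SAMPLE_CONF, SAMPLE_FILES.__getitem__).items():
        print(f"sid {sid} loaded {len(paths)} times: {', '.join(paths)}")
```

Against a real configuration, pass a read_file callable that opens the path on disk; a file listed on two include lines is reported the same way, with the same path appearing twice.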




