[Snort-sigs] Bleeding rules virus and threshold issue

James Lay jlay at ...2844...
Mon Feb 21 16:44:28 EST 2005


Ok so mystery solved.  First let's go with what we know:

1.  I suck =D
2.  It WAS in snort.conf twice.
3.  Reference #1 for any additional information =D

Thanks for the QUICKness of support that only open source can bring.  Thanks
again gentlemen!!

James

-----Original Message-----
From: James Lay [mailto:jlay at ...2844...]
Sent: Monday, February 21, 2005 5:41 PM
To: 'Frank Knobbe'
Cc: 'Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] Bleeding rules virus and threshold issue


Frank,

Yep...dig it:

[17:36:53 jlay at ...2996...:/etc/snort$] grep 2001578 *| wc -l
1
[17:37:02 jlay at ...2996...:/etc/snort$] cd rules
[17:37:05 jlay at ...2996...:/etc/snort/rules$] grep 2001578 *| wc -l
1
[17:37:06 jlay at ...2996...:/etc/snort/rules$]

In a word, ouchies.

James

-----Original Message-----
From: Frank Knobbe [mailto:frank at ...1978...]
Sent: Monday, February 21, 2005 5:33 PM
To: James Lay
Cc: 'Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] Bleeding rules virus and threshold issue


On Mon, 2005-02-21 at 17:33 -0700, James Lay wrote:
> FATAL ERROR: Rule-Threshold-Parse: could not create a threshold object --
> only one per sid, sid = 2001578

That's insane...

What does

  grep "sid:2001578" *|wc -l    

show? Only 1???
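
Added example, not part of the original thread: a shell check for the situation the thread ends on, where grep finds the sid in a single rule file yet Snort reports more than one threshold for it. It assumes "in snort.conf twice" means the same rules file was listed on two include lines; the file names, rule text and the helpers dup_includes and effective_sid_count are constructed for illustration.

```shell
#!/bin/sh
# Added example: why "grep sid | wc -l" can say 1 while Snort sees the sid twice.

# Print "<count> <target>" for every include target listed more than once.
dup_includes() {
    awk '$1 == "include" { n[$2]++ }
         END { for (f in n) if (n[f] > 1) print n[f], f }' "$1"
}

# Count how many times a sid is loaded once every include line is followed.
# $1 = snort.conf, $2 = value to substitute for $RULE_PATH, $3 = sid
effective_sid_count() {
    total=0
    for f in $(awk '$1 == "include" { print $2 }' "$1"); do
        case $f in
            '$RULE_PATH'/*) path=$2/${f#'$RULE_PATH'/} ;;
            *)              path=$f ;;
        esac
        [ -f "$path" ] || continue
        hits=$(grep -c "sid:[[:space:]]*$3;" "$path" || true)
        total=$((total + hits))
    done
    echo "$total"
}

# Constructed sample layout (not the poster's real files).
demo=$(mktemp -d)
mkdir "$demo/rules"
cat > "$demo/snort.conf" <<'EOF'
var RULE_PATH rules
include $RULE_PATH/example-virus.rules
include $RULE_PATH/example-other.rules
include $RULE_PATH/example-virus.rules
EOF
cat > "$demo/rules/example-virus.rules" <<'EOF'
alert tcp any any -> any 25 (msg:"constructed rule"; threshold: type limit, track by_src, count 1, seconds 60; sid:2001578; rev:1;)
EOF
cat > "$demo/rules/example-other.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed rule 2"; sid:9000001; rev:1;)
EOF

echo "files containing the sid: $(grep -l 'sid:2001578' "$demo"/rules/* | wc -l)"
echo "times Snort loads it:     $(effective_sid_count "$demo/snort.conf" "$demo/rules" 2001578)"
echo "duplicate includes:       $(dup_includes "$demo/snort.conf")"
```

Counting matching lines per file cannot reveal this case, because the rule text exists once on disk; only following the include lines shows the second load.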



