[Snort-sigs] [Emerging-Sigs] Multiple rule issues after upgrade

Matthew Jonkman jonkman at ...829...
Wed Dec 29 10:44:29 EST 2010


> See below:
> 
>  
> 
> Dec 29 08:12:01 10.21.10.2 snort[21149]: FATAL ERROR: /usr/local/etc/snort/rules/porn.rules(24) Unknown ClassType: kickass-porn
> 


You're using the VRT porn rules; you need to add their classifications in there too, then.

> Dec 29 08:13:42 10.21.10.2 snort[21166]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-botcc.rules(41) threshold (in rule): could not create threshold - only one per sig_id=2404000.
> 
> Dec 29 08:15:27 10.21.10.2 snort[21171]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-compromised.rules(49) threshold (in rule): could not create threshold - only one per sig_id=2500000.
> 
> Dec 29 08:23:54 10.21.10.2 snort[21222]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-drop.rules(41) threshold (in rule): could not create threshold - only one per sig_id=2400000.
> 
> Dec 29 08:24:20 10.21.10.2 snort[21224]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-rbn.rules(44) threshold (in rule): could not create threshold - only one per sig_id=2406000.
> 
> Dec 29 08:24:34 10.21.10.2 snort[21226]: FATAL ERROR: /usr/local/etc/snort/rules/emerging-tor.rules(44) threshold (in rule): could not create threshold - only one per sig_id=2520000.
> 
>  
> 

These are all likely because of the duped tor and rbn rulesets in the dir. Can you clear it and update?

> I’ve had to disable the above rulesets to get snort running again, which is not a really great option currently.  Using the latest 2.9.0 ET rules, and registered 2.9.0.1 snort ruleset.
> 
>  
> 

You'll have signature double coverage going this way. Highly recommend using one or the other.

Matt

> James Lay
> IT Security Analyst
> WinCo Foods
> 208-672-2014 Office
> 208-559-1855 Cell
> 650 N Armstrong Pl.
> Boise, Idaho 83704
> 
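Added example, not part of the original message or of Snort or Emerging Threats tooling: a pre-flight check for the two startup failures in the log above, a `classtype` missing from classification.config and an in-rule `threshold` loaded more than once for the same sid. The function name, the sample rules, sid 1000001 and the file `copy-of-emerging-tor.rules` are constructed for illustration; one rule per line is assumed.

```python
import re
from collections import defaultdict

SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
CLASSTYPE = re.compile(r"\bclasstype\s*:\s*([\w-]+)\s*;")
THRESHOLD = re.compile(r"\bthreshold\s*:")
CLASS_DEF = re.compile(r"^\s*config\s+classification\s*:\s*([^,\s]+)\s*,", re.M)

# Constructed sample input (not real ruleset content).
SAMPLE_CLASSIFICATION = "config classification: misc-attack,Misc Attack,2\n"
_THRESH_RULE = ('alert ip [192.0.2.1] any -> $HOME_NET any (msg:"constructed"; '
                'threshold: type limit, track by_src, seconds 60, count 1; '
                'classtype:misc-attack; sid:%d; rev:1;)\n')
SAMPLE_RULES = {
    "porn.rules": 'alert tcp any any -> any any (msg:"constructed"; '
                  'classtype:kickass-porn; sid:1000001; rev:1;)\n',
    "emerging-botcc.rules": _THRESH_RULE % 2404000,
    "emerging-tor.rules": "# header comment\n" + _THRESH_RULE % 2520000,
    "copy-of-emerging-tor.rules": _THRESH_RULE % 2520000,  # duplicate ruleset
}

def lint_rules(rule_files, classification_config):
    """Return (unknown_classtypes, duplicate_threshold_sids).

    rule_files maps file name to file text; commented-out rules are skipped.
    """
    known = set(CLASS_DEF.findall(classification_config))
    unknown = []                         # (file, line_no, classtype)
    threshold_sids = defaultdict(list)   # sid -> [(file, line_no), ...]
    for name, text in sorted(rule_files.items()):
        for line_no, line in enumerate(text.splitlines(), 1):
            rule = line.strip()
            if not rule or rule.startswith("#"):
                continue
            ct = CLASSTYPE.search(rule)
            if ct and ct.group(1) not in known:
                unknown.append((name, line_no, ct.group(1)))
            sid = SID.search(rule)
            if sid and THRESHOLD.search(rule):
                threshold_sids[int(sid.group(1))].append((name, line_no))
    # A sid with an in-rule threshold must be loaded only once.
    dupes = {s: locs for s, locs in threshold_sids.items() if len(locs) > 1}
    return unknown, dupes

if __name__ == "__main__":
    unknown, dupes = lint_rules(SAMPLE_RULES, SAMPLE_CLASSIFICATION)
    for name, line_no, ct in unknown:
        print(f"{name}({line_no}) unknown classtype: {ct}")
    for sid, locs in dupes.items():
        print(f"sid {sid} has in-rule threshold in {len(locs)} places: {locs}")
```

Run against the real rules directory and classification.config, this shows which files to remove or which classifications to add before restarting Snort.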