[Snort-sigs] [Emerging-Sigs] Multiple rule issues after upgrade
james.lay at ...3513...
Wed Dec 29 10:51:00 EST 2010
Thanks for the quick responses all. I extracted both snortrules-snapshot-2901 and latest emerging-threats files, nuked all rules files from my snort dir, copied the latest rules files, then completed redid my rules section in my snort.conf file. All is running good now…thanks again…guess it pays to clean these out every so often.
From: Matthew Jonkman [mailto:jonkman at ...829...]
Sent: Wednesday, December 29, 2010 8:44 AM
To: Lay, James
Cc: <emerging-sigs at ...3335...>; <snort-sigs at lists.sourceforge.net>
Subject: Re: [Emerging-Sigs] Multiple rule issues after upgrade
Dec 29 08:12:01 10.21.10.2 snort: FATAL ERROR: /usr/local/etc/snort/rules/porn.rules(24) Unknown ClassType: kickass-porn
You're using the VRT porn rules, you need to add their classifications in there too then.
Dec 29 08:13:42 10.21.10.2 snort: FATAL ERROR: /usr/local/etc/snort/rules/emerging-botcc.rules(41) threshold (in rule): could not create threshold - only one per sig_id=2404000.
Dec 29 08:15:27 10.21.10.2 snort: FATAL ERROR: /usr/local/etc/snort/rules/emerging-compromised.rules(49) threshold (in rule): could not create threshold - only one per sig_id=2500000.
Dec 29 08:23:54 10.21.10.2 snort: FATAL ERROR: /usr/local/etc/snort/rules/emerging-drop.rules(41) threshold (in rule): could not create threshold - only one per sig_id=2400000.
Dec 29 08:24:20 10.21.10.2 snort: FATAL ERROR: /usr/local/etc/snort/rules/emerging-rbn.rules(44) threshold (in rule): could not create threshold - only one per sig_id=2406000.
Dec 29 08:24:34 10.21.10.2 snort: FATAL ERROR: /usr/local/etc/snort/rules/emerging-tor.rules(44) threshold (in rule): could not create threshold - only one per sig_id=2520000.
These are all likely because of the duped tor and rbn rulesets in the Dir. Can you clear it and update?
I’ve had to disable the above rulesets to get snort running again, which is not a really great option currently. Using the latest 2.9.0 ET rules, and registered 18.104.22.168 snort ruleset.
You'll have signature double coverage going this way. Highly recommend using one or the other.
IT Security Analyst
650 N Armstrong Pl.
Boise, Idaho 83704
Emerging-sigs mailing list
Emerging-sigs at ...3335...
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs