[Snort-users] massive amounts of "duplicate previous rule. Ignoring old rule"

Document Retention document.retention at ...11827...
Fri Mar 5 13:14:53 EST 2010


Hello All,

After adding Snort so_rules to my snort.conf I am getting massive amounts of
this:

...
/etc/snort/rules/so_rules/web-client.rules(103): GID 3 SID 13469 in rule
duplicates previous rule. Ignoring old rule.
/etc/snort/rules/so_rules/web-client.rules(104): GID 3 SID 13466 in rule
duplicates previous rule. Ignoring old rule.
/etc/snort/rules/so_rules/web-client.rules(105): GID 3 SID 13569 in rule
duplicates previous rule. Ignoring old rule.
/etc/snort/rules/so_rules/web-client.rules(106): GID 3 SID 13457 in rule
duplicates previous rule. Ignoring old rule.
...

Is this normal?

Also... I had to comment out:

so_rules/bad-traffic.rules
so_rules/dos.rules

since I was getting the error message:

ERROR: /etc/snort/rules/so_rules/bad-traffic.rules(8) threshold (in rule):
could not create threshold - only one per sig_id=15474.
Fatal Error, Quitting..

When I look for SID 15474 in both the *rules* and *so_rules* directories I
only find one rule with this SID (in so_rules/bad-traffic.rules).

Any help is appreciated greatly...

Thanks,
~Doc