[Snort-users] massive amounts of "duplicate previous rule. Ignoring old rule"

Joel Esler jesler at ...1935...
Fri Mar 5 17:54:13 EST 2010


On Mar 5, 2010, at 1:14 PM, Document Retention wrote:

> After adding Snort so_rules to my snort.conf I am getting massive amounts of this:
> 
> ...
> /etc/snort/rules/so_rules/web-client.rules(103): GID 3 SID 13469 in rule duplicates previous rule. Ignoring old rule.
> /etc/snort/rules/so_rules/web-client.rules(104): GID 3 SID 13466 in rule duplicates previous rule. Ignoring old rule.
> /etc/snort/rules/so_rules/web-client.rules(105): GID 3 SID 13569 in rule duplicates previous rule. Ignoring old rule.
> /etc/snort/rules/so_rules/web-client.rules(106): GID 3 SID 13457 in rule duplicates previous rule. Ignoring old rule.
> ...
> 
> Is this normal?
> 
> Also... I had to comment out:
> 
> so_rules/bad-traffic.rules
> so_rules/dos.rules
> 
> Since I was getting the error message:
> 
> ERROR: /etc/snort/rules/so_rules/bad-traffic.rules(8) threshold (in rule): could not create threshold - only one per sig_id=15474.
> Fatal Error, Quitting..
> 
> When I look for SID 15474 in both the rules and so_rules directory I only find one rule with this SID (in so_rules/bad-traffic.rules).
> 
> Any help is appreciated greatly...

It looks like you may be loading the rules twice.  Otherwise this shouldn't happen.  

Joel
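
One way to check a configuration for the double loading suggested in the reply above. This is an added example, not part of the original thread and not Snort project code. It assumes Snort 2.x `var`/`include` syntax and one rule per line; the function names, the sample snort.conf fragment and the sample rules are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original post): a snort.conf fragment that
# reaches the same so_rules stub file through two different include lines.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
var SO_RULE_PATH /etc/snort/rules/so_rules
include $RULE_PATH/local.rules
include $SO_RULE_PATH/web-client.rules
include $RULE_PATH/so_rules/web-client.rules
"""
STUBS = (  # constructed stub rules; the second line is commented out
    'alert tcp any any -> any any (msg:"stub A"; sid:13469; gid:3; rev:1;)\n'
    '# alert tcp any any -> any any (msg:"off"; sid:13457; gid:3; rev:1;)\n'
    'alert tcp any any -> any any (msg:"stub B"; sid:13466; gid:3; rev:1;)\n')
SAMPLE_FILES = {  # constructed file contents keyed by resolved path
    "/etc/snort/rules/local.rules":
        'alert tcp any any -> any 80 (msg:"local"; sid:1000001; rev:1;)\n',
    "/etc/snort/rules/so_rules/web-client.rules": STUBS,
}

def resolved_includes(conf_text):
    """Return include paths in load order with $VAR references expanded."""
    variables, includes = {}, []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "var":
            variables[parts[1]] = parts[2]
        elif len(parts) == 2 and parts[0] == "include":
            expand = lambda m: variables.get(m.group(1), m.group(0))
            includes.append(re.sub(r"\$(\w+)", expand, parts[1]))
    return includes

def duplicate_rules(conf_text, files):
    """Map (gid, sid) -> ['path:line', ...] for IDs loaded more than once."""
    seen = defaultdict(list)
    for path in resolved_includes(conf_text):
        for lineno, line in enumerate(files.get(path, "").splitlines(), 1):
            sid = re.search(r"\bsid\s*:\s*(\d+)", line)
            if line.lstrip().startswith("#") or not sid:
                continue
            gid = re.search(r"\bgid\s*:\s*(\d+)", line)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
            seen[key].append(f"{path}:{lineno}")
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (gid, sid), where in sorted(duplicate_rules(SAMPLE_CONF, SAMPLE_FILES).items()):
        print(f"GID {gid} SID {sid} loaded {len(where)} times: {', '.join(where)}")
```

To run it against a real installation, read snort.conf and each resolved rule file from disk and pass their contents in place of the constructed samples.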