[Snort-users] Preprocessor and decoder rules

Joel Esler jesler at ...1935...
Mon May 7 17:23:16 EDT 2012


If you are using pulledpork, they are probably in your snort.rules file.

On May 7, 2012, at 12:29 PM, Jefferson, Shawn wrote:

> Hi,
>  
> I’m trying to use the pre-processor and decoder rule files to comment out some of the pre-processer and decoder rules I’m not interested in seeing alerts for.  I compiled with –enable-sourcefire and the rules are being loaded in my snort.conf.  However, during the load of snort I am getting these messages (for each GID/SID):
>  
> WARNING: /etc/snort/rules/preprocessor.rules(2) GID 105 SID 1 in rule duplicates previous rule. Ignoring old rule.#012
>  
> So, what am I doing wrong?  Commenting out the rules doesn’t work, since it seems they are being defined somewhere else.
>  
>  
>  
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond. Discussions 
> will include endpoint security, mobile security and the latest in malware 
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!





More information about the Snort-users mailing list