[Snort-users] [Snort-sigs] Snort down

James Lay jlay at ...13475...
Wed Jun 15 08:49:42 EDT 2016


Ya good call...Waldo is on the right track.
James
On Wed, 2016-06-15 at 08:38 -0400, wkitty42 at ...14940... wrote:
> On 06/15/2016 04:47 AM, ARUN LAL wrote:
> > 
> > =====================
> > ERROR: /etc/snort/rules/snort.rules(6053) threshold (in rule):
> > could not
> > create threshold - only one per sig_id=2014141.
> > =====================
> > After uncommenting the rule in snort.rule the snort service is
> > running fine.
> > 
> >             *Why it happens always?? Can some explain it to me?*
> it appears that that rule has in-rule thresholding
> (detection_filter:track 
> by_src, count 10, seconds 60;) and you are trying to threshold it
> again in 
> threshold.conf?? you cannot threshold already thresholded rules... if
> you want 
> to threshold it in threshold.conf, you have to remove the
> thresholding from the 
> rule itself...
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20160615/0a96eb25/attachment.html>


More information about the Snort-users mailing list