<html><head></head><body><div>Ya good call...Waldo is on the right track.</div><div><br></div><div>James</div><div><br></div><div>On Wed, 2016-06-15 at 08:38 -0400, wkitty42@...14940... wrote:</div><blockquote type="cite"><pre>On 06/15/2016 04:47 AM, ARUN LAL wrote:
ERROR: /etc/snort/rules/snort.rules(6053) threshold (in rule): could not
create threshold - only one per sig_id=2014141.
After uncommenting the rule in snort.rule the snort service is running fine.
*Why it happens always?? Can some explain it to me?*
it appears that that rule has in-rule thresholding (detection_filter:track
by_src, count 10, seconds 60;) and you are trying to threshold it again in
threshold.conf?? you cannot threshold already thresholded rules... if you want
to threshold it in threshold.conf, you have to remove the thresholding from the