Snort mailing list archives

massive amounts of "duplicate previous rule. Ignoring old rule"


From: Document Retention <document.retention () gmail com>
Date: Fri, 5 Mar 2010 13:14:53 -0500

Hello All,

After adding Snort so_rules to my snort.conf I am getting massive amounts of
this:

...
/etc/snort/rules/so_rules/web-client.rules(103): GID 3 SID 13469 in rule duplicates previous rule. Ignoring old rule.
/etc/snort/rules/so_rules/web-client.rules(104): GID 3 SID 13466 in rule duplicates previous rule. Ignoring old rule.
/etc/snort/rules/so_rules/web-client.rules(105): GID 3 SID 13569 in rule duplicates previous rule. Ignoring old rule.
/etc/snort/rules/so_rules/web-client.rules(106): GID 3 SID 13457 in rule duplicates previous rule. Ignoring old rule.
...

Is this normal?

Also... I had to comment out:

so_rules/bad-traffic.rules
so_rules/dos.rules

Since I was getting the error message:

ERROR: /etc/snort/rules/so_rules/bad-traffic.rules(8) threshold (in rule): could not create threshold - only one per sig_id=15474.
Fatal Error, Quitting..

When I look for SID 15474 in both the *rules* and *so_rules* directories I
only find one rule with this SID (in so_rules/bad-traffic.rules).

Any help is appreciated greatly...

Thanks,
~Doc