Snort mailing list archives
Re: Pulledpork error
From: Shirkdog <shirkdog () gmail com>
Date: Thu, 1 Oct 2015 23:35:10 -0400
That is a duplicate rule. I would make sure you have a fresh ruleset first, then see how pulledpork runs. If it is still an issue, open a ticket on github for it.

On Oct 1, 2015 10:36 PM, <xinland66 () gmail com> wrote:

I used Pulledpork 0.7.2 with the "-k" option to put rules in separate files. I use etpro rules. When I ran Pulledpork the second time, I got the following error. It seems the second time added duplicate entries. How does Pulledpork work? Does it add the difference only? Do I need to remove the existing rules before running Pulledpork?

FATAL ERROR: /etc/snort/rules/ET-attack_response.rules(164) threshold (in rule): could not create threshold - only one per sig_id=2011668.

[root@]# grep 2011668 /etc/snort/rules/ET-attack_response.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url, doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url, doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)

Thanks,
KL

------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
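A check for the duplicate-rule condition identified in the reply above, as an added example (not part of the original thread and not PulledPork's own code): it reports every sid that appears in more than one active rule, with file and line, which is what `grep` showed by hand for sid 2011668. It assumes one rule per line; the rule template, `example.test` URL and sid 1000001 are constructed sample data.

```python
import re
import sys
from collections import defaultdict

# sid/rev are matched only where they start an option (after '(' or ';'), so
# digits inside reference: URLs such as .../2011668 are not mistaken for a sid.
SID_RE = re.compile(r'[(;]\s*sid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'[(;]\s*rev\s*:\s*(\d+)\s*;')
ACTIVE_RE = re.compile(r'^(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s')

def find_duplicate_sids(files):
    """files maps filename -> rule file text. Returns, for each sid used by more
    than one active rule, a list of (filename, line, rev, same_text_as_first)."""
    seen = defaultdict(list)
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            rule = line.strip()
            if not ACTIVE_RE.match(rule):   # skips comments and disabled rules
                continue
            sid = SID_RE.search(rule)
            if sid is None:
                continue
            rev = REV_RE.search(rule)
            seen[int(sid.group(1))].append(
                (name, lineno, int(rev.group(1)) if rev else None, rule))
    return {sid: [(n, l, r, body == hits[0][3]) for n, l, r, body in hits]
            for sid, hits in seen.items() if len(hits) > 1}

# Constructed sample: a simplified rule template, not a real ET rule body.
RULE = ('alert tcp any any -> any any (msg:"%s"; '
        'reference:url,example.test/2011668; sid:%d; rev:%d;)')
SAMPLE = {"ET-attack_response.rules": "\n".join([
    RULE % ("dup", 2011668, 6),
    RULE % ("unrelated", 1000001, 1),    # constructed sid; URL digits ignored
    "# " + RULE % ("dup", 2011668, 6),   # commented out, so not counted
    RULE % ("dup", 2011668, 6),
])}

if __name__ == "__main__":
    # With arguments, check those rule files; otherwise run on the sample.
    files = {p: open(p, errors="replace").read() for p in sys.argv[1:]} or SAMPLE
    for sid, hits in sorted(find_duplicate_sids(files).items()):
        for name, lineno, rev, same in hits:
            print(f"sid {sid}: {name}:{lineno} rev={rev} identical={same}")
```

Entries flagged `identical=True` are byte-for-byte repeats of the first occurrence, as in the thread; `identical=False` means the same sid is carried by differing rule text or revisions.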