Re: [Emerging-Sigs] Multiple rule issues after upgrade

[L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>]

It's a Christmas Miracle!  Glad to hear that WinCo Foods is protected
again.  I was worried there for a second that I wouldn't have a place
to securely get SPAM.

-L0rd C.

P.S. Please tell me the "Win" in "WinCo" has nothing to do with Windows. ;)

On Wed, Dec 29, 2010 at 9:51 AM, Lay, James <james.lay () wincofoods com> wrote:
> Thanks for the quick responses all.  I extracted both
> snortrules-snapshot-2901 and latest emerging-threats files, nuked all rules
> files from my snort dir, copied the latest rules files, then completed redid
> my rules section in my snort.conf file.  All is running good now…thanks
> again…guess it pays to clean these out every so often.
>
>
>
> James
>
>
>
> From: Matthew Jonkman [mailto:jonkman () jonkmans com]
> Sent: Wednesday, December 29, 2010 8:44 AM
> To: Lay, James
> Cc: <emerging-sigs () emergingthreats net>; <snort-sigs () lists sourceforge net>
> Subject: Re: [Emerging-Sigs] Multiple rule issues after upgrade
>
>
>
>
>
> See below:
>
>
>
> Dec 29 08:12:01 10.21.10.2 snort[21149]: FATAL ERROR:
> /usr/local/etc/snort/rules/porn.rules(24) Unknown ClassType: kickass-porn
>
>
>
>
>
> You're using the VRT porn rules, you need to add their classifications in
> there too then.
>
> Dec 29 08:13:42 10.21.10.2 snort[21166]: FATAL ERROR:
> /usr/local/etc/snort/rules/emerging-botcc.rules(41) threshold (in rule):
> could not create threshold - only one per sig_id=2404000.
>
> Dec 29 08:15:27 10.21.10.2 snort[21171]: FATAL ERROR:
> /usr/local/etc/snort/rules/emerging-compromised.rules(49) threshold (in
> rule): could not create threshold - only one per sig_id=2500000.
>
> Dec 29 08:23:54 10.21.10.2 snort[21222]: FATAL ERROR:
> /usr/local/etc/snort/rules/emerging-drop.rules(41) threshold (in rule):
> could not create threshold - only one per sig_id=2400000.
>
> Dec 29 08:24:20 10.21.10.2 snort[21224]: FATAL ERROR:
> /usr/local/etc/snort/rules/emerging-rbn.rules(44) threshold (in rule): could
> not create threshold - only one per sig_id=2406000.
>
> Dec 29 08:24:34 10.21.10.2 snort[21226]: FATAL ERROR:
> /usr/local/etc/snort/rules/emerging-tor.rules(44) threshold (in rule): could
> not create threshold - only one per sig_id=2520000.
>
>
>
>
>
> These are all likely because of the duped tor and rbn rulesets in the Dir.
> Can you clear it and update?
>
> I’ve had to disable the above rulesets to get snort running again, which is
> not a really great option currently.  Using the latest 2.9.0 ET rules, and
> registered 2.9.0.1 snort ruleset.
>
>
>
>
>
> You'll have signature double coverage going this way. Highly recommend using
> one or the other.
>
>
>
> Matt
>
> James Lay
>
> IT Security Analyst
>
> WinCo Foods
>
> 208-672-2014 Office
>
> 208-559-1855 Cell
>
> 650 N Armstrong Pl.
>
> Boise, Idaho 83704
>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () emergingthreats net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment, and, 
should the need arise, upgrade to a full multi-node Oracle RAC database 
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs