Snort mailing list archives

Pulledpork error


From: xinland66 () gmail com
Date: Thu, 1 Oct 2015 22:34:08 -0400

I used Pulledpork 0.7.2 with the "-k" option to put rules in separate files. I use etpro rules.
When I ran Pulledpork the second time, I got the following error. It seems the second time added duplicate entries. How 
does Pulledpork work? Does it add the difference only? Do I need to remove the existing rules before running Pulledpork?


FATAL ERROR: /etc/snort/rules/ET-attack_response.rules(164) threshold (in rule): could not create threshold - only one per sig_id=2011668.

[root@]# grep 2011668 /etc/snort/rules/ET-attack_response.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)

Thanks,
KL
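The error above is Snort refusing to load because the same gid:sid pair occurs twice in an active rule, and the rule's own threshold keyword may only be bound to one signature. A quick way to catch that before restarting Snort (whatever the rule manager did to the files) is to scan the rules directory for repeated sids. The script below is an added example written for this archive page, not part of PulledPork or Snort; it joins backslash-continued lines, skips commented-out rules, keys on gid:sid (gid defaults to 1 as in Snort), and reports whether the copies are byte-identical (the situation in the post) or differ in text/rev. The embedded sample file contents are constructed from the two rule lines quoted above plus one unrelated rule.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample standing in for /etc/snort/rules/ET-attack_response.rules:
# the reDuh rule twice (as in the post), one commented-out rule, one unrelated rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)
# alert tcp any any -> any any (msg:"commented out, must be ignored"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)
alert tcp any any -> any any (msg:"constructed unrelated rule"; sid:1000002; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def iter_rules(text):
    """Yield (start_lineno, rule_text) for each active rule.

    Blank lines and '#'-commented rules are skipped; a trailing backslash
    continues the rule on the next line, as Snort's parser allows.
    """
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line; emit what we have
        yield start, " ".join(buf)


def find_duplicate_sids(files):
    """files: iterable of (name, text).

    Returns {(gid, sid): [(name, lineno, rev, rule_text), ...]} restricted to
    gid:sid pairs that occur more than once across all files.
    """
    seen = defaultdict(list)
    for name, text in files:
        for lineno, rule in iter_rules(text):
            sid_m = SID_RE.search(rule)
            if not sid_m:
                continue  # not a detection rule (e.g. a stray include/config line)
            gid_m = GID_RE.search(rule)
            rev_m = REV_RE.search(rule)
            gid = int(gid_m.group(1)) if gid_m else 1   # Snort default gid
            rev = int(rev_m.group(1)) if rev_m else 0
            seen[(gid, int(sid_m.group(1)))].append((name, lineno, rev, rule))
    return {key: entries for key, entries in seen.items() if len(entries) > 1}


def classify(entries):
    """'identical' if every copy has the same rule text, else 'conflicting'."""
    return "identical" if len({e[3] for e in entries}) == 1 else "conflicting"


def scan_directory(path):
    """Scan every *.rules file under path (hypothetical usage: /etc/snort/rules)."""
    files = [(str(p), p.read_text(errors="replace"))
             for p in sorted(Path(path).glob("*.rules"))]
    return find_duplicate_sids(files)


def main(argv):
    if len(argv) > 1:
        dups = scan_directory(argv[1])
    else:
        dups = find_duplicate_sids([("ET-attack_response.rules", SAMPLE_RULES)])
    for (gid, sid), entries in sorted(dups.items()):
        print(f"gid:{gid} sid:{sid} appears {len(entries)} times ({classify(entries)}):")
        for name, lineno, rev, _ in entries:
            print(f"  {name}:{lineno}  rev:{rev}")
    return 1 if dups else 0  # non-zero so it can gate a Snort restart in a script


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see it flag sid 2011668 in the embedded sample, or pass a rules directory (for example the `/etc/snort/rules` path from the post) to check real output; "identical" duplicates mean the same rule text was written twice, while "conflicting" ones point at an old revision left beside a new one.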
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!