Snort mailing list archives

Re: Pulledpork error


From: Shirkdog <shirkdog () gmail com>
Date: Thu, 1 Oct 2015 23:35:10 -0400

That is a duplicate rule. I would make sure you have a fresh ruleset first,
then see how pulledpork runs.

If it is still an issue, open a ticket on github for it.
On Oct 1, 2015 10:36 PM, <xinland66 () gmail com> wrote:

I used Pulledpork 0.7.2 with the "-k" option to put rules in separate
files. I use etpro rules.
When I ran Pulledpork the second time, I got the following error. It seems
the second run added duplicate entries. How does Pulledpork work? Does it
add the difference only? Do I need to remove the existing rules before
running Pulledpork?


FATAL ERROR: /etc/snort/rules/ET-attack_response.rules(164) threshold (in rule): could not create threshold - only one per sig_id=2011668.

[root@]# grep 2011668 /etc/snort/rules/ET-attack_response.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; flow:to_server,established; content:"?action=getData&servicePort="; http_uri; content:"Java/"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.sensepost.com/labs/tools/pentest/reduh; reference:url,doc.emergingthreats.net/2011668; classtype:trojan-activity; sid:2011668; rev:6;)

Thanks,
KL
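
As an added check (example code, not from this thread or from PulledPork): a Python script that walks a Snort rules file, joins backslash-continued lines, and reports every sid defined more than once, which is what produces the "only one per sig_id" fatal error quoted above, plus a dedupe that keeps the first copy of each sid. SAMPLE_RULES is a constructed file built from the rule quoted in the post with its content options shortened; the reported line numbers are the ones Snort prints in its error.

```python
import re
from collections import defaultdict

SAMPLE_RULES = """\
# constructed sample, not a real ruleset: the quoted rule twice plus one unique rule
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; \\
    flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; sid:2011668; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET ATTACK_RESPONSE Backdoor reDuh http tunnel"; \\
    flow:to_server,established; threshold:type limit, track by_src, count 1, seconds 300; sid:2011668; rev:6;)
alert tcp any any -> any any (msg:"constructed unique rule"; sid:9000001; rev:1;)
"""

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')  # the sid option inside a rule body

def iter_rules(text):
    """Yield (start_line, rule) per rule; start_line is the number Snort reports."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not buf:                        # first line of a new rule
            if not line.strip() or line.lstrip().startswith('#'):
                continue                   # skip blanks and comments
            start = lineno
        if line.endswith('\\'):            # rule continues on the next line
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf)
        buf = []

def find_duplicate_sids(text):
    """Return {sid: [start lines]} for every sid defined more than once."""
    seen = defaultdict(list)
    for lineno, rule in iter_rules(text):
        m = SID_RE.search(rule)
        if m:
            seen[int(m.group(1))].append(lineno)
    return {s: l for s, l in seen.items() if len(l) > 1}

def dedupe_rules(text):
    """Keep the first rule per sid; return (kept_rules, dropped_start_lines)."""
    kept, dropped, seen = [], [], set()
    for lineno, rule in iter_rules(text):
        m = SID_RE.search(rule)
        key = m.group(1) if m else None    # rules without a sid are never dropped
        if key is not None and key in seen:
            dropped.append(lineno)
        else:
            seen.add(key)
            kept.append(rule)
    return kept, dropped
```

Running find_duplicate_sids over each file in the rules directory before restarting Snort catches this condition ahead of the fatal error; as the reply says, starting from a fresh ruleset remains the fix for how the duplicates got there.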


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
