Snort mailing list archives

Re: FATAL ERROR - Preproc Rule Help - rule duplicates


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Wed, 25 May 2016 17:50:49 +0000

The Snorby UI is outside our scope so maybe someone else can chime in.

Putting the # in front of the rule disables it. Snort will have to be restarted for the changes to take effect.

Good luck.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matthew White [mailto:on3moda () gmail com]
Sent: Wednesday, May 25, 2016 1:27 PM
To: Al Lewis (allewi)
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] FATAL ERROR - Preproc Rule Help - rule duplicates

Line 29
pass ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; reference:bugtraq,22791; reference:cve,2010-3281; reference:bugtraq,43338; reference:cve,2011-5007; )

When I put # in front of it, it was still showing in Snorby.

On Wed, May 25, 2016 at 11:24 AM, Al Lewis (allewi) <allewi () cisco com> wrote:
What does line 29 in your preprocessor.rules file look like?

To disable the rule you need to put a ‘#’ in front of the line.



Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Matthew White [mailto:on3moda () gmail com]
Sent: Wednesday, May 25, 2016 12:18 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] FATAL ERROR - Preproc Rule Help - rule duplicates

I am trying to tune Snort at the processor level in the flow before info is processed to lighten the CPU usage.

Steps I have tried, to no avail:
1. Commenting the rule out using #.
2. Changing alert to pass, which results in the following error.

FATAL ERROR: /etc/snort/preproc_rules/preprocessor.rules(29) GID 119 SID 15 in rule duplicates previous rule, with different type.

Instructions I am following

https://www.snort.org/faq/readme-decoder_preproc_rules

Is there something else I am missing?

Thanks,

Matthew
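As an added example (not from the thread and not Snort's own code), here is a small Python check that reads a preprocessor.rules-style file the way Snort's loader treats it for the error above: lines starting with '#' are ignored, and a GID:SID pair that appears twice with different actions (alert and pass, the exact situation in the error) is reported before you restart the sensor. It assumes the header-less "action ( options )" form that decoder/preprocessor rules use and backslash line continuation; the sample file is constructed, and the CONSTRUCTED_EXAMPLE rule with SID 9999 is a placeholder, not a real Snort rule.

```python
import re

# Header-less rule form used by decoder/preprocessor rules: "<action> ( options )"
RULE_RE = re.compile(
    r'^\s*(?P<action>alert|pass|drop|sdrop|log|reject)\s*\((?P<body>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)')

# Constructed sample file; the 119:15 rule text is the one quoted in the thread.
BROKEN = """\
# constructed example preprocessor.rules
alert ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; classtype:bad-unknown; reference:cve,2007-0774; )
pass ( msg: "HI_CLIENT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc, service http ; \\
    classtype:bad-unknown; reference:cve,2007-0774; )
# constructed placeholder rule, commented out
# alert ( msg: "CONSTRUCTED_EXAMPLE"; sid: 9999; gid: 119; rev: 1; )
alert ( msg: "CONSTRUCTED_EXAMPLE"; sid: 9999; gid: 119; rev: 1; )
"""

# Same file with the original alert line disabled by a leading '#', leaving only the pass rule.
FIXED = BROKEN.replace('\nalert ( msg: "HI_CLIENT', '\n# alert ( msg: "HI_CLIENT', 1)


def logical_lines(text):
    """Yield (first_line_number, joined_text); a trailing backslash continues a rule onto the next line."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith('\\'):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, ''.join(buf)
        buf, start = [], None
    if buf:
        yield start, ''.join(buf)


def parse_rules(text):
    """Return [(lineno, action, gid, sid)] for active rules; '#' lines are skipped, as Snort skips them."""
    rules = []
    for n, line in logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = RULE_RE.match(stripped)
        if not m:
            continue
        sid = SID_RE.search(m.group('body'))
        gid = GID_RE.search(m.group('body'))
        if not sid:
            continue
        # Snort's default GID is 1 when none is given.
        rules.append((n, m.group('action'), int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return rules


def find_conflicts(rules):
    """A GID:SID seen twice with a different action is what Snort reports as a fatal duplicate."""
    first, conflicts = {}, []
    for n, action, gid, sid in rules:
        prev = first.setdefault((gid, sid), (n, action))
        if prev[1] != action:
            conflicts.append((n, gid, sid, prev[1], action))
    return conflicts


def check(text, path='preprocessor.rules'):
    """Return one Snort-style message per conflict (actions appended); an empty list means the file would load."""
    return ['FATAL ERROR: %s(%d) GID %d SID %d in rule duplicates previous rule, with different type (%s, then %s).'
            % (path, n, gid, sid, prev, cur)
            for n, gid, sid, prev, cur in find_conflicts(parse_rules(text))]


if __name__ == '__main__':
    for name, text in (('BROKEN', BROKEN), ('FIXED', FIXED)):
        print(name, check(text) or ['loads cleanly'])
```

Running it against the first sample reproduces the thread's failure mode: the alert rule and the pass rule for 119:15 are both active, so the second one is flagged. In the second sample the alert line carries the '#', only the pass rule remains, and nothing is reported, which is the state to reach before restarting Snort for the change to take effect.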