Snort mailing list archives

Re: [Snort-sigs] Snort down


From: wkitty42 () windstream net
Date: Wed, 15 Jun 2016 08:38:10 -0400

On 06/15/2016 04:47 AM, ARUN LAL wrote:
> =====================
> ERROR: /etc/snort/rules/snort.rules(6053) threshold (in rule): could not
> create threshold - only one per sig_id=2014141.
> =====================
> After uncommenting the rule in snort.rule the snort service is running fine.
>
> *Why it happens always?? Can someone explain it to me?*

it appears that that rule has in-rule thresholding (detection_filter:track 
by_src, count 10, seconds 60;) and you are trying to threshold it again in 
threshold.conf?? you cannot threshold already thresholded rules... if you want 
to threshold it in threshold.conf, you have to remove the thresholding from the 
rule itself...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
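
Added example, not part of the original message and not Snort's own code: a pre-flight check that lists every sig_id limited both inside an enabled rule and by a standalone threshold/event_filter line in threshold.conf, so the conflict shows up before Snort is restarted. The sample rules and config are constructed, and which in-rule options count as conflicting is an assumption (the `options` parameter; it defaults to `threshold` plus the `detection_filter` option named in the reply).

```python
import re

# Standalone Snort 2.x entries, e.g. "threshold gen_id 1, sig_id 2014141, type limit, ..."
STANDALONE = re.compile(r"^\s*(threshold|event_filter)\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)")
SID = re.compile(r"[(;]\s*sid\s*:\s*(\d+)\s*;")
GID = re.compile(r"[(;]\s*gid\s*:\s*(\d+)\s*;")

def in_rule_limits(rules_text, options=("threshold", "detection_filter")):
    """Return {(gid, sid): (line_no, option)} for enabled rules that rate-limit in-rule."""
    opt = re.compile(r"[(;]\s*(%s)\s*:" % "|".join(options))
    found = {}
    for n, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):          # commented-out rules are not loaded
            continue
        m_opt, m_sid, m_gid = opt.search(line), SID.search(line), GID.search(line)
        if m_opt and m_sid:
            gid = int(m_gid.group(1)) if m_gid else 1   # gid defaults to 1 when absent
            found[(gid, int(m_sid.group(1)))] = (n, m_opt.group(1))
    return found

def find_conflicts(rules_text, conf_text):
    """List (sid, rule_line, in_rule_option, conf_line, conf_keyword) for double limits."""
    limits = in_rule_limits(rules_text)
    conflicts = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = STANDALONE.match(line)                 # '#' comments and suppress lines do not match
        if m and (int(m.group(2)), int(m.group(3))) in limits:
            rule_line, option = limits[(int(m.group(2)), int(m.group(3)))]
            conflicts.append((int(m.group(3)), rule_line, option, n, m.group(1)))
    return conflicts

# Constructed sample input (not real rule text), reusing the sig_id from the error above.
RULES = """\
alert tcp any any -> any 80 (msg:"constructed A"; detection_filter:track by_src, count 10, seconds 60; sid:2014141; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; threshold:type both, track by_src, count 5, seconds 60; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed C, disabled"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
"""
CONF = """\
# constructed threshold.conf
event_filter gen_id 1, sig_id 2014141, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
threshold gen_id 1, sig_id 1000002, type limit, track by_src, count 1, seconds 60
suppress gen_id 1, sig_id 1000001
"""

if __name__ == "__main__":
    for sid, rule_line, option, conf_line, kind in find_conflicts(RULES, CONF):
        print(f"sig_id={sid}: in-rule {option} (rules line {rule_line}) and {kind} (conf line {conf_line})")
```

The disabled rule and the suppress line are not reported: a commented-out rule is never loaded, and suppress is not a threshold entry.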
