Re: (no subject)

[Russ via Snort-users <snort-users () lists snort org>]

That is saying there is already another one for that rule.  Is there 
another event_filter for that rule in your conf?  Or does that rule have 
an in-rule threshold?  That also counts.

On 10/2/17 10:35 AM, Paul O'Brien wrote:
> Could not create threshold - only one per sig_id=2002878.
>
> I only have one rule, the one in question, for sig Id 2002878.
>
> Thanks,
> Dan
>
> "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
>
> Sent from my iPhone
>
> > On Oct 2, 2017, at 9:15 AM, Russ <rucombs () cisco com> wrote:
> >
> > That looks OK.  Please send the error you are seeing.
> >
> > > On 9/30/17 6:13 PM, Paul O'Brien via Snort-users wrote:
> > > Why is this causing an error and keeping snort from starting?  I want to suppress all errors under a 2 count per minute 
> > > per ip
> > >
> > > event_filter gen_id 1, sig_id 2002878, type both, track by_src, count 2, seconds 60
> > >
> > > Thanks,
> > > Dan
> > >
> > >
> > > "Better is a poor man who walks in his integrity than a rich man who is crooked in his ways." - Proverbs 28:6
> > >
> > > Sent from my iPhone
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists snort org
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.snort.org/mailman/listinfo/snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!