RE: [Snort-sigs] Bleeding rules virus and threshold issue

The latest bleeding-rules.tar.gz has:

[17:14:02 jlay@homebox:~/temp/rules$] ls -l
total 364
-rw-r--r--  1 jlay users  7981 Feb 21 14:07 bleeding-attack_response.rules
-rw-r--r--  1 jlay users 10341 Feb 21 14:07 bleeding-custom.rules
-rw-r--r--  1 jlay users  5367 Feb 21 14:07 bleeding-dos.rules
-rw-r--r--  1 jlay users 35208 Feb 21 14:07 bleeding-exploit.rules
-rw-r--r--  1 jlay users  6170 Feb 21 14:07 bleeding-inappropriate.rules
-rw-r--r--  1 jlay users 92935 Feb 21 14:07 bleeding-malware.rules
-rw-r--r--  1 jlay users  9530 Feb 21 14:07 bleeding-p2p.rules
-rw-r--r--  1 jlay users 31019 Feb 21 14:07 bleeding-policy.rules
-rw-r--r--  1 jlay users  5856 Feb 21 14:07 bleeding-scan.rules
-rw-r--r--  1 jlay users 72015 Feb 21 14:07 bleeding-sid-msg.map
-rw-r--r--  1 jlay users 46488 Feb 21 14:07 bleeding-virus.rules
-rw-r--r--  1 jlay users 15317 Feb 21 14:07 bleeding-web.rules
-rw-r--r--  1 jlay users  2117 Feb 21 14:07 bleeding.rules

Didn't see an *all* rules file, so I don't think that's my issue.  Thanks
though =)

James


-----Original Message-----
From: Frank Knobbe [mailto:frank@knobbe.us]
Sent: Monday, February 21, 2005 10:22 AM
To: James Lay
Cc: 'Snort-Sigs (E-mail)
Subject: Re: [Snort-sigs] Bleeding rules virus and threshold issue


On Mon, 2005-02-21 at 10:27 -0500, Matt Jonkman wrote:
> Do you have the ruleset mentioned twice in your snort.conf?
>
> Snort will load it twice if you do.

Make sure you either include bleeding-all.rules OR the other
bleeding-*.rules, but not both. If you include all separate rules AND
bleeding-all.rules, you will include all bleeding rules twice.

Regards,
Frank



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs