[Snort-sigs] Snort not updating any .rules except snort.rules in /rules directory

Joel Esler (jesler) jesler at cisco.com
Thu May 23 14:45:18 EDT 2019


Are you a Subscriber to the rule set?



From: Michael Shkolnik <michael.shkolnik at webcasts.com>
Date: Thursday, May 23, 2019 at 2:33 PM
To: "Joel Esler (jesler)" <jesler at cisco.com>
Cc: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: Re: [Snort-sigs] Snort not updating any .rules except snort.rules in /rules directory

Hi Joel,

Thank you for getting back to me so promptly. I took a look inside the snort.rules before I reached out to you and did not see the latest threats being added despite what appears to be a successful rule pulldown, which is why I became concerned and reached out. If you could kindly look at the provided screenshot, you will notice that the pulled down rules do not match what is on the release notes for May 20th: https://snort.org/advisories/talos-rules-2019-05-20

Also, if all rules files are consolidated into a single snort.rules file, why do Snort release notes show modifications to other .rules files per the URL I provided earlier?

"Talos has added and modified multiple rules in the deleted, file-flash, file-other, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies."

If it helps, I am running Snort Version 2.9.9.0 GRE (Build 56) FreeBSD


Best,



Michael Shkolnik | Engineering | PGi <http://www.pgi.com/> | New York, NY

________________________________
From: "Joel Esler (jesler)" <jesler at cisco.com>
To: "Michael Shkolnik" <michael.shkolnik at webcasts.com>, snort-sigs at lists.snort.org
Sent: Thursday, May 23, 2019 2:18:37 PM
Subject: Re: [Snort-sigs] Snort not updating any .rules except snort.rules in /rules directory

Hey Michael,

PulledPork consolidates the rules files down to one file (snort.rules).  If you take a look inside that file, you will see the multiple categories of rules all consolidated.


--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Michael Shkolnik <michael.shkolnik at webcasts.com>
Date: Thursday, May 23, 2019 at 2:14 PM
To: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: [Snort-sigs] Snort not updating any .rules except snort.rules in /rules directory

Good afternoon,

I've noticed that during weekly updates only the snort.rules file gets updated within the /usr/local/etc/snort/rules directory and not any other .rules files within that directory.

This is what I have in my pulledpork.conf file; do I need to revise any entries to fix this?

rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/


Michael S
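Since the answer in this thread is that PulledPork writes every category into the single snort.rules, one way to confirm what actually arrived is to parse that file, count rules by the category prefix Talos puts at the start of each msg string, and compare sid/rev pairs against a release note. This is an added example, not code from the thread or from PulledPork; the rules file content and the expected sid/rev values are constructed placeholders, and deriving the category from the msg prefix relies on the Talos naming convention rather than on anything PulledPork writes.

```python
import re
from collections import Counter

# Constructed sample of a consolidated snort.rules (not a real rule set).
# Talos msg strings begin with the category name, e.g. "MALWARE-CNC ...".
SAMPLE_SNORT_RULES = """\
# consolidated by pulledpork (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Example beacon"; flow:to_server,established; content:"beacon"; classtype:trojan-activity; sid:1000001; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FILE-PDF Example disabled rule"; flow:to_client,established; content:"%PDF"; classtype:attempted-user; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Example traversal"; flow:to_server,established; content:"../"; classtype:web-application-attack; sid:1000003; rev:3;)
"""

# A rule line, optionally commented out (PulledPork disables rules with a leading '#').
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|drop|pass|log|reject|sdrop)\s+.*?\('
    r'(?P<options>.*)\)\s*$'
)

def parse_rules(text):
    """Return {sid: {"rev", "msg", "category", "enabled"}} for every rule line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines and ordinary comments
        opts = m.group("options")
        sid = re.search(r'sid:\s*(\d+);', opts)
        rev = re.search(r'rev:\s*(\d+);', opts)
        msg = re.search(r'msg:\s*"([^"]*)";', opts)
        if not (sid and msg):
            continue
        msg_text = msg.group(1)
        rules[int(sid.group(1))] = {
            "rev": int(rev.group(1)) if rev else 0,
            "msg": msg_text,
            "category": msg_text.split(" ", 1)[0].lower(),  # Talos msg prefix
            "enabled": m.group("disabled") is None,
        }
    return rules

def category_counts(rules):
    """How many rules of each category landed in the consolidated file."""
    return Counter(r["category"] for r in rules.values())

def check_release(rules, expected):
    """expected: {sid: rev} taken from a release note. Returns (missing, stale) sids."""
    missing = sorted(s for s in expected if s not in rules)
    stale = sorted(s for s in expected if s in rules and rules[s]["rev"] < expected[s])
    return missing, stale
```

Pointing `parse_rules` at the real /usr/local/etc/snort/rules/snort.rules and feeding `check_release` the sid/rev pairs from the release note in question shows directly whether the update landed, without relying on per-category files.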
