[Snort-users] pulledpork re-organizing rules?

Joel Esler jesler at ...1935...
Tue Aug 10 12:31:21 EDT 2010

On Aug 10, 2010, at 12:06 PM, Billy Marshall wrote:

> Hi all,
> I noticed that Pulled_Pork v0.4.2 is writing the rules to two large files now so there are only 2 rule files:
> snort.rules and so_rules.rules


> Doesn't this defeat the organization of the rules that snort.org has set forth?

The rules are arranged into categories; you can arrange them however you want.  PulledPork does it in two files.

> Why is a third party support application re-structuring rule sets and not conforming to snort?
> Have I misunderstood something?

Yes.  Management of rules is then turned over to pulledpork and you cease to manage your rules manually.

> Is snort restructuring its configuration file?

> With pulledpork:
> I can not exclude a rule set with the snort.conf without running pulledpork.

Correct.  You can't make changes to a rule set without using the thing that manages the rules.

> The files snort.rules and so_rules.rules are not in the snort.conf file. If I add them (logically) I will have duplicate rules unless I comment out the rules I want to keep that are organized. However, when I really do add the files, snort.rules and so_rules.rules, Snort does not initialize.

Well, that's a different problem, and it seems like we need to fix that.

> Furthermore, logically, when I do update with pulledpork and if I was unaware of the changes I would never get the new rules because they are stuffed in files that are never looked at by the snort engine without adding them to the snort.conf file.

That's why pulledpork logs all of its changes in a file called sid-changes.log.

> This is confusing, poses many future issues, and forces snort being dependent on pulledpork.

It keeps you from having to make changes in multiple places.  Now you make changes in one place (pulledpork) and let pulledpork handle the rest.

> If I remove all rules from the rules directory and run pulledpork it only creates the aforementioned files and none of the others.

Correct.  You'll need to add them into the snort.conf.
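Added example (not part of the thread and not PulledPork's or Snort's own code): a small Python check for the two failure modes discussed above. It confirms that snort.conf actually includes the files PulledPork writes (snort.rules and so_rules.rules), and it flags the duplicate-rule situation Billy describes, where an old per-category file is still included next to PulledPork's combined file and the same gid:sid is loaded twice. The snort.conf fragment, file names and rule lines below are constructed sample data; the `$RULE_PATH` / `$SO_RULE_PATH` variables follow the stock snort.conf convention but the paths are assumptions.

```python
import re

# The two combined files PulledPork produces, as named in the thread.
PULLEDPORK_OUTPUTS = ("snort.rules", "so_rules.rules")

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)", re.M)
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.M)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed snort.conf fragment: PulledPork's two files are included,
# but a legacy category file that still carries one of the same rules
# was never removed.
SNORT_CONF = """\
var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
include $RULE_PATH/snort.rules
include $SO_RULE_PATH/so_rules.rules
include $RULE_PATH/web-misc.rules
"""

# Constructed rule files keyed by the path snort.conf resolves them to.
RULE_FILES = {
    "../rules/snort.rules": (
        'alert tcp any any -> any 80 (msg:"WEB-MISC test a"; sid:1000001; rev:1;)\n'
        'alert tcp any any -> any 80 (msg:"WEB-MISC test b"; sid:1000002; rev:1;)\n'
        '# alert tcp any any -> any 80 (msg:"disabled by pulledpork"; sid:1000003; rev:1;)\n'
    ),
    "../so_rules/so_rules.rules": (
        'alert tcp any any -> any 443 (msg:"SO test"; gid:3; sid:20000; rev:1;)\n'
    ),
    "../rules/web-misc.rules": (
        'alert tcp any any -> any 80 (msg:"WEB-MISC test a"; sid:1000001; rev:1;)\n'
    ),
}


def parse_includes(conf_text):
    """Return every include path in a snort.conf with $VAR references expanded."""
    variables = dict(VAR_RE.findall(conf_text))

    def expand(match):
        return variables.get(match.group(1), match.group(0))

    return [re.sub(r"\$(\w+)", expand, raw) for raw in INCLUDE_RE.findall(conf_text)]


def rule_ids(rule_text):
    """Yield (gid, sid) for each active rule line; commented-out rules are skipped."""
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue
        gid = GID_RE.search(line)
        yield (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def pulledpork_outputs_included(conf_text):
    """Report which of PulledPork's output files snort.conf actually loads."""
    basenames = {path.rsplit("/", 1)[-1] for path in parse_includes(conf_text)}
    return {name: name in basenames for name in PULLEDPORK_OUTPUTS}


def duplicate_rules(conf_text, read_file):
    """Map (gid, sid) -> the included .rules files that all define it."""
    seen = {}
    for path in parse_includes(conf_text):
        if not path.endswith(".rules"):
            continue
        text = read_file(path)  # read_file returns None for files that do not exist
        if text is None:
            continue
        for key in rule_ids(text):
            seen.setdefault(key, []).append(path)
    return {key: files for key, files in seen.items() if len(files) > 1}


if __name__ == "__main__":
    # Stand-alone run against the constructed sample data.
    print("pulledpork outputs included:", pulledpork_outputs_included(SNORT_CONF))
    for (gid, sid), files in duplicate_rules(SNORT_CONF, RULE_FILES.get).items():
        print(f"duplicate {gid}:{sid} loaded from {', '.join(files)}")
```

To run it against a real deployment, replace `SNORT_CONF` with the contents of your snort.conf and pass a reader that opens files relative to that config's directory in place of `RULE_FILES.get`. A `False` entry from `pulledpork_outputs_included` is the "never looked at by the snort engine" case; any hit from `duplicate_rules` is a category file that should be dropped from snort.conf once PulledPork owns the rules.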
