[Snort-users] Duplicate downloaded rules

Lay, James james.lay at ...15009...
Tue Oct 19 11:10:34 EDT 2010


....so let me understand this.  My current setup is:

/usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules

/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

I need to:

Create separate directories for the two rulesets

Change the above to reflect:

        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt

        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et

        cp /etc/snort/rules/vrt/*.* /etc/snort/rules

        cp /etc/snort/rules/et/*.* /etc/snort/rules

Create two new oinkmaster conf files, the vrt.conf containing what's in the attachment in the original post of the 410 rules.

Modify create-sidmap.pl line 101 to reflect:

        next if ($single =~ /^\#/);

Have I missed anything?  Thanks Jason

 

 

From: Weir, Jason [mailto:jason.weir at ...14916...]
Sent: Tuesday, October 19, 2010 8:19 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Duplicate downloaded rules

ET and VRT are publishing duplicate rules.

Read the "The New Rulesets are Ready!!" thread here

http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

Not sure if you use Oinkmaster but I posted a solution in that thread.

-J

	-----Original Message-----
	From: Lay, James [mailto:james.lay at ...15009...]
	Sent: Tuesday, October 19, 2010 10:05 AM
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] Duplicate downloaded rules

	I sent this to snort-sigs a few days ago, but it got moderated into oblivion.  Here's a pruned down one in hopes it will make it:

	I am seeing the below with grabbing these rulesets:

	Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz

	Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

	WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'

	WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'

	WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'

	WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'

	<snip> many more of these

	WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'

	WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'

	WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

	A grand total of 409 dup messages are seen even as of this morning.  Maybe this one will make it through...

	James

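The workflow discussed in this thread (pull the VRT and ET rulesets separately, merge them into one rules directory, and build sid-msg.map while skipping commented-out rules) can be checked before it goes into production. The following is an added example, not code from the thread, from Oinkmaster or from create-sidmap.pl: it parses two constructed sample rulesets, resolves a SID collision the way the Oinkmaster warning describes (the rule with the highest `rev` is kept), applies the same `^#` skip that the proposed create-sidmap.pl change introduces, and renders the `sid || msg` lines that sid-msg.map carries. Unlike the two `cp` commands in the thread, it also reports which SIDs collided and which source won, so a reviewer can see exactly what the merged directory will alert with. The sample rules and their SIDs are constructed for illustration and do not come from either vendor's archive.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rulesets (not the VRT or ET archives). Both carry SID 498
# with different revs; the ET set also contains a commented-out rule, which
# must not reach sid-msg.map.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example one"; sid:498; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB example"; sid:1000001; rev:1;)
"""
ET_RULES = """\
# Disabled copy: must be skipped, as with `next if ($single =~ /^\\#/);`
#alert tcp any any -> $HOME_NET 21 (msg:"FTP disabled copy"; sid:2000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP example one (ET)"; sid:498; rev:7;)
alert udp any any -> $HOME_NET 53 (msg:"DNS example"; sid:2000002; rev:3;)
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')


def parse_rules(text: str) -> List[Tuple[int, int, str]]:
    """Return (sid, rev, msg) for every active rule line.

    Lines beginning with '#' are commented-out rules and are skipped, which is
    the effect of the create-sidmap.pl change discussed in the thread.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue  # not a rule line (e.g. a variable definition)
        rev = REV_RE.search(line)
        msg = MSG_RE.search(line)
        rules.append((int(sid.group(1)),
                      int(rev.group(1)) if rev else 0,
                      msg.group(1) if msg else ""))
    return rules


def merge_rulesets(rulesets: Dict[str, str]):
    """Merge named rulesets into one SID -> (rev, msg, source) table.

    On a SID collision the rule with the highest rev wins, mirroring the
    Oinkmaster warning "only keeping rule with highest 'rev'". Every collision
    is recorded as (sid, kept_source, dropped_source) so it can be reviewed.
    """
    merged: Dict[int, Tuple[int, str, str]] = {}
    duplicates: List[Tuple[int, str, str]] = []
    for source, text in rulesets.items():
        for sid, rev, msg in parse_rules(text):
            if sid not in merged:
                merged[sid] = (rev, msg, source)
                continue
            kept_rev, _, kept_src = merged[sid]
            if rev > kept_rev:
                duplicates.append((sid, source, kept_src))
                merged[sid] = (rev, msg, source)
            else:
                duplicates.append((sid, kept_src, source))
    return merged, duplicates


def sid_msg_map(merged: Dict[int, Tuple[int, str, str]]) -> str:
    """Render sid-msg.map lines in the 'sid || msg' form Snort reads."""
    return "".join(f"{sid} || {merged[sid][1]}\n" for sid in sorted(merged))


if __name__ == "__main__":
    table, dups = merge_rulesets({"vrt": VRT_RULES, "et": ET_RULES})
    for sid, kept, dropped in dups:
        print(f"duplicate SID {sid}: kept {kept}, dropped {dropped}")
    print(sid_msg_map(table), end="")
```

Run against real directories, `VRT_RULES` and `ET_RULES` would be replaced by the concatenated contents of `/etc/snort/rules/vrt/*.rules` and `/etc/snort/rules/et/*.rules`; the duplicate report is the part worth keeping in a change log, since it records which vendor's version of each colliding SID is actually loaded.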