[Snort-users] Duplicate downloaded rules

Weir, Jason jason.weir at ...14916...
Tue Oct 19 11:19:38 EDT 2010


Looks good - let me know if you have any problems.

FYI - this might change if ET & VRT come up with a better solution.
 
-J

	-----Original Message-----
	From: Lay, James [mailto:james.lay at ...15009...]
	Sent: Tuesday, October 19, 2010 11:11 AM
	To: snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] Duplicate downloaded rules

	....so let me understand this.  My current setup is:

	/usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules
	/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

	I need to:

	Create separate directories for the two rulesets

	Change the above to reflect:

	        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
	        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et

	        cp /etc/snort/rules/vrt/*.* /etc/snort/rules
	        cp /etc/snort/rules/et/*.* /etc/snort/rules

	Create two new oinkmaster conf files, the vrt.conf containing what's in the attachment in the original post of the 410 rules.

	Modify create-sidmap.pl line 101 to reflect:

	        next if ($single =~ /^\#/);

	Have I missed anything?  Thanks Jason

	From: Weir, Jason [mailto:jason.weir at ...14916...]
	Sent: Tuesday, October 19, 2010 8:19 AM
	To: snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] Duplicate downloaded rules

	ET and VRT are publishing duplicate rules.

	Read the "The New Rulesets are Ready!!" thread here

	http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

	Not sure if you use Oinkmaster but I posted a solution in that thread.

	-J

		-----Original Message-----
		From: Lay, James [mailto:james.lay at ...15009...]
		Sent: Tuesday, October 19, 2010 10:05 AM
		To: snort-users at lists.sourceforge.net
		Subject: [Snort-users] Duplicate downloaded rules

		I sent this to snort-sigs a few days ago, but it got moderated into oblivion.  Here's a pruned down one in hopes it will make it:

		I am seeing the below with grabbing these rulesets:

		Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz
		Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

		WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'
		WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'
		WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'
		WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'
		<snip> many more of these
		WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'
		WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'
		WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

		A grand total of 409 dup messages are seen even as of this morning.  Maybe this one will make it through...

		James

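The merge step James lays out above (two Oinkmaster output trees copied into one rules directory, then sid-msg.map regenerated with commented-out rules skipped) can be exercised offline. The script below is an added example written for this page; it is not code from the thread, from Oinkmaster or from create-sidmap.pl. It parses two constructed rule sets standing in for the VRT and ET trees, resolves a SID that appears in both by keeping the higher rev (the policy the Oinkmaster warning in the thread states), skips lines beginning with '#' the way the quoted create-sidmap.pl change does, and renders "sid || msg" lines. The sample rules, SIDs and messages are made up for the demonstration, and the optional reference fields of sid-msg.map are omitted.

```python
"""Merge two Snort rule trees (e.g. VRT and ET) into one sid-msg.map.

Added example, not Oinkmaster or create-sidmap.pl code. A SID present in
both rulesets is resolved the way the Oinkmaster warning describes: the
rule with the highest 'rev' wins. Commented-out rules are skipped so that
disabled rules do not end up in the map.
"""
import re
from typing import Dict, Iterable, List, Tuple

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

Rule = Tuple[int, int, str, str]  # (sid, rev, msg, source ruleset)

# Constructed sample rules standing in for /etc/snort/rules/vrt/*.rules.
VRT_RULES = """\
# constructed sample, not a real VRT file
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; sid:499; rev:5; classtype:bad-unknown;)
alert tcp any any -> any 21 (msg:"FTP CWD overflow"; flow:to_server,established; content:"CWD"; sid:1919; rev:12;)
"""

# Constructed sample standing in for /etc/snort/rules/et/*.rules.
# SID 499 collides with the VRT copy (lower rev), one rule is disabled,
# and one rule uses a backslash continuation line. Raw string keeps the '\'.
ET_RULES = r"""
# constructed sample, not a real ET file
alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; sid:499; rev:4; classtype:bad-unknown;)
#alert tcp any any -> any 80 (msg:"ET disabled rule"; content:"foo"; sid:2000001; rev:1;)
alert tcp any any -> any 25 (msg:"ET SMTP test"; flow:to_server,established; \
    content:"HELO"; sid:2000002; rev:3;)
"""


def iter_logical_lines(text: str) -> Iterable[str]:
    """Yield rules with backslash continuation lines joined into one."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_rules(text: str, source: str) -> List[Rule]:
    """Return (sid, rev, msg, source) for every active rule in text.

    Lines beginning with '#' are skipped, as in the create-sidmap.pl change
    quoted in the thread; a line without a sid option is ignored.
    """
    rules: List[Rule] = []
    for line in iter_logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        sid_m = SID_RE.search(stripped)
        if not sid_m:
            continue
        rev_m = REV_RE.search(stripped)
        msg_m = MSG_RE.search(stripped)
        rev = int(rev_m.group(1)) if rev_m else 0  # no rev: sorts lowest
        msg = msg_m.group(1) if msg_m else ""
        rules.append((int(sid_m.group(1)), rev, msg, source))
    return rules


def merge_rulesets(rulesets: Dict[str, str]) -> Tuple[Dict[int, Rule], List[str]]:
    """Merge rulesets keyed by name; on a duplicate SID keep the highest rev.

    Ties keep the ruleset passed first. Returns the merged rules by SID and
    one warning per collision so the overlap can be reviewed or disabled.
    """
    merged: Dict[int, Rule] = {}
    warnings: List[str] = []
    for source, text in rulesets.items():
        for rule in parse_rules(text, source):
            sid = rule[0]
            if sid not in merged:
                merged[sid] = rule
                continue
            kept = merged[sid]
            winner = rule if rule[1] > kept[1] else kept
            warnings.append(
                f"WARNING: duplicate SID {sid}: {kept[3]} rev {kept[1]} vs "
                f"{source} rev {rule[1]}, keeping {winner[3]}"
            )
            merged[sid] = winner
    return merged, warnings


def build_sid_msg_map(merged: Dict[int, Rule]) -> List[str]:
    """Render sid-msg.map lines ('sid || msg'), sorted by SID."""
    return [f"{sid} || {merged[sid][2]}" for sid in sorted(merged)]


if __name__ == "__main__":
    merged, warnings = merge_rulesets({"vrt": VRT_RULES, "et": ET_RULES})
    for w in warnings:
        print(w)
    print("\n".join(build_sid_msg_map(merged)))
```

To run it against real trees, read each directory's *.rules files into one string per ruleset and pass them to merge_rulesets in the order you want ties resolved. The warnings list gives the overlapping SIDs, which is the input you need for a disablesid entry in whichever oinkmaster conf should lose.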