[Snort-users] Duplicate downloaded rules

Weir, Jason jason.weir at ...14916...
Tue Oct 19 11:44:04 EDT 2010


Counterproductive indeed....

You might ask the same question over on the ET list.. They can give a
better explanation than I can..

-J

	-----Original Message-----
	From: Lay, James [mailto:james.lay at ...15009...] 
	Sent: Tuesday, October 19, 2010 11:28 AM
	To: snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] Duplicate downloaded rules
	
	

	Ok...thanks again Jason.  Also....I guess there's something I do
not understand as it relates to ET & VRT rules.  As I understand it:

	Snort VRT support 2.8.6.1 and 2.9.0
	ET support 2.4-2.8.6

	Is it just me or does this not make sense?  Why are ET rules
even bothering with unsupported versions of Snort, and not putting out
rules that are in line with supported versions of Snort?  I have to be
honest...from a home and business user, going from what used to be a
relatively easy rule management system, to what it is now has been
extremely time consuming and frustrating.  And, coming from someone who
has little knowledge of how the ET and VRT rulesets are
developed/maintained, I have to think that duplicate SIDs seem to be
counterproductive.  I'll keep plodding along...thank you.

	James

	 

	From: Weir, Jason [mailto:jason.weir at ...14916...] 
	Sent: Tuesday, October 19, 2010 9:20 AM
	To: snort-users at lists.sourceforge.net
	Subject: Re: [Snort-users] Duplicate downloaded rules

	 

	looks good - let me know if you have any problems..

	FYI - this might change if ET & VRT come up with a better
solution..

	-J

		-----Original Message-----
		From: Lay, James [mailto:james.lay at ...15009...] 
		Sent: Tuesday, October 19, 2010 11:11 AM
		To: snort-users at lists.sourceforge.net
		Subject: Re: [Snort-users] Duplicate downloaded rules

		....so let me understand this.  My current setup is:

		/usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules
		/usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

		I need to:

		Create separate directories for the two rulesets

		Change the above to reflect:

		        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
		        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et

		        cp /etc/snort/rules/vrt/*.* /etc/snort/rules
		        cp /etc/snort/rules/et/*.* /etc/snort/rules

		Create two new oinkmaster conf files, the vrt.conf
containing what's in the attachment in the original post of the 410
rules.

		Modify create-sidmap.pl line 101 to reflect:

		        next if ($single =~ /^\#/);

		Have I missed anything?  Thanks Jason

		 

		 

		From: Weir, Jason [mailto:jason.weir at ...14916...] 
		Sent: Tuesday, October 19, 2010 8:19 AM
		To: snort-users at lists.sourceforge.net
		Subject: Re: [Snort-users] Duplicate downloaded rules

		 

		ET and VRT are publishing duplicate rules.

		Read the "The New Rulesets are Ready!!" thread here

		http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

		Not sure if you use Oinkmaster but I posted a solution
in that thread.

		-J

			-----Original Message-----
			From: Lay, James [mailto:james.lay at ...15009...] 
			Sent: Tuesday, October 19, 2010 10:05 AM
			To: snort-users at lists.sourceforge.net
			Subject: [Snort-users] Duplicate downloaded rules

			I sent this to snort-sigs a few days ago, but it
got moderated into oblivion.  Here's a pruned down one in hopes it will
make it:

			I am seeing the below when grabbing these
rulesets:

			Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz
			Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

			WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'
			WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'
			WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'
			WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'
			<snip> many more of these
			WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'
			WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'
			WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

			A grand total of 409 dup messages are seen even
as of this morning.  Maybe this one will make it through...

			James
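The two mechanics this thread turns on are oinkmaster's "duplicate SID, only keeping rule with highest 'rev'" tie-break across the VRT and ET archives, and the create-sidmap.pl change (skip lines starting with '#') so that rules disabled in one ruleset do not end up in sid-msg.map. The script below is an added example, not part of any post in this thread and not oinkmaster's or create-sidmap.pl's own code: it parses two rule trees, reports every SID present in both (the condition behind the warnings James saw), and builds sid-msg.map entries that skip commented-out rules and keep the highest rev. The rule text, file names and ruleset names are constructed stand-ins for /etc/snort/rules/vrt and /etc/snort/rules/et; SID values are only illustrative.

```python
"""Find SIDs duplicated across two Snort rule trees and build a sid-msg.map that
skips commented-out rules. Added example, not oinkmaster or create-sidmap.pl."""
import re
from collections import defaultdict

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample rule files (hypothetical contents, not the real VRT or ET
# files). SID 498 and 1666 exist in both trees; 2100 is VRT-only but disabled.
SAMPLE_RULESETS = {
    "vrt": {
        "attack-responses.rules":
            'alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; '
            'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)\n'
            '# alert tcp any any -> any any (msg:"ATTACK-RESPONSES disabled example"; '
            'sid:2100; rev:1;)\n',
        "policy.rules":
            'alert tcp any any -> any 21 (msg:"POLICY ftp example"; sid:1666; rev:5;)\n',
    },
    "et": {
        "emerging-attack_response.rules":
            '#alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; '
            'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:7;)\n'
            'alert tcp any any -> any 21 (msg:"POLICY ftp example"; sid:1666; rev:4;)\n',
        "emerging-policy.rules":
            'alert tcp any any -> any any (msg:"ET POLICY example only in ET"; '
            'sid:2000001; rev:3;)\n',
    },
}


def parse_rules(text):
    """Return one dict per rule line: sid, rev, msg and whether it is enabled.
    A leading '#' marks a disabled rule, which is what oinkmaster's disablesid
    produces and what the create-sidmap.pl change skips."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        sid = SID_RE.search(stripped)
        if not sid:
            continue  # blank lines and plain comments carry no sid
        rev = REV_RE.search(stripped)
        msg = MSG_RE.search(stripped)
        rules.append({
            "sid": int(sid.group(1)),
            "rev": int(rev.group(1)) if rev else 0,
            "msg": msg.group(1) if msg else "",
            "enabled": not stripped.startswith("#"),
        })
    return rules


def index_rulesets(rulesets):
    """Map sid -> [(ruleset, filename, rule), ...] across every ruleset."""
    index = defaultdict(list)
    for name, files in rulesets.items():
        for fname, text in files.items():
            for rule in parse_rules(text):
                index[rule["sid"]].append((name, fname, rule))
    return index


def find_duplicate_sids(rulesets):
    """Return {sid: [(ruleset, filename, rev), ...]} for every sid that occurs in
    more than one ruleset, the condition behind oinkmaster's duplicate warning."""
    dups = {}
    for sid, hits in index_rulesets(rulesets).items():
        if len({name for name, _, _ in hits}) > 1:
            dups[sid] = [(name, fname, rule["rev"]) for name, fname, rule in hits]
    return dups


def build_sid_msg_map(rulesets):
    """Build 'sid || msg' lines: commented-out rules are skipped (the modified
    create-sidmap.pl behaviour) and, when a sid survives in both trees, the
    highest rev wins (oinkmaster's tie-break)."""
    best = {}
    for sid, hits in index_rulesets(rulesets).items():
        enabled = [rule for _, _, rule in hits if rule["enabled"]]
        if enabled:
            best[sid] = max(enabled, key=lambda r: r["rev"])
    return ["%d || %s" % (sid, best[sid]["msg"]) for sid in sorted(best)]


if __name__ == "__main__":
    for sid, hits in sorted(find_duplicate_sids(SAMPLE_RULESETS).items()):
        where = ", ".join("%s/%s rev:%d" % h for h in hits)
        print("WARNING: duplicate SID %d in %s" % (sid, where))
    print("\n".join(build_sid_msg_map(SAMPLE_RULESETS)))
```

Running it against the constructed input reports SIDs 498 and 1666 as duplicated across the two trees, and the generated map keeps 498 from the VRT copy (the ET copy is commented out), 1666 from the higher-rev VRT copy, and 2000001 from ET, while the disabled SID 2100 never reaches sid-msg.map. Pointing the same functions at real directories only requires reading each .rules file into the nested dict.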
