[Snort-users] More problems with pulledpork 0.6.0

JJC cummingsj at ...11827...
Fri Apr 1 12:14:59 EDT 2011


The reasoning is simple: there is no reliable way, other than using a known
trusted url identification, to determine the source of the rules.  Consider
the case of ETPRO rules vs VRT rules: there are sids that match, the
contained filenames match exactly, and you may have changed the source
tarball name when you put it on your custom server url...  I will likely (in
the next major release) make that a configurable option, such as
rule_url=<url>|<filename>|<oinkcode>|<prependname> or something...

Oh, 0.6.1 is up and has your fix in it...

JJC

On Fri, Apr 1, 2011 at 9:57 AM, carlopmart <carlopmart at ...11827...> wrote:

> On 04/01/2011 05:26 PM, JJC wrote:
>
>> Ok, I see the problem... PP has no way of knowing that the rules you are
>> putting on your custom-url-server are ET rules (it determines if it's
>> VRT or ET based on the source url), thus the other errors (in your bug)
>> that you are reporting and the behavior that you see.  If you remove the
>> ET- from your dropsid and disablesid config.  I will be publishing a
>> bugfix today for that (0.6.1) that will fix both issues, but require you
>> to use Custom-<category> when retrieving from a purely custom url, such
>> as you are doing.
>>
>> JJC
>>
>>
> Ok. All works as expected now after disabling ET-. But why not use
> "Custom-ET-" and "Custom-VRT-" in the new version instead of "Custom-"? With
> this mode you can prevent VRT and ET from releasing a .rules file with the
> same name.
>
>
> Thanks JJC.
>
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
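
The naming problem discussed in this thread, as an added example that is not PulledPork's code and not part of the original messages: a category prefix is derived from the rule source URL, and the optional fourth rule_url field follows the format floated above. The host map, the mirror URL, the file names and the function names are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumption: host-to-prefix map; the thread only says the source URL decides VRT vs ET.
KNOWN_HOSTS = {"snort.org": "VRT", "emergingthreats.net": "ET"}

def parse_rule_url(value):
    """Split url|filename|oinkcode[|prependname]; field 4 is the proposed, unshipped option."""
    parts = value.split("|")
    if len(parts) not in (3, 4) or not all(parts[:2]):
        raise ValueError("expected url|filename|oinkcode[|prependname]")
    prepend = parts[3] if len(parts) == 4 and parts[3] else None
    return {"url": parts[0], "filename": parts[1], "oinkcode": parts[2], "prepend": prepend}

def source_prefix(entry):
    """An explicit prependname wins; otherwise trust only a known host; else Custom."""
    if entry["prepend"]:
        return entry["prepend"]
    host = (urlparse(entry["url"]).hostname or "").lower()
    for domain, prefix in KNOWN_HOSTS.items():
        # Exact or subdomain match only, so snort.org.example is not taken for VRT.
        if host == domain or host.endswith("." + domain):
            return prefix
    return "Custom"

def categorize(sources):
    """sources: [(rule_url value, [.rules names in the tarball])] -> (categories, collisions)."""
    categories, collisions = {}, []
    for value, files in sources:
        entry = parse_rule_url(value)
        prefix = source_prefix(entry)
        for name in files:
            stem = name[:-len(".rules")] if name.endswith(".rules") else name
            category = prefix + "-" + stem
            if category in categories:
                collisions.append(category)  # two feeds map to one disablesid/dropsid name
            else:
                categories[category] = entry["url"]
    return categories, collisions

# Constructed sample: one internal mirror serving both feeds, each shipping scan.rules.
MIRROR = "https://rules.internal.example"
AMBIGUOUS = [(MIRROR + "/a/|feed-a.tar.gz|PLACEHOLDER", ["scan.rules"]),
             (MIRROR + "/b/|feed-b.tar.gz|PLACEHOLDER", ["scan.rules"])]
EXPLICIT = [(AMBIGUOUS[0][0] + "|Custom-VRT", ["scan.rules"]),
            (AMBIGUOUS[1][0] + "|Custom-ET", ["scan.rules"])]

if __name__ == "__main__":
    print(categorize(AMBIGUOUS))
    print(categorize(EXPLICIT))
```

With only the URL to go on, both mirrored feeds land in the same Custom- category, so a disablesid or dropsid entry cannot say which feed it means; the explicit prefix keeps them apart.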