[Snort-users] SO rules and pulledpork

Fred Maillou frederriffic at ...4554...
Fri Feb 21 11:23:44 EST 2014

So far I understand that SO rules should have a .rules counterpart to enable/disable them.  Is that right?

*If* that's the case, I do not get the corresponding .rules files to the .so files.  

This is using pulledpork 0.7.0 and the 2955 version of the rules snapshot.  Since there's a big *if* here, I'll make the description short.

The error from pp is:

 An error occurred: ERROR:
 [...]/tmp/etc/snort/rules/local.rules(0) Unable to open rules
 file "[...]/tmp/etc/snort/rules/local.rules": No such file or
 directory.  An error occurred: Fatal Error, Quitting..

/tmp/ is the temp_path.  The 2955 archived snapshot is in there also.  So I presume that the local.rules file that pp does not find should be included in the 2955 snapshot from snort.org.

pp is called, apart from the config file, with the following: '-n -P -k -D Debian-6-0' and works from an already downloaded 2995 archive and md5 file in its temp_path.

Apart from this puzzlement, lots of rules get written in the out_path, and possibly all .so files get created/moved at the right location defined by sorule_path.

At this stage there are two questions basically:

1) Should each SO .so file have a corresponding .rules file?

2) Why does pp expect to find a local.rules file at that location?  There is no local_rules defined in pp's config.

I'd like to sort this out: any help will be greatly appreciated - thanks.  
