[Snort-users] SO rules and pulledpork
frederriffic at ...4554...
Fri Feb 21 11:23:44 EST 2014
So far I understand that SO rules should have a .rules counterpart to enable/disable them. Is that right?
*If* that's the case, I do not get the corresponding .rules files to the .so files.
This is using pulledpork 0.7.0 and the 2955 version of the rules snapshot. Since there's a big *if* here, I'll make the description short.
The error from pp is:
An error occurred: ERROR:
[...]/tmp/etc/snort/rules/local.rules(0) Unable to open rules
file "[...]/tmp/etc/snort/rules/local.rules": No such file or
directory. An error occurred: Fatal Error, Quitting..
/tmp/ is the temp_path. The 2955 archived snapshot is in there also. So I presume that the local.rules file that pp does not find should be included in the 2955 snapshot from snort.org.
pp is called, apart from the config file, with the following: '-n -P -k -D Debian-6-0' and works from an already downloaded 2995 archive and md5 file in its temp_path.
Apart from this puzzlement, lots of rules get written in the out_path, and possibly all .so files get created/moved at the right location defined by sorule_path.
At this stage there are two questions basically:
1) Should each SO .so file have a corresponding .rules file?
2) Why does pp expect to find a local.rules file at that location? There is no local_rules defined in pp's config.
I'd like to sort this out: any help will be greatly appreciated - thanks.