[Snort-users] pulledpork V0.7.0 not updating the ../rules/*.rules files

Charlie ForFun2000 at ...125...
Sat Aug 8 05:29:01 EDT 2015


Hi

When I run pulledpork, this is what happens:

Prepping rules from snortrules-snapshot-2975.tar.gz for work....
         extracting contents of /tmp/snortrules-snapshot-2975.tar.gz...
         Ignoring plaintext rules: deleted.rules
         Extracted: /tha_rules/VRT-indicator-compromise.rules
         Extracted: /tha_rules/VRT-file-executable.rules
  ...
         Extracted: /tha_rules/VRT-server-iis.rules
         Reading rules...
         Reading rules...
Cleanup....
         removed 170 temporary snort files or directories from /tmp/tha_rules!
Blacklist version is unchanged, not updating!
Setting Flowbit State....
         Enabled 57 flowbits
         Done
Writing /usr/local/snort/rules/snort.rules....
         Done
Generating sid-msg.map....
         Done
Writing v1 /usr/local/snort/etc/sid-msg.map....
         Done
Writing /var/log/sid_changes.log....
         Done
Rule Stats...
         New:-------47
         Deleted:---16
         Enabled Rules:----26218
         Dropped Rules:----0
         Disabled Rules:---21141
         Total Rules:------47359
No IP Blacklist Changes

Done
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

I can see that in the ../snort/rules directory, the snort.rules file 
has been updated
BUT
none of the smaller *.rules files like app-detect.rules, 
attack-responses.rules and so on are.

Is this correct? I was expecting the snort.rules to be broken down into 
its many *.rules files.

If this is correct, should the snort.conf file have a:
include $RULE_PATH/snort.rules
rather than
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
...

Thanks in advance





