[Snort-users] pulledpork V0.7.0 not updating the ../rules/*.rules files

James Lay jlay at ...13475...
Sat Aug 8 07:52:36 EDT 2015


On Sat, 2015-08-08 at 10:29 +0100, Charlie wrote:

> Hi
> 
> When I run pulledpork, this is what happens:
> 
> Prepping rules from snortrules-snapshot-2975.tar.gz for work....
>          extracting contents of /tmp/snortrules-snapshot-2975.tar.gz...
>          Ignoring plaintext rules: deleted.rules
>          Extracted: /tha_rules/VRT-indicator-compromise.rules
>          Extracted: /tha_rules/VRT-file-executable.rules
>   ...
>          Extracted: /tha_rules/VRT-server-iis.rules
>          Reading rules...
>          Reading rules...
> Cleanup....
>          removed 170 temporary snort files or directories from 
> /tmp/tha_rules!
> Blacklist version is unchanged, not updating!
> Setting Flowbit State....
>          Enabled 57 flowbits
>          Done
> Writing /usr/local/snort/rules/snort.rules....
>          Done
> Generating sid-msg.map....
>          Done
> Writing v1 /usr/local/snort/etc/sid-msg.map....
>          Done
> Writing /var/log/sid_changes.log....
>          Done
> Rule Stats...
>          New:-------47
>          Deleted:---16
>          Enabled Rules:----26218
>          Dropped Rules:----0
>          Disabled Rules:---21141
>          Total Rules:------47359
> No IP Blacklist Changes
> 
> Done
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> 
> I can see that in the ../snort/rules directory, the snort.rules file 
> has been updated
> BUT
> none of the smaller *.rules files like app-detect.rules, 
> attack-responses.rules and so on are.
> 
> Is this correct? I was expecting snort.rules to be broken down into 
> its many *.rules files.
> 
> If this is correct, should the snort.conf file have a:
> include $RULE_PATH/snort.rules
> rather than
> include $RULE_PATH/app-detect.rules
> include $RULE_PATH/attack-responses.rules
> ...
> 
> Thanks in advance
> 


By default pulledpork merges all the rules into one large snort.rules
file. 

James
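An added check (not part of this thread, and not pulledpork's own code) for the situation Charlie describes: once pulledpork has merged everything into snort.rules, the old per-category `include $RULE_PATH/...` lines in snort.conf point at files that are no longer written, and snort.conf needs an include for the merged file instead. The script builds a constructed snort.conf and rules directory under a temp dir and reports both problems.

```shell
#!/bin/sh
# Added example: find "include $RULE_PATH/..." entries in snort.conf whose files are
# missing from the rules dir, and check that the merged snort.rules is included.

# List the rule files snort.conf includes via $RULE_PATH, one per line.
rule_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*\$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$1"
}

# Print each included rule file that does not exist in the rules dir.
missing_includes() {
    for f in $(rule_includes "$1"); do
        [ -f "$2/$f" ] || echo "missing: $2/$f (included from $1)"
    done
}

# Print how many included rule files are absent from the rules dir.
count_missing_includes() {
    n=0
    for f in $(rule_includes "$1"); do
        [ -f "$2/$f" ] || n=$((n + 1))
    done
    echo "$n"
}

# Succeed only if snort.conf includes the merged $RULE_PATH/snort.rules.
includes_merged_rules() {
    rule_includes "$1" | grep -qx 'snort.rules'
}

# Constructed sample input (hypothetical paths): a rules dir holding only the
# merged file pulledpork wrote, and a snort.conf still listing per-category files.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/rules"
: > "$DEMO_DIR/rules/snort.rules"
cat > "$DEMO_DIR/snort.conf" <<'EOF'
var RULE_PATH /usr/local/snort/rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF

missing_includes "$DEMO_DIR/snort.conf" "$DEMO_DIR/rules"
includes_merged_rules "$DEMO_DIR/snort.conf" \
    || echo "note: $DEMO_DIR/snort.conf does not include \$RULE_PATH/snort.rules"
```

Run it against the real snort.conf and rules directory by calling the two functions with those paths; the constructed demo at the bottom only shows the output shape.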