[Snort-users] pulledpork V0.7.0 not updating the ../rules/*.rules files

Michael Steele michaels at ...9077...
Sat Aug 8 11:22:54 EDT 2015


Pulled pork can either leave the original rule groups intact, or by default
place all the rules (categorized) into one file.

You might try looking at this tutorial; it should give you an idea of how
to set up Pulledpork on UNIX, even though it's written for Windows.

http://www.winsnort.com/tutorials/article/8-installing-automated-rule-management-using-pulledpork/

Kindest regards,
Michael...

WINSNORT.com Management Team Member
--
****************** Established ~ 2001 *******************
*          Visit Us @ http://www.winsnort.com           *
*      ~~ FREE WinIDS Snort installation guides ~~      *
*               ~~ FREE support forums ~~               *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************
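An added example, not code from the thread or from PulledPork, tying the single-file default above to the snort.conf question quoted below: a POSIX shell check that reads the `include $RULE_PATH/...` lines from a snort.conf and flags every referenced file that is missing or older than the snort.rules PulledPork just wrote. The snort.conf, rule files and paths are constructed in a temporary directory, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or PulledPork). In single-file mode
# PulledPork refreshes only snort.rules, so any other per-category include in
# snort.conf is either missing (Snort exits with a fatal error) or stale and
# silently loads old signatures. Everything below uses constructed paths.

# check_rule_includes <snort.conf> <rule_path>
# Prints one OK/MISSING/STALE line per include and a "problems: N" summary;
# returns 1 when N > 0, else 0.
check_rule_includes() {
    conf="$1"; rule_path="$2"
    master="$rule_path/snort.rules"
    problems=0
    # Pull <name> out of uncommented "include $RULE_PATH/<name>" lines only.
    for name in $(sed -n 's|^[[:space:]]*include[[:space:]]*[$]RULE_PATH/\([^[:space:]]*\).*|\1|p' "$conf"); do
        f="$rule_path/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING  $name"
            problems=$((problems + 1))
        elif [ -f "$master" ] && [ "$master" -nt "$f" ]; then
            echo "STALE    $name (older than snort.rules, so not written by this run)"
            problems=$((problems + 1))
        else
            echo "OK       $name"
        fi
    done
    echo "problems: $problems"
    [ "$problems" -eq 0 ]
}

# make_demo_tree: constructed rules directory and snort.conf mirroring the
# thread (fresh snort.rules, one old per-category file, one include whose
# file no longer exists, one commented-out include). Prints the directory.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/rules"
    echo 'alert tcp any any -> any any (msg:"constructed"; sid:1000001; rev:1;)' > "$d/rules/snort.rules"
    : > "$d/rules/attack-responses.rules"
    touch -t 201501010000 "$d/rules/attack-responses.rules"   # pre-dates snort.rules
    printf '%s\n' \
        'var RULE_PATH ./rules' \
        'include $RULE_PATH/snort.rules' \
        'include $RULE_PATH/app-detect.rules' \
        'include $RULE_PATH/attack-responses.rules' \
        '# include $RULE_PATH/deleted.rules' > "$d/snort.conf"
    echo "$d"
}
```

Run it against the constructed tree with `d=$(make_demo_tree); check_rule_includes "$d/snort.conf" "$d/rules"`, or point it at a real snort.conf and rules directory after a PulledPork run.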

-----Original Message-----
From: Charlie [mailto:ForFun2000 at ...125...] 
Sent: Saturday, August 8, 2015 5:29 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] pulledpork V0.7.0 not updating the ../rules/*.rules files

Hi

When I run pulledpork, this is what happens:

Prepping rules from snortrules-snapshot-2975.tar.gz for work....
         extracting contents of /tmp/snortrules-snapshot-2975.tar.gz...
         Ignoring plaintext rules: deleted.rules
         Extracted: /tha_rules/VRT-indicator-compromise.rules
         Extracted: /tha_rules/VRT-file-executable.rules
  ...
         Extracted: /tha_rules/VRT-server-iis.rules
         Reading rules...
         Reading rules...
Cleanup....
         removed 170 temporary snort files or directories from /tmp/tha_rules!
Blacklist version is unchanged, not updating!
Setting Flowbit State....
         Enabled 57 flowbits
         Done
Writing /usr/local/snort/rules/snort.rules....
         Done
Generating sid-msg.map....
         Done
Writing v1 /usr/local/snort/etc/sid-msg.map....
         Done
Writing /var/log/sid_changes.log....
         Done
Rule Stats...
         New:-------47
         Deleted:---16
         Enabled Rules:----26218
         Dropped Rules:----0
         Disabled Rules:---21141
         Total Rules:------47359
No IP Blacklist Changes

Done
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

I can see that in the ../snort/rules directory the snort.rules file has
been updated, BUT none of the smaller *.rules files like app-detect.rules,
attack-responses.rules and so on are.

Is this correct? I was expecting the snort.rules to be broken down into its
many *.rules files.

If this is correct, should the snort.conf file have a:
include $RULE_PATH/snort.rules
rather than
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules ...

Thanks in advance
