[Snort-users] Pulledpork missing VRT rules

xinland66 at ...11827...
Fri Sep 11 21:54:07 EDT 2015


Hi,
When I ran pulledpork with the -k option, I noticed that many VRT rules were missing compared to the downloaded tarball: 69 out of about 120 rules.
Please advise.

Below is what I got from pulledpork.
> 
> # ls -l rules
> -rw-r--r-- 1 root root   55257 Sep 11 21:40 rules/VRT-app-detect.rules
> -rw-r--r-- 1 root root 1121333 Sep 11 21:40 rules/VRT-blacklist.rules
> -rw-r--r-- 1 root root   16024 Sep 11 21:40 rules/VRT-browser-chrome.rules
> -rw-r--r-- 1 root root   95146 Sep 11 21:40 rules/VRT-browser-firefox.rules
> -rw-r--r-- 1 root root  828124 Sep 11 21:40 rules/VRT-browser-ie.rules
> -rw-r--r-- 1 root root   16272 Sep 11 21:40 rules/VRT-browser-other.rules
> -rw-r--r-- 1 root root 1354654 Sep 11 21:40 rules/VRT-browser-plugins.rules
> -rw-r--r-- 1 root root   34306 Sep 11 21:40 rules/VRT-browser-webkit.rules
> -rw-r--r-- 1 root root    7089 Sep 11 21:40 rules/VRT-content-replace.rules
> -rw-r--r-- 1 root root   20189 Sep 11 21:40 rules/VRT-decoder.rules
> -rw-r--r-- 1 root root  331442 Sep 11 21:40 rules/VRT-exploit-kit.rules
> -rw-r--r-- 1 root root   30151 Sep 11 21:40 rules/VRT-file-executable.rules
> -rw-r--r-- 1 root root  560740 Sep 11 21:40 rules/VRT-file-flash.rules
> -rw-r--r-- 1 root root  434117 Sep 11 21:40 rules/VRT-file-identify.rules
> -rw-r--r-- 1 root root   99884 Sep 11 21:40 rules/VRT-file-image.rules
> -rw-r--r-- 1 root root  105022 Sep 11 21:40 rules/VRT-file-java.rules
> -rw-r--r-- 1 root root  158159 Sep 11 21:40 rules/VRT-file-multimedia.rules
> -rw-r--r-- 1 root root  500635 Sep 11 21:40 rules/VRT-file-office.rules
> -rw-r--r-- 1 root root  387176 Sep 11 21:40 rules/VRT-file-other.rules
> -rw-r--r-- 1 root root  316067 Sep 11 21:40 rules/VRT-file-pdf.rules
> -rw-r--r-- 1 root root   95366 Sep 11 21:40 rules/VRT-indicator-compromise.rules
> -rw-r--r-- 1 root root   56770 Sep 11 21:40 rules/VRT-indicator-obfuscation.rules
> -rw-r--r-- 1 root root    9341 Sep 11 21:40 rules/VRT-indicator-scan.rules
> -rw-r--r-- 1 root root   88907 Sep 11 21:40 rules/VRT-indicator-shellcode.rules
> -rw-r--r-- 1 root root  288729 Sep 11 21:40 rules/VRT-malware-backdoor.rules
> -rw-r--r-- 1 root root 1519406 Sep 11 21:40 rules/VRT-malware-cnc.rules
> -rw-r--r-- 1 root root  287455 Sep 11 21:40 rules/VRT-malware-other.rules
> -rw-r--r-- 1 root root   58827 Sep 11 21:40 rules/VRT-malware-tools.rules
> -rw-r--r-- 1 root root  130212 Sep 11 21:40 rules/VRT-netbios.rules
> -rw-r--r-- 1 root root    8550 Sep 11 21:40 rules/VRT-os-linux.rules
> -rw-r--r-- 1 root root   51658 Sep 11 21:40 rules/VRT-os-mobile.rules
> -rw-r--r-- 1 root root   16695 Sep 11 21:40 rules/VRT-os-other.rules
> -rw-r--r-- 1 root root    3757 Sep 11 21:40 rules/VRT-os-solaris.rules
> -rw-r--r-- 1 root root  413157 Sep 11 21:40 rules/VRT-os-windows.rules
> -rw-r--r-- 1 root root    2129 Sep 11 21:40 rules/VRT-policy-multimedia.rules
> -rw-r--r-- 1 root root   47030 Sep 11 21:40 rules/VRT-policy-other.rules
> -rw-r--r-- 1 root root   24937 Sep 11 21:40 rules/VRT-policy-social.rules
> -rw-r--r-- 1 root root   64486 Sep 11 21:40 rules/VRT-policy-spam.rules
> -rw-r--r-- 1 root root   42858 Sep 11 21:40 rules/VRT-preprocessor.rules
> -rw-r--r-- 1 root root   15577 Sep 11 21:40 rules/VRT-protocol-dns.rules
> -rw-r--r-- 1 root root    3551 Sep 11 21:40 rules/VRT-protocol-finger.rules
> -rw-r--r-- 1 root root   38795 Sep 11 21:40 rules/VRT-protocol-ftp.rules
> -rw-r--r-- 1 root root   33541 Sep 11 21:40 rules/VRT-protocol-icmp.rules
> -rw-r--r-- 1 root root   19809 Sep 11 21:40 rules/VRT-protocol-imap.rules
> -rw-r--r-- 1 root root    4633 Sep 11 21:40 rules/VRT-protocol-nntp.rules
> -rw-r--r-- 1 root root    8209 Sep 11 21:40 rules/VRT-protocol-pop.rules
> -rw-r--r-- 1 root root   94762 Sep 11 21:40 rules/VRT-protocol-rpc.rules
> -rw-r--r-- 1 root root   96899 Sep 11 21:40 rules/VRT-protocol-scada.rules
> -rw-r--r-- 1 root root    5381 Sep 11 21:40 rules/VRT-protocol-services.rules
> -rw-r--r-- 1 root root   14120 Sep 11 21:40 rules/VRT-protocol-snmp.rules
> -rw-r--r-- 1 root root   10746 Sep 11 21:40 rules/VRT-protocol-telnet.rules
> -rw-r--r-- 1 root root    7035 Sep 11 21:40 rules/VRT-protocol-tftp.rules
> -rw-r--r-- 1 root root   96851 Sep 11 21:40 rules/VRT-protocol-voip.rules
> -rw-r--r-- 1 root root  358411 Sep 11 21:40 rules/VRT-pua-adware.rules
> -rw-r--r-- 1 root root    9310 Sep 11 21:40 rules/VRT-pua-other.rules
> -rw-r--r-- 1 root root    7135 Sep 11 21:40 rules/VRT-pua-p2p.rules
> -rw-r--r-- 1 root root   90999 Sep 11 21:40 rules/VRT-pua-toolbars.rules
> -rw-r--r-- 1 root root    1405 Sep 11 21:40 rules/VRT-sensitive-data.rules
> -rw-r--r-- 1 root root   44364 Sep 11 21:40 rules/VRT-server-apache.rules
> -rw-r--r-- 1 root root   76723 Sep 11 21:40 rules/VRT-server-iis.rules
> -rw-r--r-- 1 root root   66046 Sep 11 21:40 rules/VRT-server-mail.rules
> -rw-r--r-- 1 root root   29186 Sep 11 21:40 rules/VRT-server-mssql.rules
> -rw-r--r-- 1 root root   28865 Sep 11 21:40 rules/VRT-server-mysql.rules
> -rw-r--r-- 1 root root  234727 Sep 11 21:40 rules/VRT-server-oracle.rules
> -rw-r--r-- 1 root root  542148 Sep 11 21:40 rules/VRT-server-other.rules
> -rw-r--r-- 1 root root   14153 Sep 11 21:40 rules/VRT-server-samba.rules
> -rw-r--r-- 1 root root  840655 Sep 11 21:40 rules/VRT-server-webapp.rules
> -rw-r--r-- 1 root root   33116 Sep 11 21:40 rules/VRT-sql.rules
> -rw-r--r-- 1 root root    1007 Sep 11 21:40 rules/VRT-x11.rules
> 
Below is what is in the downloaded tar ball.
> -rw-r--r-- 1 1210 1210   56210 Sep 10 13:39 app-detect.rules
> -rw-r--r-- 1 1210 1210    1061 May  6  2013 attack-responses.rules
> -rw-r--r-- 1 1210 1210    1037 May  6  2013 backdoor.rules
> -rw-r--r-- 1 1210 1210    1046 May  6  2013 bad-traffic.rules
> -rw-r--r-- 1 1210 1210 1122284 Sep 10 13:39 blacklist.rules
> -rw-r--r-- 1 1210 1210    1043 May  6  2013 botnet-cnc.rules
> -rw-r--r-- 1 1210 1210   16985 Sep 10 13:39 browser-chrome.rules
> -rw-r--r-- 1 1210 1210   96109 Sep 10 13:39 browser-firefox.rules
> -rw-r--r-- 1 1210 1210  829077 Sep 10 13:39 browser-ie.rules
> -rw-r--r-- 1 1210 1210   17231 Sep 10 13:39 browser-other.rules
> -rw-r--r-- 1 1210 1210 1355617 Sep 10 13:39 browser-plugins.rules
> -rw-r--r-- 1 1210 1210   35267 Sep 10 13:39 browser-webkit.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 chat.rules
> -rw-r--r-- 1 1210 1210    8052 Sep 10 13:39 content-replace.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 ddos.rules
> -rw-r--r-- 1 1210 1210 6646740 Sep 10 13:39 deleted.rules
> -rw-r--r-- 1 1210 1210    1022 Jun 19  2013 dns.rules
> -rw-r--r-- 1 1210 1210    1022 Feb  9  2015 dos.rules
> -rw-r--r-- 1 1210 1210    1049 May  6  2013 experimental.rules
> -rw-r--r-- 1 1210 1210  332415 Sep 10 13:39 exploit-kit.rules
> -rw-r--r-- 1 1210 1210    1034 May  6  2013 exploit.rules
> -rw-r--r-- 1 1210 1210   31114 Sep 10 13:39 file-executable.rules
> -rw-r--r-- 1 1210 1210  561693 Sep 10 13:39 file-flash.rules
> -rw-r--r-- 1 1210 1210  435088 Sep 10 13:39 file-identify.rules
> -rw-r--r-- 1 1210 1210  100837 Sep 10 13:39 file-image.rules
> -rw-r--r-- 1 1210 1210  105973 Sep 10 13:39 file-java.rules
> -rw-r--r-- 1 1210 1210  159122 Sep 10 13:39 file-multimedia.rules
> -rw-r--r-- 1 1210 1210  501590 Sep 10 13:39 file-office.rules
> -rw-r--r-- 1 1210 1210  388129 Sep 10 13:39 file-other.rules
> -rw-r--r-- 1 1210 1210  317016 Sep 10 13:39 file-pdf.rules
> -rw-r--r-- 1 1210 1210    1031 May  6  2013 finger.rules
> -rw-r--r-- 1 1210 1210    1022 May  6  2013 ftp.rules
> -rw-r--r-- 1 1210 1210    1040 May  6  2013 icmp-info.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 icmp.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 imap.rules
> -rw-r--r-- 1 1210 1210   96339 Sep 10 13:39 indicator-compromise.rules
> -rw-r--r-- 1 1210 1210   57745 Sep 10 13:39 indicator-obfuscation.rules
> -rw-r--r-- 1 1210 1210   10302 Sep 10 13:39 indicator-scan.rules
> -rw-r--r-- 1 1210 1210   89878 Sep 10 13:39 indicator-shellcode.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 info.rules
> -rw-r--r-- 1 1210 1210    1028 May  6  2013 local.rules
> -rw-r--r-- 1 1210 1210  289694 Sep 10 13:39 malware-backdoor.rules
> -rw-r--r-- 1 1210 1210 1520361 Sep 10 13:39 malware-cnc.rules
> -rw-r--r-- 1 1210 1210  288414 Sep 10 13:39 malware-other.rules
> -rw-r--r-- 1 1210 1210   59786 Sep 10 13:39 malware-tools.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 misc.rules
> -rw-r--r-- 1 1210 1210    1043 May  6  2013 multimedia.rules
> -rw-r--r-- 1 1210 1210    1028 May  6  2013 mysql.rules
> -rw-r--r-- 1 1210 1210  131163 Sep 10 13:39 netbios.rules
> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 nntp.rules
> -rw-r--r-- 1 1210 1210    1031 May  6  2013 oracle.rules
> -rw-r--r-- 1 1210 1210    9499 Sep 10 13:39 os-linux.rules
> -rw-r--r-- 1 1210 1210   52609 Sep 10 13:39 os-mobile.rules
> -rw-r--r-- 1 1210 1210   17644 Sep 10 13:39 os-other.rules
> -rw-r--r-- 1 1210 1210    4710 Sep 10 13:39 os-solaris.rules
> -rw-r--r-- 1 1210 1210  414112 Sep 10 13:39 os-windows.rules
> -rw-r--r-- 1 1210 1210    1040 May  6  2013 other-ids.rules
> -rw-r--r-- 1 1210 1210    1022 May  6  2013 p2p.rules
> -rw-r--r-- 1 1210 1210    1052 May  6  2013 phishing-spam.rules
> -rw-r--r-- 1 1210 1210    3096 Sep 10 13:39 policy-multimedia.rules
> -rw-r--r-- 1 1210 1210   47987 Sep 10 13:39 policy-other.rules
> -rw-r--r-- 1 1210 1210    1031 May  6  2013 policy.rules
> -rw-r--r-- 1 1210 1210   25896 Sep 10 13:39 policy-social.rules
> -rw-r--r-- 1 1210 1210   65441 Sep 10 13:39 policy-spam.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 pop2.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 pop3.rules
> -rw-r--r-- 1 1210 1210   16534 Sep 10 13:39 protocol-dns.rules
> -rw-r--r-- 1 1210 1210    4514 Sep 10 13:39 protocol-finger.rules
> -rw-r--r-- 1 1210 1210   39752 Sep 10 13:39 protocol-ftp.rules
> -rw-r--r-- 1 1210 1210   34500 Sep 10 13:39 protocol-icmp.rules
> -rw-r--r-- 1 1210 1210   20768 Sep 10 13:39 protocol-imap.rules
> -rw-r--r-- 1 1210 1210    5592 Sep 10 13:39 protocol-nntp.rules
> -rw-r--r-- 1 1210 1210       0 Aug 25  2014 protocol-other.rules
> -rw-r--r-- 1 1210 1210    9166 Sep 10 13:39 protocol-pop.rules
> -rw-r--r-- 1 1210 1210   95719 Sep 10 13:39 protocol-rpc.rules
> -rw-r--r-- 1 1210 1210   97860 Sep 10 13:39 protocol-scada.rules
> -rw-r--r-- 1 1210 1210    6348 Sep 10 13:39 protocol-services.rules
> -rw-r--r-- 1 1210 1210   15079 Sep 10 13:39 protocol-snmp.rules
> -rw-r--r-- 1 1210 1210   11713 Sep 10 13:39 protocol-telnet.rules
> -rw-r--r-- 1 1210 1210    7994 Sep 10 13:39 protocol-tftp.rules
> -rw-r--r-- 1 1210 1210   97810 Sep 10 13:39 protocol-voip.rules
> -rw-r--r-- 1 1210 1210  359364 Sep 10 13:39 pua-adware.rules
> -rw-r--r-- 1 1210 1210   10261 Sep 10 13:39 pua-other.rules
> -rw-r--r-- 1 1210 1210    8082 Sep 10 13:39 pua-p2p.rules
> -rw-r--r-- 1 1210 1210   91956 Sep 10 13:39 pua-toolbars.rules
> -rw-r--r-- 1 1210 1210    1022 Jun 19  2013 rpc.rules
> -rw-r--r-- 1 1210 1210    1040 May  6  2013 rservices.rules
> -rw-r--r-- 1 1210 1210    1028 Feb  9  2015 scada.rules
> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 scan.rules
> -rw-r--r-- 1 1210 1210   45323 Sep 10 13:39 server-apache.rules
> -rw-r--r-- 1 1210 1210   77676 Sep 10 13:39 server-iis.rules
> -rw-r--r-- 1 1210 1210   67001 Sep 10 13:39 server-mail.rules
> -rw-r--r-- 1 1210 1210   30143 Sep 10 13:39 server-mssql.rules
> -rw-r--r-- 1 1210 1210   29822 Sep 10 13:39 server-mysql.rules
> -rw-r--r-- 1 1210 1210  235686 Sep 10 13:39 server-oracle.rules
> -rw-r--r-- 1 1210 1210  543107 Sep 10 13:39 server-other.rules
> -rw-r--r-- 1 1210 1210   15110 Sep 10 13:39 server-samba.rules
> -rw-r--r-- 1 1210 1210  841614 Sep 10 13:39 server-webapp.rules
> -rw-r--r-- 1 1210 1210    1040 May  6  2013 shellcode.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 smtp.rules
> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 snmp.rules
> -rw-r--r-- 1 1210 1210    1061 May  6  2013 specific-threats.rules
> -rw-r--r-- 1 1210 1210    1046 May  6  2013 spyware-put.rules
> -rw-r--r-- 1 1210 1210   34055 Sep 10 13:39 sql.rules
> -rw-r--r-- 1 1210 1210    1031 Jun 19  2013 telnet.rules
> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 tftp.rules
> -rw-r--r-- 1 1210 1210    1028 May  6  2013 virus.rules
> -rw-r--r-- 1 1210 1210    1025 May  6  2013 voip.rules
> -rw-r--r-- 1 1210 1210   21083 Sep 10 13:36 VRT-License.txt
> -rw-r--r-- 1 1210 1210    1046 May  6  2013 web-activex.rules
> -rw-r--r-- 1 1210 1210    1046 May  6  2013 web-attacks.rules
> -rw-r--r-- 1 1210 1210    1034 May  6  2013 web-cgi.rules
> -rw-r--r-- 1 1210 1210    1043 May  6  2013 web-client.rules
> -rw-r--r-- 1 1210 1210    1055 May  6  2013 web-coldfusion.rules
> -rw-r--r-- 1 1210 1210    1052 May  6  2013 web-frontpage.rules
> -rw-r--r-- 1 1210 1210    1034 May  6  2013 web-iis.rules
> -rw-r--r-- 1 1210 1210    1037 May  6  2013 web-misc.rules
> -rw-r--r-- 1 1210 1210    1034 May  6  2013 web-php.rules
> -rw-r--r-- 1 1210 1210    1946 Sep 10 13:39 x11.rules
> 
> 
> 

Thanks,
KL
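
An added example, not part of the original post and not pulledpork code: a small Python comparison of the two `ls -l` listings that reports which tarball rule files have no `VRT-` counterpart in the output directory, together with their tarball sizes. The embedded listings are short excerpts of the ones in the post, and the function names are hypothetical.

```python
"""Added example: compare a rules tarball listing with pulledpork -k output."""

# Excerpts of the two `ls -l` listings from the post (a few lines each).
TARBALL_LS = """\
-rw-r--r-- 1 1210 1210   56210 Sep 10 13:39 app-detect.rules
-rw-r--r-- 1 1210 1210    1061 May  6  2013 attack-responses.rules
-rw-r--r-- 1 1210 1210 6646740 Sep 10 13:39 deleted.rules
-rw-r--r-- 1 1210 1210    1028 May  6  2013 local.rules
-rw-r--r-- 1 1210 1210       0 Aug 25  2014 protocol-other.rules
-rw-r--r-- 1 1210 1210   34055 Sep 10 13:39 sql.rules
-rw-r--r-- 1 1210 1210   21083 Sep 10 13:36 VRT-License.txt
"""
PULLEDPORK_LS = """\
-rw-r--r-- 1 root root   55257 Sep 11 21:40 rules/VRT-app-detect.rules
-rw-r--r-- 1 root root   33116 Sep 11 21:40 rules/VRT-sql.rules
"""


def parse_ls(text, prefix=""):
    """Map rule-file name -> size in bytes from `ls -l` output."""
    sizes = {}
    for line in text.splitlines():
        # Tolerate mail-quoted lines that start with "> ".
        fields = line.lstrip("> ").split()
        # perms, links, owner, group, size, month, day, time/year, name
        if len(fields) < 9 or not fields[4].isdigit():
            continue
        name = fields[8].rsplit("/", 1)[-1]  # drop a leading "rules/"
        if not name.endswith(".rules"):
            continue  # skips VRT-License.txt and similar
        if prefix and name.startswith(prefix):
            name = name[len(prefix):]  # VRT-sql.rules -> sql.rules
        sizes[name] = int(fields[4])
    return sizes


def missing_rule_files(tarball_ls, output_ls, prefix="VRT-"):
    """Return (name, tarball_size) for tarball files with no output file."""
    source = parse_ls(tarball_ls)
    written = parse_ls(output_ls, prefix)
    return sorted((n, s) for n, s in source.items() if n not in written)


if __name__ == "__main__":
    for name, size in missing_rule_files(TARBALL_LS, PULLEDPORK_LS):
        print(f"{size:>9}  {name}")
```

Pasting the full listings into the two strings gives the complete list of rule files that were in the tarball but not written to the rules directory.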