[Snort-users] Pulledpork missing VRT rules

xinland66 at ...11827...
Sat Sep 12 22:05:20 EDT 2015


That was the registered rule set. I just tried the subscriber rule set. I got the same result. About half of the rules were missing.

Thanks,
Qiao 

--------
Qiao Xin
Security Systems Architect|Engineering Manager
Security Operations Center (SOC)
Division of Information Security|Division of Technology|SC Department of Administration
Qiao.Xin at ...17304...
803-896-0597


> On Sep 12, 2015, at 2:38 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> 
> Are you downloading the registered or the subscriber ruleset?
> 
> 
> --
> Joel Esler
> Talos Group
> 
> 
> 
>> On Sep 11, 2015, at 9:54 PM, xinland66 at ...11827... wrote:
>> 
>> Hi,
>> When I ran pulledpork with the -k option, I noticed that many VRT rules were missing compared to the downloaded tar ball: 69 out of about 120 rules.
>> Please advise.
>> 
>> Below is what I got from the pulledpork.
>>> 
>>> # ls -l rules
>>> -rw-r--r-- 1 root root   55257 Sep 11 21:40 rules/VRT-app-detect.rules
>>> -rw-r--r-- 1 root root 1121333 Sep 11 21:40 rules/VRT-blacklist.rules
>>> -rw-r--r-- 1 root root   16024 Sep 11 21:40 rules/VRT-browser-chrome.rules
>>> -rw-r--r-- 1 root root   95146 Sep 11 21:40 rules/VRT-browser-firefox.rules
>>> -rw-r--r-- 1 root root  828124 Sep 11 21:40 rules/VRT-browser-ie.rules
>>> -rw-r--r-- 1 root root   16272 Sep 11 21:40 rules/VRT-browser-other.rules
>>> -rw-r--r-- 1 root root 1354654 Sep 11 21:40 rules/VRT-browser-plugins.rules
>>> -rw-r--r-- 1 root root   34306 Sep 11 21:40 rules/VRT-browser-webkit.rules
>>> -rw-r--r-- 1 root root    7089 Sep 11 21:40 rules/VRT-content-replace.rules
>>> -rw-r--r-- 1 root root   20189 Sep 11 21:40 rules/VRT-decoder.rules
>>> -rw-r--r-- 1 root root  331442 Sep 11 21:40 rules/VRT-exploit-kit.rules
>>> -rw-r--r-- 1 root root   30151 Sep 11 21:40 rules/VRT-file-executable.rules
>>> -rw-r--r-- 1 root root  560740 Sep 11 21:40 rules/VRT-file-flash.rules
>>> -rw-r--r-- 1 root root  434117 Sep 11 21:40 rules/VRT-file-identify.rules
>>> -rw-r--r-- 1 root root   99884 Sep 11 21:40 rules/VRT-file-image.rules
>>> -rw-r--r-- 1 root root  105022 Sep 11 21:40 rules/VRT-file-java.rules
>>> -rw-r--r-- 1 root root  158159 Sep 11 21:40 rules/VRT-file-multimedia.rules
>>> -rw-r--r-- 1 root root  500635 Sep 11 21:40 rules/VRT-file-office.rules
>>> -rw-r--r-- 1 root root  387176 Sep 11 21:40 rules/VRT-file-other.rules
>>> -rw-r--r-- 1 root root  316067 Sep 11 21:40 rules/VRT-file-pdf.rules
>>> -rw-r--r-- 1 root root   95366 Sep 11 21:40 rules/VRT-indicator-compromise.rules
>>> -rw-r--r-- 1 root root   56770 Sep 11 21:40 rules/VRT-indicator-obfuscation.rules
>>> -rw-r--r-- 1 root root    9341 Sep 11 21:40 rules/VRT-indicator-scan.rules
>>> -rw-r--r-- 1 root root   88907 Sep 11 21:40 rules/VRT-indicator-shellcode.rules
>>> -rw-r--r-- 1 root root  288729 Sep 11 21:40 rules/VRT-malware-backdoor.rules
>>> -rw-r--r-- 1 root root 1519406 Sep 11 21:40 rules/VRT-malware-cnc.rules
>>> -rw-r--r-- 1 root root  287455 Sep 11 21:40 rules/VRT-malware-other.rules
>>> -rw-r--r-- 1 root root   58827 Sep 11 21:40 rules/VRT-malware-tools.rules
>>> -rw-r--r-- 1 root root  130212 Sep 11 21:40 rules/VRT-netbios.rules
>>> -rw-r--r-- 1 root root    8550 Sep 11 21:40 rules/VRT-os-linux.rules
>>> -rw-r--r-- 1 root root   51658 Sep 11 21:40 rules/VRT-os-mobile.rules
>>> -rw-r--r-- 1 root root   16695 Sep 11 21:40 rules/VRT-os-other.rules
>>> -rw-r--r-- 1 root root    3757 Sep 11 21:40 rules/VRT-os-solaris.rules
>>> -rw-r--r-- 1 root root  413157 Sep 11 21:40 rules/VRT-os-windows.rules
>>> -rw-r--r-- 1 root root    2129 Sep 11 21:40 rules/VRT-policy-multimedia.rules
>>> -rw-r--r-- 1 root root   47030 Sep 11 21:40 rules/VRT-policy-other.rules
>>> -rw-r--r-- 1 root root   24937 Sep 11 21:40 rules/VRT-policy-social.rules
>>> -rw-r--r-- 1 root root   64486 Sep 11 21:40 rules/VRT-policy-spam.rules
>>> -rw-r--r-- 1 root root   42858 Sep 11 21:40 rules/VRT-preprocessor.rules
>>> -rw-r--r-- 1 root root   15577 Sep 11 21:40 rules/VRT-protocol-dns.rules
>>> -rw-r--r-- 1 root root    3551 Sep 11 21:40 rules/VRT-protocol-finger.rules
>>> -rw-r--r-- 1 root root   38795 Sep 11 21:40 rules/VRT-protocol-ftp.rules
>>> -rw-r--r-- 1 root root   33541 Sep 11 21:40 rules/VRT-protocol-icmp.rules
>>> -rw-r--r-- 1 root root   19809 Sep 11 21:40 rules/VRT-protocol-imap.rules
>>> -rw-r--r-- 1 root root    4633 Sep 11 21:40 rules/VRT-protocol-nntp.rules
>>> -rw-r--r-- 1 root root    8209 Sep 11 21:40 rules/VRT-protocol-pop.rules
>>> -rw-r--r-- 1 root root   94762 Sep 11 21:40 rules/VRT-protocol-rpc.rules
>>> -rw-r--r-- 1 root root   96899 Sep 11 21:40 rules/VRT-protocol-scada.rules
>>> -rw-r--r-- 1 root root    5381 Sep 11 21:40 rules/VRT-protocol-services.rules
>>> -rw-r--r-- 1 root root   14120 Sep 11 21:40 rules/VRT-protocol-snmp.rules
>>> -rw-r--r-- 1 root root   10746 Sep 11 21:40 rules/VRT-protocol-telnet.rules
>>> -rw-r--r-- 1 root root    7035 Sep 11 21:40 rules/VRT-protocol-tftp.rules
>>> -rw-r--r-- 1 root root   96851 Sep 11 21:40 rules/VRT-protocol-voip.rules
>>> -rw-r--r-- 1 root root  358411 Sep 11 21:40 rules/VRT-pua-adware.rules
>>> -rw-r--r-- 1 root root    9310 Sep 11 21:40 rules/VRT-pua-other.rules
>>> -rw-r--r-- 1 root root    7135 Sep 11 21:40 rules/VRT-pua-p2p.rules
>>> -rw-r--r-- 1 root root   90999 Sep 11 21:40 rules/VRT-pua-toolbars.rules
>>> -rw-r--r-- 1 root root    1405 Sep 11 21:40 rules/VRT-sensitive-data.rules
>>> -rw-r--r-- 1 root root   44364 Sep 11 21:40 rules/VRT-server-apache.rules
>>> -rw-r--r-- 1 root root   76723 Sep 11 21:40 rules/VRT-server-iis.rules
>>> -rw-r--r-- 1 root root   66046 Sep 11 21:40 rules/VRT-server-mail.rules
>>> -rw-r--r-- 1 root root   29186 Sep 11 21:40 rules/VRT-server-mssql.rules
>>> -rw-r--r-- 1 root root   28865 Sep 11 21:40 rules/VRT-server-mysql.rules
>>> -rw-r--r-- 1 root root  234727 Sep 11 21:40 rules/VRT-server-oracle.rules
>>> -rw-r--r-- 1 root root  542148 Sep 11 21:40 rules/VRT-server-other.rules
>>> -rw-r--r-- 1 root root   14153 Sep 11 21:40 rules/VRT-server-samba.rules
>>> -rw-r--r-- 1 root root  840655 Sep 11 21:40 rules/VRT-server-webapp.rules
>>> -rw-r--r-- 1 root root   33116 Sep 11 21:40 rules/VRT-sql.rules
>>> -rw-r--r-- 1 root root    1007 Sep 11 21:40 rules/VRT-x11.rules
>> Below is what is in the downloaded tar ball.
>>> -rw-r--r-- 1 1210 1210   56210 Sep 10 13:39 app-detect.rules
>>> -rw-r--r-- 1 1210 1210    1061 May  6  2013 attack-responses.rules
>>> -rw-r--r-- 1 1210 1210    1037 May  6  2013 backdoor.rules
>>> -rw-r--r-- 1 1210 1210    1046 May  6  2013 bad-traffic.rules
>>> -rw-r--r-- 1 1210 1210 1122284 Sep 10 13:39 blacklist.rules
>>> -rw-r--r-- 1 1210 1210    1043 May  6  2013 botnet-cnc.rules
>>> -rw-r--r-- 1 1210 1210   16985 Sep 10 13:39 browser-chrome.rules
>>> -rw-r--r-- 1 1210 1210   96109 Sep 10 13:39 browser-firefox.rules
>>> -rw-r--r-- 1 1210 1210  829077 Sep 10 13:39 browser-ie.rules
>>> -rw-r--r-- 1 1210 1210   17231 Sep 10 13:39 browser-other.rules
>>> -rw-r--r-- 1 1210 1210 1355617 Sep 10 13:39 browser-plugins.rules
>>> -rw-r--r-- 1 1210 1210   35267 Sep 10 13:39 browser-webkit.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 chat.rules
>>> -rw-r--r-- 1 1210 1210    8052 Sep 10 13:39 content-replace.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 ddos.rules
>>> -rw-r--r-- 1 1210 1210 6646740 Sep 10 13:39 deleted.rules
>>> -rw-r--r-- 1 1210 1210    1022 Jun 19  2013 dns.rules
>>> -rw-r--r-- 1 1210 1210    1022 Feb  9  2015 dos.rules
>>> -rw-r--r-- 1 1210 1210    1049 May  6  2013 experimental.rules
>>> -rw-r--r-- 1 1210 1210  332415 Sep 10 13:39 exploit-kit.rules
>>> -rw-r--r-- 1 1210 1210    1034 May  6  2013 exploit.rules
>>> -rw-r--r-- 1 1210 1210   31114 Sep 10 13:39 file-executable.rules
>>> -rw-r--r-- 1 1210 1210  561693 Sep 10 13:39 file-flash.rules
>>> -rw-r--r-- 1 1210 1210  435088 Sep 10 13:39 file-identify.rules
>>> -rw-r--r-- 1 1210 1210  100837 Sep 10 13:39 file-image.rules
>>> -rw-r--r-- 1 1210 1210  105973 Sep 10 13:39 file-java.rules
>>> -rw-r--r-- 1 1210 1210  159122 Sep 10 13:39 file-multimedia.rules
>>> -rw-r--r-- 1 1210 1210  501590 Sep 10 13:39 file-office.rules
>>> -rw-r--r-- 1 1210 1210  388129 Sep 10 13:39 file-other.rules
>>> -rw-r--r-- 1 1210 1210  317016 Sep 10 13:39 file-pdf.rules
>>> -rw-r--r-- 1 1210 1210    1031 May  6  2013 finger.rules
>>> -rw-r--r-- 1 1210 1210    1022 May  6  2013 ftp.rules
>>> -rw-r--r-- 1 1210 1210    1040 May  6  2013 icmp-info.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 icmp.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 imap.rules
>>> -rw-r--r-- 1 1210 1210   96339 Sep 10 13:39 indicator-compromise.rules
>>> -rw-r--r-- 1 1210 1210   57745 Sep 10 13:39 indicator-obfuscation.rules
>>> -rw-r--r-- 1 1210 1210   10302 Sep 10 13:39 indicator-scan.rules
>>> -rw-r--r-- 1 1210 1210   89878 Sep 10 13:39 indicator-shellcode.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 info.rules
>>> -rw-r--r-- 1 1210 1210    1028 May  6  2013 local.rules
>>> -rw-r--r-- 1 1210 1210  289694 Sep 10 13:39 malware-backdoor.rules
>>> -rw-r--r-- 1 1210 1210 1520361 Sep 10 13:39 malware-cnc.rules
>>> -rw-r--r-- 1 1210 1210  288414 Sep 10 13:39 malware-other.rules
>>> -rw-r--r-- 1 1210 1210   59786 Sep 10 13:39 malware-tools.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 misc.rules
>>> -rw-r--r-- 1 1210 1210    1043 May  6  2013 multimedia.rules
>>> -rw-r--r-- 1 1210 1210    1028 May  6  2013 mysql.rules
>>> -rw-r--r-- 1 1210 1210  131163 Sep 10 13:39 netbios.rules
>>> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 nntp.rules
>>> -rw-r--r-- 1 1210 1210    1031 May  6  2013 oracle.rules
>>> -rw-r--r-- 1 1210 1210    9499 Sep 10 13:39 os-linux.rules
>>> -rw-r--r-- 1 1210 1210   52609 Sep 10 13:39 os-mobile.rules
>>> -rw-r--r-- 1 1210 1210   17644 Sep 10 13:39 os-other.rules
>>> -rw-r--r-- 1 1210 1210    4710 Sep 10 13:39 os-solaris.rules
>>> -rw-r--r-- 1 1210 1210  414112 Sep 10 13:39 os-windows.rules
>>> -rw-r--r-- 1 1210 1210    1040 May  6  2013 other-ids.rules
>>> -rw-r--r-- 1 1210 1210    1022 May  6  2013 p2p.rules
>>> -rw-r--r-- 1 1210 1210    1052 May  6  2013 phishing-spam.rules
>>> -rw-r--r-- 1 1210 1210    3096 Sep 10 13:39 policy-multimedia.rules
>>> -rw-r--r-- 1 1210 1210   47987 Sep 10 13:39 policy-other.rules
>>> -rw-r--r-- 1 1210 1210    1031 May  6  2013 policy.rules
>>> -rw-r--r-- 1 1210 1210   25896 Sep 10 13:39 policy-social.rules
>>> -rw-r--r-- 1 1210 1210   65441 Sep 10 13:39 policy-spam.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 pop2.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 pop3.rules
>>> -rw-r--r-- 1 1210 1210   16534 Sep 10 13:39 protocol-dns.rules
>>> -rw-r--r-- 1 1210 1210    4514 Sep 10 13:39 protocol-finger.rules
>>> -rw-r--r-- 1 1210 1210   39752 Sep 10 13:39 protocol-ftp.rules
>>> -rw-r--r-- 1 1210 1210   34500 Sep 10 13:39 protocol-icmp.rules
>>> -rw-r--r-- 1 1210 1210   20768 Sep 10 13:39 protocol-imap.rules
>>> -rw-r--r-- 1 1210 1210    5592 Sep 10 13:39 protocol-nntp.rules
>>> -rw-r--r-- 1 1210 1210       0 Aug 25  2014 protocol-other.rules
>>> -rw-r--r-- 1 1210 1210    9166 Sep 10 13:39 protocol-pop.rules
>>> -rw-r--r-- 1 1210 1210   95719 Sep 10 13:39 protocol-rpc.rules
>>> -rw-r--r-- 1 1210 1210   97860 Sep 10 13:39 protocol-scada.rules
>>> -rw-r--r-- 1 1210 1210    6348 Sep 10 13:39 protocol-services.rules
>>> -rw-r--r-- 1 1210 1210   15079 Sep 10 13:39 protocol-snmp.rules
>>> -rw-r--r-- 1 1210 1210   11713 Sep 10 13:39 protocol-telnet.rules
>>> -rw-r--r-- 1 1210 1210    7994 Sep 10 13:39 protocol-tftp.rules
>>> -rw-r--r-- 1 1210 1210   97810 Sep 10 13:39 protocol-voip.rules
>>> -rw-r--r-- 1 1210 1210  359364 Sep 10 13:39 pua-adware.rules
>>> -rw-r--r-- 1 1210 1210   10261 Sep 10 13:39 pua-other.rules
>>> -rw-r--r-- 1 1210 1210    8082 Sep 10 13:39 pua-p2p.rules
>>> -rw-r--r-- 1 1210 1210   91956 Sep 10 13:39 pua-toolbars.rules
>>> -rw-r--r-- 1 1210 1210    1022 Jun 19  2013 rpc.rules
>>> -rw-r--r-- 1 1210 1210    1040 May  6  2013 rservices.rules
>>> -rw-r--r-- 1 1210 1210    1028 Feb  9  2015 scada.rules
>>> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 scan.rules
>>> -rw-r--r-- 1 1210 1210   45323 Sep 10 13:39 server-apache.rules
>>> -rw-r--r-- 1 1210 1210   77676 Sep 10 13:39 server-iis.rules
>>> -rw-r--r-- 1 1210 1210   67001 Sep 10 13:39 server-mail.rules
>>> -rw-r--r-- 1 1210 1210   30143 Sep 10 13:39 server-mssql.rules
>>> -rw-r--r-- 1 1210 1210   29822 Sep 10 13:39 server-mysql.rules
>>> -rw-r--r-- 1 1210 1210  235686 Sep 10 13:39 server-oracle.rules
>>> -rw-r--r-- 1 1210 1210  543107 Sep 10 13:39 server-other.rules
>>> -rw-r--r-- 1 1210 1210   15110 Sep 10 13:39 server-samba.rules
>>> -rw-r--r-- 1 1210 1210  841614 Sep 10 13:39 server-webapp.rules
>>> -rw-r--r-- 1 1210 1210    1040 May  6  2013 shellcode.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 smtp.rules
>>> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 snmp.rules
>>> -rw-r--r-- 1 1210 1210    1061 May  6  2013 specific-threats.rules
>>> -rw-r--r-- 1 1210 1210    1046 May  6  2013 spyware-put.rules
>>> -rw-r--r-- 1 1210 1210   34055 Sep 10 13:39 sql.rules
>>> -rw-r--r-- 1 1210 1210    1031 Jun 19  2013 telnet.rules
>>> -rw-r--r-- 1 1210 1210    1025 Jun 19  2013 tftp.rules
>>> -rw-r--r-- 1 1210 1210    1028 May  6  2013 virus.rules
>>> -rw-r--r-- 1 1210 1210    1025 May  6  2013 voip.rules
>>> -rw-r--r-- 1 1210 1210   21083 Sep 10 13:36 VRT-License.txt
>>> -rw-r--r-- 1 1210 1210    1046 May  6  2013 web-activex.rules
>>> -rw-r--r-- 1 1210 1210    1046 May  6  2013 web-attacks.rules
>>> -rw-r--r-- 1 1210 1210    1034 May  6  2013 web-cgi.rules
>>> -rw-r--r-- 1 1210 1210    1043 May  6  2013 web-client.rules
>>> -rw-r--r-- 1 1210 1210    1055 May  6  2013 web-coldfusion.rules
>>> -rw-r--r-- 1 1210 1210    1052 May  6  2013 web-frontpage.rules
>>> -rw-r--r-- 1 1210 1210    1034 May  6  2013 web-iis.rules
>>> -rw-r--r-- 1 1210 1210    1037 May  6  2013 web-misc.rules
>>> -rw-r--r-- 1 1210 1210    1034 May  6  2013 web-php.rules
>>> -rw-r--r-- 1 1210 1210    1946 Sep 10 13:39 x11.rules
>> 
>> Thanks,
>> KL
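A check that turns the two listings above into an answer, added here as an example and not part of the thread or of pulledpork itself: it counts the rule lines in each tarball file and reports which files pulledpork did not emit, separating files that hold no rule at all (category placeholders) from files that do hold rules and therefore need a closer look. The sample file contents, the sids and the single pulledpork output name are constructed to mirror the listings; whether the small, 2013-dated category files in the tarball really are placeholders is an assumption the script verifies rather than relies on.

```python
"""Compare the rule files pulledpork wrote against the files in a VRT tarball.

Added example for this thread, not pulledpork code. Assumption being tested:
the category files pulledpork did not emit are placeholders with no rules.
A line counts as a rule only if its first token is a Snort rule action;
"# alert ..." counts as a disabled rule, any other comment is ignored.
"""
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Rule actions Snort accepts at the start of a rule line.
ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def count_rules(text: str) -> Tuple[int, int]:
    """Return (enabled, disabled) rule counts for one rules file.
    Continuation lines of multi-line rules are not counted separately."""
    enabled = disabled = 0
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("#"):
            if s.lstrip("#").strip().split(" ", 1)[0] in ACTIONS:
                disabled += 1
        elif s.split(" ", 1)[0] in ACTIONS:
            enabled += 1
    return enabled, disabled


def names_from_ls(listing: str) -> Set[str]:
    """Extract basenames from `ls -l` output such as the listings in the thread."""
    names = set()
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0].startswith("-"):
            names.add(parts[-1].rsplit("/", 1)[-1])
    return names


def load_tarball_dir(path: str) -> Dict[str, str]:
    """Read every file of an unpacked tarball into {name: contents}."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).iterdir() if p.is_file()}


@dataclass
class Report:
    written: List[str] = field(default_factory=list)          # emitted by pulledpork
    skipped_stubs: List[str] = field(default_factory=list)    # not emitted, no rules inside
    skipped_with_rules: List[Tuple[str, int, int]] = field(default_factory=list)  # investigate
    never_in_tarball: List[str] = field(default_factory=list)  # output with no tarball source


def compare(tarball: Dict[str, str], output_names: Set[str], prefix: str = "VRT-") -> Report:
    """Classify each tarball rules file by whether pulledpork emitted <prefix><name>."""
    report = Report()
    expected_names = set()
    for name, text in sorted(tarball.items()):
        if not name.endswith(".rules"):
            continue  # VRT-License.txt and friends are not rule files
        expected = prefix + name
        expected_names.add(expected)
        enabled, disabled = count_rules(text)
        if expected in output_names:
            report.written.append(name)
        elif enabled + disabled == 0:
            report.skipped_stubs.append(name)
        else:
            report.skipped_with_rules.append((name, enabled, disabled))
    report.never_in_tarball = sorted(output_names - expected_names)
    return report


# Constructed sample contents modelled on the listing in the thread (not real file contents).
SAMPLE_TARBALL = {
    "app-detect.rules": (
        "# app-detect\n"
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT sample"; sid:1000001; rev:1;)\n'
        '# alert udp any any -> any 53 (msg:"APP-DETECT disabled sample"; sid:1000002; rev:1;)\n'
    ),
    "backdoor.rules": "# Placeholder: this category was retired; see malware-backdoor.rules.\n",
    "deleted.rules": '# alert tcp any any -> any any (msg:"DELETED sample"; sid:1000003; rev:1;)\n',
    "local.rules": 'alert icmp any any -> $HOME_NET any (msg:"LOCAL ping sample"; sid:1000004; rev:1;)\n',
    "VRT-License.txt": "license text\n",
}
SAMPLE_OUTPUT = {"VRT-app-detect.rules"}  # what pulledpork wrote in the constructed scenario

if __name__ == "__main__":
    r = compare(SAMPLE_TARBALL, SAMPLE_OUTPUT)
    print("written:", r.written)
    print("skipped placeholders (no rules):", r.skipped_stubs)
    print("skipped but contain rules (check pulledpork.conf / -k):", r.skipped_with_rules)
    print("output files without a tarball source:", r.never_in_tarball)
```

For a real run, replace the constructed dictionaries with `load_tarball_dir("/path/to/unpacked/tarball/rules")` and `names_from_ls(open("pulledpork-ls.txt").read())`; anything landing in `skipped_with_rules` is the list worth raising on the thread, while `skipped_stubs` is the expected outcome for category files that carry no rules.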