<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
  <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
  <META NAME="GENERATOR" CONTENT="GtkHTML/4.6.6">
</HEAD>
<BODY>
On Sat, 2015-08-08 at 10:29 +0100, Charlie wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
Hi

When I run pulledpork, this is what happens:

Prepping rules from snortrules-snapshot-2975.tar.gz for work....
         extracting contents of /tmp/snortrules-snapshot-2975.tar.gz...
         Ignoring plaintext rules: deleted.rules
         Extracted: /tha_rules/VRT-indicator-compromise.rules
         Extracted: /tha_rules/VRT-file-executable.rules
  ...
         Extracted: /tha_rules/VRT-server-iis.rules
         Reading rules...
         Reading rules...
Cleanup....
         removed 170 temporary snort files or directories from 
/tmp/tha_rules!
Blacklist version is unchanged, not updating!
Setting Flowbit State....
         Enabled 57 flowbits
         Done
Writing /usr/local/snort/rules/snort.rules....
         Done
Generating sid-msg.map....
         Done
Writing v1 /usr/local/snort/etc/sid-msg.map....
         Done
Writing /var/log/sid_changes.log....
         Done
Rule Stats...
         New:-------47
         Deleted:---16
         Enabled Rules:----26218
         Dropped Rules:----0
         Disabled Rules:---21141
         Total Rules:------47359
No IP Blacklist Changes

Done
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

I can see that in the ../snort/rules directory, the snort.rules file 
has been updated
BUT
none of the smaller *.rules files like app-detect.rules, 
attack-responses.rules and so on are.

Is this correct, as I was expecting the snort.rules to be broken down into 
its many *.rules files?

If this is correct, should the snort.conf file have a:
include $RULE_PATH/snort.rules
rather than
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
...

Thanks in advance



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
<A HREF="mailto:Snort-users@lists.sourceforge.net">Snort-users@lists.sourceforge.net</A>
Go to this URL to change user options or unsubscribe:
<A HREF="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</A>
Snort-users list archive:
<A HREF="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</A>

Please visit <A HREF="http://blog.snort.org">http://blog.snort.org</A> to stay current on all the latest Snort news!
</PRE>
</BLOCKQUOTE>
<BR>
By default pulledpork merges all the rules into one large snort.rules file. <BR>
<BR>
James
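<BR>
An added check (example code, not from either poster or from the pulledpork project) for the situation in this thread: after pulledpork writes the merged snort.rules, it lists every include in snort.conf whose file is missing from the rules directory and confirms that snort.rules itself is included. The paths and file contents in the fixture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "include $RULE_PATH/..."
# lines of a snort.conf after pulledpork has merged all rules into one
# snort.rules. Paths and file contents below are constructed.

# audit_includes CONF RULE_DIR
# Reports each include whose file is absent from RULE_DIR (a stale
# per-category include) and whether the merged snort.rules is included.
# Returns 0 only when snort.rules is included and nothing is stale.
audit_includes() {
    conf=$1; rule_dir=$2
    rc=0; merged=0
    # Pull the file name out of each active (uncommented) include line.
    files=$(sed -n \
        's|^[[:space:]]*include[[:space:]][[:space:]]*[$]RULE_PATH/\([^[:space:]]*\).*|\1|p' \
        "$conf")
    for f in $files; do
        if [ "$f" = snort.rules ]; then merged=1; fi
        if [ ! -f "$rule_dir/$f" ]; then
            echo "stale include: $f is not present in $rule_dir"
            rc=1
        fi
    done
    if [ "$merged" -eq 1 ]; then
        echo "ok: merged snort.rules is included"
    else
        echo "missing: add 'include \$RULE_PATH/snort.rules'"
        rc=1
    fi
    return $rc
}

# make_fixture: constructed layout mirroring the thread. pulledpork wrote
# rules/snort.rules, but snort.conf still includes the per-category files
# that were not written. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir "$dir/rules"
    : > "$dir/rules/snort.rules"
    cat > "$dir/snort.conf" <<'EOF'
var RULE_PATH /usr/local/snort/rules
# include $RULE_PATH/deleted.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
EOF
    echo "$dir"
}

if [ "${1:-}" = demo ]; then
    d=$(make_fixture)
    audit_includes "$d/snort.conf" "$d/rules"
fi
```

Run with `demo` as the argument to see the two stale includes and the missing snort.rules include reported for the constructed configuration.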
</BODY>
</HTML>