Snort mailing list archives
pulledpork re-organizing rules?
From: "Billy Marshall" <Billy.Marshall () state co us>
Date: Tue, 10 Aug 2010 10:06:02 -0600
Hi all,

I noticed that Pulled_Pork v0.4.2 is writing the rules to two large files now, so there are only 2 rule files: snort.rules and so_rules.rules.

Doesn't this defeat the organization of the rules that snort.org has set forth? Why is a third party support application re-structuring rule sets and not conforming to snort? Have I misunderstood something? Is snort restructuring its configuration file?

With pulledpork:

I cannot exclude a rule set with the snort.conf without running pulledpork.

The files snort.rules and so_rules.rules are not in the snort.conf file. If I add them (logically) I will have duplicate rules unless I comment out the rules I want to keep that are organized. However, when I really do add the files, snort.rules and so_rules.rules, Snort does not initialize.

Furthermore, logically, when I do update with pulledpork and if I was unaware of the changes, I would never get the new rules because they are stuffed in files that are never looked at by the snort engine without adding them to the snort.conf file.

This is confusing, poses many future issues, and forces snort to be dependent on pulledpork.

If I remove all rules from the rules directory and run pulledpork, it only creates the aforementioned files and none of the others.

<excerpt from pulledpork.conf>
"# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/etc/snort/rules/snort.rules
...
s0_rule_path=/etc/snort/rules/so_rules.rules"