Snort mailing list archives

Re: Duplicate downloaded rules

From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 20 Oct 2010 08:06:55 -0600

Thank you Matthew (and others that suggested open-nogpl).  This
morning's report was nice:

 

Loading /usr/local/etc/snort/oinkmaster.conf

Downloading file from
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsh
ot-2900.tar.gz... done.

Archive successfully downloaded, unpacking... done.

Downloading file from
http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.t
ar.gz... done.

Archive successfully downloaded, unpacking... done.

Setting up rules structures... done.

Processing downloaded rules... disabled 8, enabled 0, modified 0,
total=21533

Setting up rules structures... done.

Comparing new files to the old ones... done.

Updating local rules files... done.

 

And thanks for shedding light on how this whole business works...really
helps.

 

James

 

From: Matthew Jonkman [mailto:jonkman () emergingthreatspro com] 
Sent: Wednesday, October 20, 2010 3:02 AM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

 

Answers inline, good questions!

 

 

        Snort VRT support 2.8.6.1 and 2.9.0

        ET support 2.4-2.8.6

 

We will have 2.9.0 out this week as well. So we're 2.4 through 2.9.





 

Is it just me or does this not make sense?  Why are ET rules even
bothering with unsupported versions of Snort, and not putting out rules
that are in line with supported versions of Snort?

 

Unsupported doesn't really apply. There are thousands of old snorts out
ther,e on embedded hardware, on old sensors, doing task specific jobs
that have no need to upgrade or haven't the memory/cpu to upgrade. And
they're doing just fine. Sourcefire's decision to only support very
recent snorts we think is counterproductive, and we have a LOT of folks
using older versions of our rules. So we'll continue to put them out as
long as people need them. 

 

(It's really not that hard to support an older ruleset...)





  I have to be honest...from a home and business user, going from what
used to be a relatively easy rule management system, to what it is now
has been extremely time consuming and frustrating.  And, coming from
someone who has little knowledge of how the ET and VRT rulesets are
developed/maintained, I have to think that duplicate SID's seems to be
counterproductive.  I'll keep plodding along...thank you.

 

We have the complete ruleset (old gpl rules and community in one
tarball) so that we can support the old rules. If we weren't
distributing them they'd not be available anywhere for older versions.
if you can't follow or keep up with the sourcefire rapid-fire release
and unsupport system you'd be screwed. That's why we distribute them
all.

 

We have an open-nogpl ruleset though if you'd like to use the ET open
and the VRT rules. You won't get duplication there. 

 

Matt





 

James 

 

From: Weir, Jason [mailto:jason.weir () nhrs org] 
Sent: Tuesday, October 19, 2010 9:20 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

 

looks good - let me know if you have any problems..

 

FYI - this might change if ET & VRT come up with a better solution..

 

-J

        -----Original Message-----
        From: Lay, James [mailto:james.lay () wincofoods com] 
        Sent: Tuesday, October 19, 2010 11:11 AM
        To: snort-users () lists sourceforge net
        Subject: Re: [Snort-users] Duplicate downloaded rules

        ....so let me understand this.  My current setup is:

         

        /usr/local/bin/oinkmaster.pl -C
/usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules

        /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules >
/usr/local/etc/snort/sid-msg.map

         

        I need to:

        Create separate directories for the two rulesets

        Change the above to reflect:

         

                /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf
-o /etc/snort/rules/vrt

                /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf
-o /etc/snort/rules/et

         

                cp /etc/snort/rules/vrt/*.* /etc/snort/rules

                cp /etc/snort/rules/et/*.* /etc/snort/rules

        Create two new oinkmaster conf files, the vrt.conf containing
what's in the attachment in the original post of the 410 rules.

        Modify create-sidmap.pl line 101 to reflect:

         

                next if ($single =~ /^\#/);

         

        Have I missed anything?  Thanks Jason

         

         

        From: Weir, Jason [mailto:jason.weir () nhrs org] 
        Sent: Tuesday, October 19, 2010 8:19 AM
        To: snort-users () lists sourceforge net
        Subject: Re: [Snort-users] Duplicate downloaded rules

         

        ET and VRT are publishing duplicate rules.

         

        Read the "The New Rulesets are Ready!!" thread here

         

        
http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/th
read.html

         

        Not sure if you use Oinkmaster but I posted a solution in that
thread.

         

        -J

                -----Original Message-----
                From: Lay, James [mailto:james.lay () wincofoods com] 
                Sent: Tuesday, October 19, 2010 10:05 AM
                To: snort-users () lists sourceforge net
                Subject: [Snort-users] Duplicate downloaded rules

                I sent this to snort-sigs a few days ago, but it got
moderated into oblivion.  Here's a pruned down one in hopes it will make
it:

                 

                I am seeing the below with grabbing these rulesets:

                 

                Downloading file from
http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapsh
ot-2900.tar.gz

                Downloading file from
http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

                 

                WARNING: duplicate SID in downloaded archive, SID=498,
only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=494,
only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=495,
only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=497,
only keeping rule with highest 'rev'

                <snip> many more of these

                WARNING: duplicate SID in downloaded archive, SID=1666,
only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=1988,
only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=1989,
only keeping rule with highest 'rev'

                 

                A grand total of 409 dup messages are seen even as of
this morning.  Maybe this one will make it through...

                 

                James

________________________________________________________________________
_____________________
 
Please visit www.nhrs.org to subscribe to NHRS email announcements and
updates.

------------------------------------------------------------------------
------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly 
Flex(R) Builder(TM)) enable the development of rich applications that
run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev_______________________________________
________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

 


----------------------------------------------------
Matthew Jonkman

Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc

------------------------------------------------------------------------------
Download new Adobe(R) Flash(R) Builder(TM) 4
The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly 
Flex(R) Builder(TM)) enable the development of rich applications that run
across multiple browsers and platforms. Download your free trials today!
http://p.sf.net/sfu/adobe-dev2dev

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Duplicate downloaded rules Lay, James (Oct 19)
- Re: Duplicate downloaded rules Jason Brvenik (Oct 19)
- Re: Duplicate downloaded rules Weir, Jason (Oct 19)
  - Re: Duplicate downloaded rules Lay, James (Oct 19)
    - Re: Duplicate downloaded rules Weir, Jason (Oct 19)
    - Re: Duplicate downloaded rules Lay, James (Oct 19)
    - Re: Duplicate downloaded rules Weir, Jason (Oct 19)
    - Message not available
    - Re: Duplicate downloaded rules Lay, James (Oct 20)