Snort mailing list archives
Re: Duplicate downloaded rules
From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 20 Oct 2010 08:06:55 -0600
Thank you Matthew (and others that suggested open-nogpl). This morning's report was nice:

    Loading /usr/local/etc/snort/oinkmaster.conf
    Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz... done.
    Archive successfully downloaded, unpacking... done.
    Downloading file from http://rules.emergingthreats.net/open-nogpl/snort-2.8.6/emerging.rules.tar.gz... done.
    Archive successfully downloaded, unpacking... done.
    Setting up rules structures... done.
    Processing downloaded rules... disabled 8, enabled 0, modified 0, total=21533
    Setting up rules structures... done.
    Comparing new files to the old ones... done.
    Updating local rules files... done.

And thanks for shedding light on how this whole business works... really helps.

James

From: Matthew Jonkman [mailto:jonkman () emergingthreatspro com]
Sent: Wednesday, October 20, 2010 3:02 AM
To: Lay, James
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

Answers inline, good questions!

> Snort VRT support 2.8.6.1 and 2.9.0
> ET support 2.4-2.8.6

We will have 2.9.0 out this week as well. So we're 2.4 through 2.9.

> Is it just me or does this not make sense? Why are ET rules even bothering with
> unsupported versions of Snort, and not putting out rules that are in line with
> supported versions of Snort?

Unsupported doesn't really apply. There are thousands of old snorts out there, on embedded hardware, on old sensors, doing task-specific jobs that have no need to upgrade or haven't the memory/cpu to upgrade. And they're doing just fine. Sourcefire's decision to only support very recent snorts we think is counterproductive, and we have a LOT of folks using older versions of our rules. So we'll continue to put them out as long as people need them. (It's really not that hard to support an older ruleset...)

> I have to be honest... from a home and business user, going from what used to be a
> relatively easy rule management system, to what it is now has been extremely time
> consuming and frustrating. And, coming from someone who has little knowledge of how
> the ET and VRT rulesets are developed/maintained, I have to think that duplicate
> SIDs seems to be counterproductive. I'll keep plodding along... thank you.

We have the complete ruleset (old GPL rules and community in one tarball) so that we can support the old rules. If we weren't distributing them they'd not be available anywhere for older versions. If you can't follow or keep up with the Sourcefire rapid-fire release and unsupport system you'd be screwed. That's why we distribute them all.

We have an open-nogpl ruleset though if you'd like to use the ET open and the VRT rules. You won't get duplication there.

Matt

James

From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, October 19, 2010 9:20 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

Looks good - let me know if you have any problems.

FYI - this might change if ET & VRT come up with a better solution.

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 19, 2010 11:11 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

....so let me understand this.

My current setup is:

    /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules
    /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

I need to:

- Create separate directories for the two rulesets
- Change the above to reflect:

    /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
    /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et
    cp /etc/snort/rules/vrt/*.* /etc/snort/rules
    cp /etc/snort/rules/et/*.* /etc/snort/rules

- Create two new oinkmaster conf files, the vrt.conf containing what's in the attachment in the original post of the 410 rules.
- Modify create-sidmap.pl line 101 to reflect:

    next if ($single =~ /^\#/);

Have I missed anything?

Thanks Jason

From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, October 19, 2010 8:19 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

ET and VRT are publishing duplicate rules. Read the "The New Rulesets are Ready!!" thread here:

http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

Not sure if you use Oinkmaster but I posted a solution in that thread.

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 19, 2010 10:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Duplicate downloaded rules

I sent this to snort-sigs a few days ago, but it got moderated into oblivion. Here's a pruned down one in hopes it will make it:

I am seeing the below with grabbing these rulesets:

    Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz
    Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
    WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'
    <snip> many more of these
    WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

A grand total of 409 dup messages are seen even as of this morning. Maybe this one will make it through...

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
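The duplicate-SID handling the thread is about, as an added example that is not part of the original messages and is not Oinkmaster's or create-sidmap.pl's own code: it parses two Snort rule sets, reports every SID that appears in more than one of them, keeps the copy with the highest rev (the policy the Oinkmaster warning describes), renders sid-msg.map lines while leaving out commented-out rules (what the create-sidmap.pl change quoted above does), and renders the duplicate list as oinkmaster.conf disablesid lines so one of the two configs can drop its copies. The rule text, SIDs and revs below are constructed samples, not real VRT or ET content, and the two-field "sid || msg" map form and the disablesid syntax are the ones documented for Snort and Oinkmaster; the attachment mentioned in the thread is not reproduced here.

```python
"""Find SIDs shared by two Snort rule sets, keep the highest-rev copy and
render sid-msg.map / disablesid lines. Added example for this thread; it is
not Oinkmaster code and the rule samples below are constructed."""
import re
from collections import defaultdict

# Snort rule options are 'name:value;' pairs inside the parentheses.
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

# Constructed sample rule files. SIDs 498 and 1666 are taken from the
# thread's warnings; the rule bodies are made up, not real VRT or ET rules.
VRT_RULES = """\
# example.rules from ruleset "vrt" (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE FTP rule A"; flow:to_server,established; content:"USER"; sid:498; rev:5; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE WEB rule B"; flow:to_server,established; content:"/example"; sid:1666; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE SMTP rule C"; flow:to_server,established; sid:2000001; rev:1;)
"""
ET_RULES = """\
# emerging-example.rules from ruleset "et" (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP rule A"; flow:to_server,established; content:"USER"; sid:498; rev:7; classtype:attempted-admin;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL WEB rule B"; flow:to_server,established; content:"/example"; sid:1666; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXAMPLE DNS rule D"; sid:2010000; rev:1;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"EXAMPLE disabled rule E"; sid:2010001; rev:1;)
"""


def parse_rules(text, source):
    """Return one dict per rule line. A line starting with '#' that still
    carries a sid: option is a disabled rule (that is how Oinkmaster's
    disablesid output looks); lines without sid: are ordinary comments."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        enabled = not stripped.startswith('#')
        body = stripped.lstrip('#').strip()
        sid = SID_RE.search(body)
        if not sid:
            continue  # a real comment, not a rule
        rev = REV_RE.search(body)
        msg = MSG_RE.search(body)
        rules.append({
            'sid': int(sid.group(1)),
            'rev': int(rev.group(1)) if rev else 0,  # rev is optional; 0 loses to any numbered rev
            'msg': msg.group(1) if msg else '',
            'enabled': enabled,
            'source': source,
            'rule': body,
        })
    return rules


def merge_rulesets(rulesets):
    """rulesets maps a name to its rule text, in priority order. Returns
    (kept, dup_sids): kept maps each SID to the single rule retained, the
    one with the highest rev (the first-listed ruleset wins a tie);
    dup_sids lists, sorted, every SID that was seen more than once."""
    by_sid = defaultdict(list)
    for source, text in rulesets.items():
        for rule in parse_rules(text, source):
            by_sid[rule['sid']].append(rule)
    kept = {sid: max(cands, key=lambda r: r['rev'])  # max keeps the first on ties
            for sid, cands in by_sid.items()}
    dup_sids = sorted(sid for sid, cands in by_sid.items() if len(cands) > 1)
    return kept, dup_sids


def oinkmaster_warnings(dup_sids):
    """One line per duplicate, in the wording Oinkmaster printed in the thread."""
    return ["WARNING: duplicate SID in downloaded archive, "
            f"SID={sid}, only keeping rule with highest 'rev'" for sid in dup_sids]


def sid_msg_map(kept, skip_disabled=True):
    r"""Render sid-msg.map lines ('sid || msg'). With skip_disabled=True the
    commented-out rules are left out, which is what the thread's
    create-sidmap.pl change (next if $single =~ /^\#/) does."""
    return [f"{sid} || {rule['msg']}" for sid, rule in sorted(kept.items())
            if rule['enabled'] or not skip_disabled]


def disablesid_lines(sids, per_line=10):
    """Render 'disablesid a, b, c' lines for an oinkmaster.conf, so that one
    of the two configs disables its copy of every SID the other also ships."""
    sids = sorted(sids)
    return [f"disablesid {', '.join(str(s) for s in sids[i:i + per_line])}"
            for i in range(0, len(sids), per_line)]


if __name__ == '__main__':
    kept, dups = merge_rulesets({'vrt': VRT_RULES, 'et': ET_RULES})
    print('\n'.join(oinkmaster_warnings(dups)))
    print(f"{len(dups)} duplicate SIDs, {len(kept)} rules kept")
    print('\n'.join(sid_msg_map(kept)))
    print('\n'.join(disablesid_lines(dups)))
```

Run against the two unpacked Oinkmaster output directories instead of the inline samples and the disablesid lines can be pasted into whichever of the two conf files should lose its copies; with the create-sidmap.pl change from the thread, the disabled copies then stay out of sid-msg.map as well. Note that "highest rev wins" is a heuristic: in the constructed sample the disabled ET copy of SID 1666 has the lower rev, but nothing in the policy prevents a disabled higher-rev copy from being the one kept.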
Current thread:
- Duplicate downloaded rules Lay, James (Oct 19)
- Re: Duplicate downloaded rules Jason Brvenik (Oct 19)
- Re: Duplicate downloaded rules Weir, Jason (Oct 19)
- Re: Duplicate downloaded rules Lay, James (Oct 19)
- Re: Duplicate downloaded rules Weir, Jason (Oct 19)
- Re: Duplicate downloaded rules Lay, James (Oct 19)
- Re: Duplicate downloaded rules Weir, Jason (Oct 19)
- Message not available
- Re: Duplicate downloaded rules Lay, James (Oct 20)
- Re: Duplicate downloaded rules Lay, James (Oct 19)