Snort mailing list archives
Re: Pulledpork duplicate rules
From: <wkitty42 () windstream net>
Date: Mon, 14 Oct 2013 23:20:52 -0400
On Monday, October 14, 2013 4:12 PM, Stark, Vernon L. <Vernon.Stark () jhuapl edu> wrote:
I'm also getting duplicate rules with PP version 0.7.0. I didn't have this issue with PP version 0.6.1. I keep the separate rules files and use:

    ./pulledpork.pl -c pulledpork.conf -K /etc/snort/rules/ -E

An example duplicate SID is 24291 (a VRT rule in VRT-server-webapp.rules). The duplication also compounds. Every time I run PP, I get more duplicates of the same rules. After my latest PP run, I have 4 copies of the same rule:

    # grep "sid:24291" *.rules | wc -l
    4

FWIW: you should modify that regex to avoid finding sids 24291xxxx where x is any number of trailing digits... personally, i use the following grep in a shell script so replace the $1 with your desired sid... you really should have the trailing semicolon ";" to terminate the SID string you are searching for...

    grep -E "sid:\W*$1;"

of course neither of these will catch SID or SiD or Sid or similar that have a capital letter in the string "sid" ;)
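
The exact-SID matching discussed in this message, as an added example that is not part of the original thread or of PulledPork: it goes beyond the single-SID grep by ignoring the capitalization of "sid" and by listing every SID that occurs more than once across the `*.rules` files. The function names, the script name in the usage comment and the sample rules are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread. Function names and the
# sample rules are constructed for illustration.

# Regex prefix: "sid" must not be the tail of a longer option name.
SID_OPT='(^|[^[:alnum:]_])sid:[[:space:]]*'

# count_sid SID DIR: count rule lines in DIR/*.rules whose sid is exactly SID.
# -i accepts SID/Sid/sid; the trailing ';' stops 24291 matching 242910.
count_sid() {
    case $1 in ''|*[!0-9]*) echo "SID must be numeric" >&2; return 2 ;; esac
    cat "$2"/*.rules 2>/dev/null |
        grep -E -i -c "${SID_OPT}$1[[:space:]]*;" || true
}

# dup_sids DIR: print "SID COUNT" for every SID present more than once.
dup_sids() {
    cat "$1"/*.rules 2>/dev/null |
        grep -E -i -o "${SID_OPT}[0-9]+[[:space:]]*;" |
        tr -cd '0-9\n' |
        sort -n | uniq -c |
        awk '$1 > 1 { print $2, $1 }'
}

# write_sample_rules DIR: constructed rule files for trying the functions.
write_sample_rules() {
    cat > "$1/a.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed A"; sid:24291; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; sid:242910; rev:1;)
EOF
    cat > "$1/b.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed A"; SID: 24291; rev:2;)
alert tcp any any -> any 80 (msg:"constructed C"; sid:1000001; rev:1;)
EOF
}

# Usage: sh dupsids.sh /etc/snort/rules
if [ "$#" -gt 0 ]; then dup_sids "$1"; fi
```

Both functions count commented-out (disabled) rule lines as well, the same as the plain grep in the quoted message.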