Snort mailing list archives
Re: Pulledpork duplicate rules
From: "Stark, Vernon L." <Vernon.Stark () jhuapl edu>
Date: Tue, 15 Oct 2013 06:14:40 -0400
That should have been:

# cat VRT-server-webapp.rules | grep "sid:24291;" | wc -l
4

Vern

-----Original Message-----
From: Stark, Vernon L.
Sent: Tuesday, October 15, 2013 6:06 AM
To: 'JJ Cummings'
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Pulledpork duplicate rules

Yes, all in VRT-server-webapp.rules.

# cat VRT-server-webapp.rules | grep "sid:24291" *.rules | wc -l
4

Vern

-----Original Message-----
From: JJ Cummings [mailto:cummingsj () gmail com]
Sent: Monday, October 14, 2013 8:06 PM
To: Stark, Vernon L.
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork duplicate rules

All in the same file?

Sent from the iRoad

On Oct 14, 2013, at 14:12, "Stark, Vernon L." <Vernon.Stark () jhuapl edu> wrote:

I'm also getting duplicate rules with PP version 0.7.0. I didn't have this issue with PP version 0.6.1. I keep the separate rules files and use:

./pulledpork.pl -c pulledpork.conf -K /etc/snort/rules/ -E

An example duplicate SID is 24291 (a VRT rule in VRT-server-webapp.rules). The duplication also compounds. Every time I run PP, I get more duplicates of the same rules. After my latest PP run, I have 4 copies of the same rule:

# grep "sid:24291" *.rules | wc -l
4

In case it's relevant, I also get several instances of the following error when I run PP:

"Use of uninitialized value in pattern match (m//) at ./pulledpork.pl line 1029."

I haven't spent much time trying to troubleshoot this, but wanted to report my observations since others were getting rule duplication.

Vern

-----Original Message-----
From: JJ Cummings [mailto:cummingsj () gmail com]
Sent: Monday, October 14, 2013 3:41 PM
To: James Lay
Cc: <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Pulledpork duplicate rules

Only if it is duplicated in multiple files

Sent from the iRoad

On Oct 14, 2013, at 13:21, James Lay <jlay () slave-tothe-box net> wrote:

On 2013-10-14 12:59, carlopmart wrote:

On 14/10/13 14:50, James Lay wrote:

Got a rule SID that's duping? I'm going to bet it's a rule that was moved from one ruleset to a different set.

Uhmm .. I doubt this .. I haven't added any rule manually. I only use emergingthreats in this sensor ...

--
CL Martinez

Can you give a SID that shows up as a duplicate?

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
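Added example, not part of the thread or of PulledPork: a shell function that generalizes the `grep ... | wc -l` check above to every SID in a rules directory and reports, per duplicated SID, how many active copies exist and in how many files (the "all in the same file?" question). It compares the complete SID number and skips commented-out rules; the rule bodies, the file names `a.rules` and `b.rules`, and SID 1000001 are constructed sample data.

```shell
#!/bin/sh
# dup_sids DIR: list SIDs that appear more than once among active rules in DIR/*.rules.
# Prints one line per duplicated SID: "<sid> <copies> <files>".
dup_sids() {
    set -- "$1"/*.rules
    [ -e "$1" ] || return 0                     # no rule files: nothing to report
    awk '
        /^[ \t]*#/ { next }                     # commented-out (disabled) rules are skipped
        match($0, /[;(][ \t]*sid:[ \t]*[0-9]+[ \t]*;/) {
            sid = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", sid)             # keep the full number, so 24291 != 242910
            copies[sid]++
            if (!((sid, FILENAME) in seen)) { seen[sid, FILENAME] = 1; files[sid]++ }
        }
        END { for (s in copies) if (copies[s] > 1) print s, copies[s], files[s] }
    ' "$@" | sort -n
}

# make_sample DIR: write constructed rule files (not real VRT/ET rule bodies).
make_sample() {
    r='alert tcp any any -> any 80 (msg:"constructed sample"; '
    {
        for i in 1 2 3 4; do printf '%ssid:24291; rev:1;)\n' "$r"; done
        printf '%ssid:242910; rev:1;)\n' "$r"          # different SID, same prefix
        printf '# %ssid:24291; rev:1;)\n' "$r"         # disabled copy
    } > "$1/VRT-server-webapp.rules"
    printf '%ssid:1000001; rev:1;)\n' "$r" > "$1/a.rules"
    printf '%ssid:1000001; rev:2;)\n' "$r" > "$1/b.rules"
}

# Demo on the constructed sample: one SID duplicated within a file, one across files.
d=$(mktemp -d) && make_sample "$d" && dup_sids "$d"
rm -rf "$d"
```

Running `dup_sids` before and after each PulledPork run shows whether the copy count for a SID grows from run to run, as described in the thread.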