Re: Pulledpork doesn't creates sid-msg.map properly

["C. L. Martinez" <carlopmart () gmail com>]

On Mon, Oct 13, 2014 at 8:27 AM, C. L. Martinez <carlopmart () gmail com> wrote:
> Hi all,
>
>  After some days working with pulledpork for suricata 2.0.4 all works
> ok until today.
>
>  I have added the following rules in pulledpork's config file as a local_rules:
>
>  https://sslbl.abuse.ch/blacklist/sslblacklist.rules
>
>  After that, sid-msg doesn't creates properly. For emergingthreats
> rules works ok, but not for these last ones rules:
>
> cat sid-msg.rules
>
> 2523264 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group
> 633 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523266 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group
> 634 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523268 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group
> 635 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 2523270 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group
> 636 || url,doc.emergingthreats.net/bin/view/Main/TorRules
> 3 || FILEEXT BMP file claimed
> 6 || FILESTORE jpg
> 648 || GPL SHELLCODE x86 NOOP || arachnids,181
> 653 || GPL SHELLCODE x86 0x90 unicode NOOP
> 8 || FILESTORE pdf
> 9 || FILEMAGIC pdf
> 902200008 ||
> 902200009 ||
> 902200035 ||
> 902200060 ||
> 902200062 ||
> 902200064 ||
> 902200081 ||
> 902200082 ||
> 902200125 ||
> 902200133 ||
> 902200134 ||
> 902200141 ||
> 902200148 ||
> 902200151 ||
> 902200178 ||
> 902200195 ||
> 902200209 ||
> 902200213 ||
> 902200241 ||
> 902200248 ||
> 902200381 ||
> 902200382 ||
> 902200383 ||
>
> How can I fix this??


More info. Pulledpork clear this file:

cat Custom-sslblacklist.rules



# ----- Begin Custom-sslblacklist Rules Category ----- #

# -- Begin GID:1 Based Rules -- #

pulledpork.conf:

#
# Download rules url
#
#rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_url=http://rules.emergingthreats.net/open/suricata/|emerging.rules.tar.gz|open

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

# Output path for download rules
out_path=/data/config/etc/idpsuricata/rules
local_rules=/data/config/etc/idpsuricata/rules/Custom-sslblacklist.rules

# Location for sid-msg.map file
sid_msg=/data/config/etc/idpsuricata/sid-msg.map

# New for by2 and more advanced msg mapping.  Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+.  Otherwise use 1
sid_msg_version=1

# Defined path for sid changelog file
sid_changelog=/tmp/sid_changes.log

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
disablesid=/data/config/etc/idpsuricata/pulledpork/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

version=0.7.0

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!