Snort mailing list archives

Re: Duplicate downloaded rules


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Tue, 19 Oct 2010 11:19:38 -0400

looks good - let me know if you have any problems..

FYI - this might change if ET & VRT come up with a better solution..

-J

        -----Original Message-----
        From: Lay, James [mailto:james.lay () wincofoods com]
        Sent: Tuesday, October 19, 2010 11:11 AM
        To: snort-users () lists sourceforge net
        Subject: Re: [Snort-users] Duplicate downloaded rules

        ....so let me understand this.  My current setup is:

        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules

        /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

        I need to:

        Create separate directories for the two rulesets

        Change the above to reflect:

                /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt

                /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et

                cp /etc/snort/rules/vrt/*.* /etc/snort/rules

                cp /etc/snort/rules/et/*.* /etc/snort/rules

        Create two new oinkmaster conf files, the vrt.conf containing what's in the attachment in the original post of the 410 rules.

        Modify create-sidmap.pl line 101 to reflect:

                next if ($single =~ /^\#/);

        Have I missed anything?  Thanks Jason

         

         

        From: Weir, Jason [mailto:jason.weir () nhrs org]
        Sent: Tuesday, October 19, 2010 8:19 AM
        To: snort-users () lists sourceforge net
        Subject: Re: [Snort-users] Duplicate downloaded rules

        ET and VRT are publishing duplicate rules.

        Read the "The New Rulesets are Ready!!" thread here

        http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

        Not sure if you use Oinkmaster but I posted a solution in that thread.

        -J

                -----Original Message-----
                From: Lay, James [mailto:james.lay () wincofoods com]
                Sent: Tuesday, October 19, 2010 10:05 AM
                To: snort-users () lists sourceforge net
                Subject: [Snort-users] Duplicate downloaded rules

                I sent this to snort-sigs a few days ago, but it got moderated into oblivion.  Here's a pruned down one in hopes it will make it:

                I am seeing the below with grabbing these rulesets:

                Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz

                Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

                WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'

                <snip> many more of these

                WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'

                WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

                A grand total of 409 dup messages are seen even as of this morning.  Maybe this one will make it through...

                James
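An added illustration, not code from the thread or from Oinkmaster, of the merge step discussed in the messages above: two constructed rule files stand in for the vrt and et directories, commented-out rules are skipped the way the create-sidmap.pl line-101 change does, the highest rev wins on a duplicate SID as Oinkmaster's warning says, and each collision is recorded so the operator can see which ruleset's rule actually gets loaded. The rule text, file names and the "sid || msg" rendering are assumptions for the example.

```python
import re

# Constructed sample rule sets standing in for /etc/snort/rules/vrt and
# /etc/snort/rules/et. SID 498 appears in both (as in the Oinkmaster warnings
# quoted above) with a higher rev on the ET side; SID 2000001 is commented out.
VRT_RULES = """\
alert tcp any any -> any 23 (msg:"TELNET test vrt"; sid:498; rev:6;)
alert tcp any any -> any 80 (msg:"WEB test vrt"; sid:1000; rev:2;)
"""
ET_RULES = """\
alert tcp any any -> any 23 (msg:"ET TELNET test et"; sid:498; rev:8;)
#alert udp any any -> any 53 (msg:"ET DNS disabled"; sid:2000001; rev:1;)
alert tcp any any -> any 25 (msg:"ET SMTP test"; sid:2000002; rev:3;)
"""
# msg, sid and optional rev from a rule's option section (Snort defaults rev to 1).
RULE_RE = re.compile(r'msg:"([^"]*)";.*?sid:(\d+);(?:.*?rev:(\d+);)?')

def parse_rules(text):
    """Yield (sid, rev, msg) for each active rule; '#'-prefixed lines are skipped,
    which is what the create-sidmap.pl line-101 change does."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.search(line)
        if m:
            yield int(m.group(2)), int(m.group(3) or 1), m.group(1)

def merge_rulesets(*named_sets):
    """Merge (name, text) rule sets; keep the highest rev on a duplicate SID, as
    Oinkmaster does, and record the collision for the operator to review."""
    winners = {}     # sid -> (rev, msg, source)
    collisions = []  # (sid, kept_source, kept_rev, dropped_source, dropped_rev)
    for source, text in named_sets:
        for sid, rev, msg in parse_rules(text):
            if sid in winners:
                old_rev, _, old_src = winners[sid]
                if rev > old_rev:
                    collisions.append((sid, source, rev, old_src, old_rev))
                    winners[sid] = (rev, msg, source)
                else:
                    collisions.append((sid, old_src, old_rev, source, rev))
                continue
            winners[sid] = (rev, msg, source)
    return winners, collisions

def sid_msg_map(winners):
    """Render the winning rules as 'sid || msg' lines, the core of sid-msg.map."""
    return [f"{sid} || {winners[sid][1]}" for sid in sorted(winners)]
```

Run over the real vrt and et directories, the collision list is the same set Oinkmaster reports as duplicate-SID warnings, but with the winning source named.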
