Snort mailing list archives

Re: [Emerging-Sigs] Problems with new pulledpork 0.6.0 version


From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 29 Mar 2011 12:46:44 +0100

No I don't think so. In 0.5.0 of pulled pork I had the file like
scada.rules,1:XXXXX,1:XXXXX,emerging-scada.rules etc then it did not like
that when I went to 0.6.0. I tried changing the text to match the new format
(i.e. ET-scada, ET-emerging-scada, ET-scada.rules etc.) but none of them
worked and I still get the error. When I removed all non-numerical stuff
from the file (you can have it on separate lines) it works. No idea if the
way to define an entire rule file is now something else or it is a bug.

Pulledpork is a great rule management tool though because it handles all the
current rule files (i.e. ET, ETPRO, VRT etc.) including shared object rules.
Also it is handy that it generates a sid-msg.map file itself which is
important if you are using barnyard (which you should be) so when you look
at alerts you don't just get a SID.

On 29 March 2011 12:32, carlopmart <carlopmart () gmail com> wrote:

On 03/29/2011 12:09 PM, Kevin Ross wrote:
I am getting the same. It seems to be linked to if you put text in your
list of sids for disable/enable etc. i.e. ET-scada.rules or whatever. If
you remove it and leave only sid listings it runs fine.



Do you mean that I need to put, for example: 2012455, 2012456, 2012457
... all in one line on disablesid.conf file to work??

That's not good, not good. Then, pulledpork is not the tool that I need
to update snort/suricata rules.


--
CL Martinez
carlopmart {at} gmail {d0t} com
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
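The thread turns on what a disablesid.conf-style file may contain: whole rule-file names and gid:sid pairs, either comma separated on one line or one entry per line, and on the sid-msg.map that pulledpork writes for barnyard. The following is an added example, not pulledpork's own code or parsing logic: it parses such a file into SIDs, rule-file names and unrecognised tokens (so a bad token is reported with its line number instead of failing the whole run), comments out matching rules, and emits a minimal "sid || msg" map from the rules that stay enabled. The sample config and rules are constructed, and the token patterns are assumptions about the format rather than pulledpork's actual grammar.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of disablesid.conf (assumption: not the
# exact grammar pulledpork uses). It mixes the two token kinds the thread
# talks about: whole rule-file names and gid:sid pairs.
SAMPLE_CONF = """\
# whole rule files and gid:sid pairs, comma separated on one line
scada.rules,1:2012455,1:2012456,emerging-scada.rules
# or one entry per line
1:2012457
ET-scada
"""

# Constructed sample rules keyed by the file they came from.
SAMPLE_RULES: Dict[str, List[str]] = {
    "emerging-scada.rules": [
        'alert tcp any any -> any 502 (msg:"ET SCADA sample one"; sid:2012455; rev:1;)',
        'alert tcp any any -> any 502 (msg:"ET SCADA sample two"; sid:2012456; rev:1;)',
    ],
    "emerging-web.rules": [
        'alert tcp any any -> any 80 (msg:"ET WEB sample"; sid:2012457; rev:2;)',
        'alert tcp any any -> any 80 (msg:"ET WEB kept"; sid:2012458; rev:1;)',
    ],
}

GID_SID = re.compile(r"^(\d+):(\d+)$")        # 1:2012455
SID_ONLY = re.compile(r"^\d+$")               # bare sid, assumed gid 1
RULE_FILE = re.compile(r"^[\w.-]+\.rules$")   # emerging-scada.rules
SID_OPT = re.compile(r"\bsid:\s*(\d+)\s*;")
MSG_OPT = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')


def parse_disablesid(text: str) -> Dict[str, list]:
    """Split the file into gid:sid pairs, rule-file names and unknown tokens.

    Comments (#) and blank lines are skipped; tokens may be comma separated
    on one line or given one per line. Unknown tokens are kept with their
    line number so the operator can see exactly what was rejected.
    """
    result: Dict[str, list] = {"sids": [], "rule_files": [], "unknown": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        for tok in (t.strip() for t in line.split(",")):
            if not tok:
                continue
            m = GID_SID.match(tok)
            if m:
                result["sids"].append((int(m.group(1)), int(m.group(2))))
            elif SID_ONLY.match(tok):
                result["sids"].append((1, int(tok)))
            elif RULE_FILE.match(tok):
                result["rule_files"].append(tok)
            else:
                result["unknown"].append((lineno, tok))
    return result


def apply_disables(rules: Dict[str, List[str]], conf: Dict[str, list]) -> Dict[str, List[str]]:
    """Comment out every rule in a listed file or with a listed gid-1 sid."""
    disabled_sids = {sid for gid, sid in conf["sids"] if gid == 1}
    out: Dict[str, List[str]] = {}
    for fname, lines in rules.items():
        out[fname] = []
        for rule in lines:
            m = SID_OPT.search(rule)
            sid = int(m.group(1)) if m else None
            if fname in conf["rule_files"] or sid in disabled_sids:
                out[fname].append("# " + rule)
            else:
                out[fname].append(rule)
    return out


def build_sid_msg_map(rules: Dict[str, List[str]]) -> List[str]:
    """Emit 'sid || msg' lines for the rules that are still enabled."""
    entries: List[Tuple[int, str]] = []
    for lines in rules.values():
        for rule in lines:
            if rule.lstrip().startswith("#"):
                continue
            s, m = SID_OPT.search(rule), MSG_OPT.search(rule)
            if s and m:
                entries.append((int(s.group(1)), m.group(1)))
    return [f"{sid} || {msg}" for sid, msg in sorted(entries)]


if __name__ == "__main__":
    conf = parse_disablesid(SAMPLE_CONF)
    print("rejected tokens:", conf["unknown"])
    enabled = apply_disables(SAMPLE_RULES, conf)
    print("\n".join(build_sid_msg_map(enabled)))
```

Run as a script it reports the one token it could not classify (`ET-scada` on line 5, which is neither a gid:sid pair nor a `.rules` name) and prints the map for the single rule left enabled; that separation of "what was rejected" from "what was applied" is the behaviour the thread wishes the tool had shown.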
