Snort mailing list archives
Re: [Emerging-Sigs] Problems with new pulledpork 0.6.0 version
From: Kevin Ross <kevross33 () googlemail com>
Date: Tue, 29 Mar 2011 12:46:44 +0100
No, I don't think so. In 0.5.0 of pulledpork I had the file like scada.rules,1:XXXXX,1:XXXXX,emerging-scada.rules etc., then it did not like that when I went to 0.6.0. I tried changing the text to match the new format (i.e. ET-scada, ET-emerging-scada, ET-scada.rules etc.) but none of them worked and I still get the error. When I removed all non-numerical stuff from the file (you can have it on separate lines) it works. No idea if the way to define an entire rule file is now something else or it is a bug.

Pulledpork is a great rule management tool though, because it handles all the current rule files (i.e. ET, ETPRO, VRT etc.) including shared object rules. Also it is handy that it generates a sid-msg.map file itself, which is important if you are using barnyard (which you should be), so when you look at alerts you don't just get a SID.

On 29 March 2011 12:32, carlopmart <carlopmart () gmail com> wrote:

> On 03/29/2011 12:09 PM, Kevin Ross wrote:
>> I am getting the same. It seems to be linked to if you put text in your list of sids for disable/enable etc., i.e. ET-scada.rules or whatever. If you remove it and leave only sid listings it runs fine.
>
> Do you mean that I need to put, for example: 2012455, 2012456, 2012457 ... all in one line on disablesid.conf file to work?? That's not good, not good. Then, pulledpork is not the tool that I need to update snort/suricata rules.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
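The SID-only workaround described in the message above can be generated from a rule file instead of typed by hand. This is an added example, not part of the thread or of pulledpork; the function name and the sample rules are constructed, and the `gid:sid` output follows the `1:XXXXX` form quoted in the message.

```python
import re

# Snort rule actions that can start a rule line (optionally commented out with '#').
_RULE = re.compile(r"^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop|activate|dynamic)\s.*\(.*\)\s*$")
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')          # quoted option values (msg, content, pcre)
_SID = re.compile(r"[;(]\s*sid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"[;(]\s*gid\s*:\s*(\d+)\s*;")


def rule_file_to_sid_entries(text, include_disabled=False):
    """Return sorted, de-duplicated 'gid:sid' entries for the rules in text."""
    entries = set()
    # Join rules that were split across lines with a trailing backslash.
    joined = re.sub(r"\\\r?\n", " ", text)
    for line in joined.splitlines():
        m = _RULE.match(line)
        if not m:
            continue                      # blank line, plain comment, or not a rule
        if m.group(1) and not include_disabled:
            continue                      # rule is already commented out in the file
        body = _QUOTED.sub('""', line)    # ignore "sid:" text inside quoted strings
        sid = _SID.search(body)
        if not sid:
            continue                      # a comment that merely looked like a rule
        gid = _GID.search(body)
        entries.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))  # gid defaults to 1
    return ["%d:%d" % e for e in sorted(entries)]


# Constructed sample input (not taken from any real ruleset).
SAMPLE = r'''
# Constructed sample rules
alert tcp any any -> any 502 (msg:"SAMPLE scada write; sid:999 in text"; content:"|06|"; sid:9000001; rev:1;)
#alert tcp any any -> any 20000 (msg:"SAMPLE disabled rule"; sid:9000002; rev:2;)
alert tcp any any -> any 44818 (msg:"SAMPLE split rule"; \
    gid:3; sid:9000003; rev:1;)
'''

if __name__ == "__main__":
    # One entry per line, numeric only, as in the workaround described above.
    print("\n".join(rule_file_to_sid_entries(SAMPLE)))
```

The printed lines can be pasted into the SID list in place of the rule-file name; pass `include_disabled=True` to list rules that are already commented out in the source file as well.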