Snort mailing list archives

Re: Pulledpork duplicate rules


From: "Stark, Vernon L." <Vernon.Stark () jhuapl edu>
Date: Tue, 15 Oct 2013 06:09:09 -0400

Thanks for the tip.  In this particular case, I was lucky enough not to catch any other sids as visual inspection of 
the actual duplicated rules shows I'm only catching lines with " sid:24291;".

Vern

-----Original Message-----
From: wkitty42 () windstream net [mailto:wkitty42 () windstream net] 
Sent: Monday, October 14, 2013 11:21 PM
To: Stark, Vernon L.; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork duplicate rules


On Monday, October 14, 2013 4:12 PM, Stark, Vernon L. <Vernon.Stark () jhuapl edu> wrote: 
I'm also getting duplicate rules with PP version 0.7.0.  I didn't have 
this issue with PP version 0.6.1.  I keep the separate rules files and use:
 
./pulledpork.pl -c pulledpork.conf -K /etc/snort/rules/ -E
 
An example duplicate SID is 24291 (a VRT rule in 
VRT-server-webapp.rules).  The duplication also compounds.  Every time 
I run PP, I get more duplicates of the same rules.  After my latest PP run, I have 4 copies of the same rule:
# grep "sid:24291" *.rules | wc -l
4

FWIW: you should modify that regex to avoid finding sids 24291xxxx where x is any number of trailing digits... 
personally, i use the following grep in a shell script so replace the $1 with your desired sid... you really should 
have the trailing semicolon ";" to terminate the SID string you are searching for...

grep -E "sid:\W*$1;"

of course neither of these will catch SID or SiD or Sid or similar that have a capital letter in the string "sid" ;)


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

