Snort mailing list archives

Re: Duplicate rules & rule parser


From: Peter Bates <peter.bates () ucl ac uk>
Date: Thu, 24 Oct 2013 10:38:35 +0100



Hello all

On 23/10/2013 19:41, Anshuman Anil Deshmukh wrote:
Oddities I can see:

1) You've defined a reg-rules rule_url and the community-rules.
[Anshuman] Yes, I am a registered user. So in that case do you mean to say that both community & registered user rules don't work together and hence, rather than using both of them, either one of them should be used?

If you see Joel's earlier comments - it shouldn't matter if you run both.
Personally I'm just using the registered user rules.
 
2) You've put a fixed Snort version (2.9.5.0) into the reg-rules rule_url
[Anshuman] I request you to kindly send me the correct URL meant for registered users

The correct URL is in the default pulledpork.conf that comes with PP 0.7.0.

It reads:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

As you might guess, you have to replace <oinkcode> with your oinkcode, so for example:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|1bf0c204e1ff27e7ebacdeadbeefc0de

-- 
Peter Bates
Senior Information Security Officer   Phone: +44(0)2076792049
Information Services Division         Internal Ext: 32049
University College London
London WC1E 6BT
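A small lint for the rule_url format discussed in this message (base URL, file name and oinkcode separated by `|`), added here as an example; it is not part of the original post or of PulledPork. The function name, the pinned-file-name pattern and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed shape of a tarball name with a Snort version baked in,
# e.g. snortrules-snapshot-2950.tar.gz (constructed example name).
PINNED = re.compile(r"^snortrules-snapshot-\d+\.tar\.gz$")

def check_rule_urls(conf_text):
    """Return (line_number, problem) tuples for rule_url lines in pulledpork.conf text."""
    problems = []
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        # Skip comments and every setting other than rule_url.
        if line.startswith("#") or not line.startswith("rule_url="):
            continue
        fields = line[len("rule_url="):].split("|")
        if len(fields) != 3:
            problems.append((num, "expected base_url|file|oinkcode, got %d field(s)" % len(fields)))
            continue
        base_url, tarball, oinkcode = (f.strip() for f in fields)
        if not base_url or not tarball:
            problems.append((num, "empty base URL or file name"))
        # The shipped default carries a literal <oinkcode> that must be replaced.
        if oinkcode in ("", "<oinkcode>"):
            problems.append((num, "oinkcode placeholder not replaced"))
        # A fixed Snort version in the reg-rules file name is the oddity raised in the thread.
        if "/reg-rules/" in base_url and PINNED.match(tarball):
            problems.append((num, "Snort version pinned in file name; default is snortrules-snapshot.tar.gz"))
    return problems

# Constructed sample input; the all-zero oinkcode is fake.
SAMPLE = """\
# constructed pulledpork.conf fragment
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2950.tar.gz|0000000000000000000000000000000000000000
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for num, problem in check_rule_urls(SAMPLE):
        print("line %d: %s" % (num, problem))
```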



