Snort mailing list archives

SO rules and pulledpork


From: Fred Maillou <frederriffic () yahoo ca>
Date: Fri, 21 Feb 2014 08:23:44 -0800 (PST)



So far I understand that SO rules should have a .rules counterpart to enable/disable them.  Is that right ?

*If* that's the case, I do not get the corresponding .rules files to the .so files.  

This is using pulledpork 0.7.0 and the 2955 version of the rules snapshot.  Since there's a big *if* here, I'll make the description short.

The error from pp is:

 An error occurred: ERROR:
 [...]/tmp/etc/snort/rules/local.rules(0) Unable to open rules
 file "[...]/tmp/etc/snort/rules/local.rules": No such file or
 directory.  An error occurred: Fatal Error, Quitting..

/tmp/ is the temp_path.  The 2955 archived snapshot is in there also.  So I presume that the local.rules file that pp 
does not find should be included in the 2955 snapshot from snort.org.

pp is called, apart from the config file, with the following: '-n -P -k -D Debian-6-0' and works from an already downloaded 2995 archive and md5 file in its temp_path.

Apart from this puzzlement, lots of rules get written in the out_path, and possibly all .so files get created/moved at the right location defined by sorule_path.

At this stage there are two questions basically:

1) Should each SO .so file have a corresponding .rules file ?

2) Why does pp expect to find a local.rules file at that location ?  There is no local_rules defined in pp's config.

I'd like to sort this out: any help will be greatly appreciated - thanks.  