Re: pulledpork V0.7.0 not updating the ../rules/*.rules files

[James Lay <jlay () slave-tothe-box net>]

On Sat, 2015-08-08 at 10:29 +0100, Charlie wrote:

> Hi
>
> When I run pulledpork, this is what happens:
>
> Prepping rules from snortrules-snapshot-2975.tar.gz for work....
>          extracting contents of /tmp/snortrules-snapshot-2975.tar.gz...
>          Ignoring plaintext rules: deleted.rules
>          Extracted: /tha_rules/VRT-indicator-compromise.rules
>          Extracted: /tha_rules/VRT-file-executable.rules
>   ...
>          Extracted: /tha_rules/VRT-server-iis.rules
>          Reading rules...
>          Reading rules...
> Cleanup....
>          removed 170 temporary snort files or directories from 
> /tmp/tha_rules!
> Blacklist version is unchanged, not updating!
> Setting Flowbit State....
>          Enabled 57 flowbits
>          Done
> Writing /usr/local/snort/rules/snort.rules....
>          Done
> Generating sid-msg.map....
>          Done
> Writing v1 /usr/local/snort/etc/sid-msg.map....
>          Done
> Writing /var/log/sid_changes.log....
>          Done
> Rule Stats...
>          New:-------47
>          Deleted:---16
>          Enabled Rules:----26218
>          Dropped Rules:----0
>          Disabled Rules:---21141
>          Total Rules:------47359
> No IP Blacklist Changes
>
> Done
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
> I can see that in the ../snort/rules directory, the snort.rules files 
> has been updated
> BUT
> none of the smaller *.rules files like app-detect.rules, 
> attack-responses.rules and so on are.
>
> Is this correct as I was expecting the snort.rules to be broken down in 
> its many *.rules files?
>
> If this is correct, should the snort.conf file have a:
> include $RULE_PATH/snort.rules
> rather than
> include $RULE_PATH/app-detect.rules
> include $RULE_PATH/attack-responses.rules
> ...
>
> Thanks in advance
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


By default pulledpork merges all the rules into one large snort.rules
file. 

James

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!