Snort mailing list archives

Previous By Date Next
Previous By Thread Next

pulledpork V0.7.0 not updating the ../rules/*.rules files

From: Charlie <ForFun2000 () hotmail com>
Date: Sat, 8 Aug 2015 10:29:01 +0100
Hi

When I run pulledpork, this is what happens:

Prepping rules from snortrules-snapshot-2975.tar.gz for work....
         extracting contents of /tmp/snortrules-snapshot-2975.tar.gz...
         Ignoring plaintext rules: deleted.rules
         Extracted: /tha_rules/VRT-indicator-compromise.rules
         Extracted: /tha_rules/VRT-file-executable.rules
  ...
         Extracted: /tha_rules/VRT-server-iis.rules
         Reading rules...
         Reading rules...
Cleanup....
         removed 170 temporary snort files or directories from 
/tmp/tha_rules!
Blacklist version is unchanged, not updating!
Setting Flowbit State....
         Enabled 57 flowbits
         Done
Writing /usr/local/snort/rules/snort.rules....
         Done
Generating sid-msg.map....
         Done
Writing v1 /usr/local/snort/etc/sid-msg.map....
         Done
Writing /var/log/sid_changes.log....
         Done
Rule Stats...
         New:-------47
         Deleted:---16
         Enabled Rules:----26218
         Dropped Rules:----0
         Disabled Rules:---21141
         Total Rules:------47359
No IP Blacklist Changes

Done
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

I can see that in the ../snort/rules directory, the snort.rules files 
has been updated
BUT
none of the smaller *.rules files like app-detect.rules, 
attack-responses.rules and so on are.

Is this correct as I was expecting the snort.rules to be broken down in 
its many *.rules files?

If this is correct, should the snort.conf file have a:
include $RULE_PATH/snort.rules
rather than
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
...

Thanks in advance



------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: