Snort mailing list archives
Re: Duplicate downloaded rules
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Tue, 19 Oct 2010 11:19:38 -0400
looks good - let me know if you have any problems..

FYI - this might change if ET & VRT come up with a better solution..

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 19, 2010 11:11 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

....so let me understand this. My current setup is:

    /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules
    /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

I need to:

Create separate directories for the two rulesets

Change the above to reflect:

    /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt
    /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et
    cp /etc/snort/rules/vrt/*.* /etc/snort/rules
    cp /etc/snort/rules/et/*.* /etc/snort/rules

Create two new oinkmaster conf files, the vrt.conf containing what's in the attachment in the original post of the 410 rules.

Modify create-sidmap.pl line 101 to reflect:

    next if ($single =~ /^\#/);

Have I missed anything? Thanks Jason

From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Tuesday, October 19, 2010 8:19 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Duplicate downloaded rules

ET and VRT are publishing duplicate rules.

Read the "The New Rulesets are Ready!!" thread here
http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

Not sure if you use Oinkmaster but I posted a solution in that thread.

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, October 19, 2010 10:05 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Duplicate downloaded rules

I sent this to snort-sigs a few days ago, but it got moderated into oblivion. Here's a pruned down one in hopes it will make it:

I am seeing the below with grabbing these rulesets:

    Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz
    Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
    WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'
    <snip> many more of these
    WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'
    WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

A grand total of 409 dup messages are seen even as of this morning. Maybe this one will make it through...

James
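An added example, not part of the original thread and not Oinkmaster's or create-sidmap.pl's own code: a small checker that reports which SIDs are active in more than one ruleset and which copy has the highest 'rev', the condition behind the warnings quoted above. Skipping commented-out rules mirrors the create-sidmap.pl change discussed in the thread; the rule text and the names `parse_rules` and `find_duplicates` are constructed for illustration.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Return {sid: rev} for active rules; blank and commented lines are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # disabled rule or comment: not counted as a duplicate
        sid = SID_RE.search(line)
        if sid is None:
            continue  # not a rule line
        rev = REV_RE.search(line)
        rules[int(sid.group(1))] = int(rev.group(1)) if rev else 0
    return rules

def find_duplicates(rulesets):
    """rulesets maps a ruleset name to its rule text.
    Returns {sid: [(name, rev), ...]} for SIDs active in more than one
    ruleset, highest rev first (the copy that would be kept)."""
    seen = defaultdict(list)
    for name, text in rulesets.items():
        for sid, rev in parse_rules(text).items():
            seen[sid].append((name, rev))
    return {sid: sorted(hits, key=lambda h: -h[1])
            for sid, hits in seen.items() if len(hits) > 1}

# Constructed sample rules (not taken from the real VRT or ET rulesets).
SAMPLE = {
    "vrt": '''
alert ip any any -> any any (msg:"constructed sample A"; sid:498; rev:6;)
alert tcp any any -> any any (msg:"constructed sample B"; sid:1666; rev:5;)
# alert tcp any any -> any any (msg:"constructed, disabled"; sid:494; rev:10;)
''',
    "et": '''
alert ip any any -> any any (msg:"constructed sample A, second copy"; sid:498; rev:8;)
alert tcp any any -> any any (msg:"constructed sample C"; sid:494; rev:12;)
alert tcp any any -> any any (msg:"constructed sample D"; sid:2000001; rev:1;)
''',
}

if __name__ == "__main__":
    for sid, hits in sorted(find_duplicates(SAMPLE).items()):
        print(f"SID={sid} duplicated: {hits}, highest rev is in '{hits[0][0]}'")
```
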