Snort mailing list archives
Re: More problems with pulledpork 0.6.0
From: JJC <cummingsj () gmail com>
Date: Fri, 1 Apr 2011 10:14:59 -0600
The reasoning is simple, there is no reliable way, other than using a known trusted url identification to determine the source of the rules. Consider the case of ETPRO rules vs VRT rules, there are sids that match, the contained filenames match exactly, and you may have changed the source tarball name when you put it on your custom server url... I will likely (in the next major release) make that a configurable option.. such as rule_url=<url>|<filename>|<oinkcode>|<prependname> or something... Oh, 0.6.1 is up and has your fix in it... JJC On Fri, Apr 1, 2011 at 9:57 AM, carlopmart <carlopmart () gmail com> wrote:
On 04/01/2011 05:26 PM, JJC wrote:Ok, I see the problem... PP has no way of knowing that the rules you are putting on your custom-url-server are ET rules (it determines if it's VRT or ET based on the source url), thus the other errors (in your bug) that you are reporting and the behavior that you see. If you remove the ET- from your dropsid and disablesid config. I will be publishing a bugfix today for that (0.6.1) that will fix both issues, but require you to use Custom-<category> when retrieving from a purely custom url, such as you are doing. JJCOk. All works as expected now disabling ET- . But, why not to use in the new version "Custom-ET-" and "Custom-VRT-" instead of "Custom-"? With this mode you can prevent that VRT and ET release a .rules file with the same name. Thanks JJC. -- CL Martinez carlopmart {at} gmail {d0t} com
------------------------------------------------------------------------------ Create and publish websites with WebMatrix Use the most popular FREE web apps or write code yourself; WebMatrix provides all the features you need to develop and publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)
- Re: More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)
- Re: More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)
- Re: More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)
- Re: More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)
- Re: More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 carlopmart (Apr 01)
- Re: More problems with pulledpork 0.6.0 JJC (Apr 01)