snort-users October 2010 archive

Re: [Snort-users] Duplicate downloaded rules

From: Lay, James <james.lay_at_nospam>
Date: Tue Oct 19 2010 - 15:27:44 GMT
To: <snort-users@lists.sourceforge.net>

Ok...thanks again Jason. Also....I guess there's something I do not
understand as it relates to ET & VRT rules. As I understand it:

Snort VRT support 2.8.6.1 and 2.9.0

ET support 2.4-2.8.6

Is it just me or does this not make sense? Why are ET rules even
bothering with unsupported versions of Snort, and not putting out rules
that are in line with supported versions of Snort? I have to be
honest...from a home and business user, going from what used to be a
relatively easy rule management system, to what it is now has been
extremely time consuming and frustrating. And, coming from someone who
has little knowledge of how the ET and VRT rulesets are
developed/maintained, I have to think that duplicate SIDs seem to be
counterproductive. I'll keep plodding along...thank you.

James

From: Weir, Jason [mailto:jason.weir@nhrs.org]
Sent: Tuesday, October 19, 2010 9:20 AM
To: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Duplicate downloaded rules

looks good - let me know if you have any problems..

FYI - this might change if ET & VRT come up with a better solution..

-J

        -----Original Message-----
        From: Lay, James [mailto:james.lay@wincofoods.com]
        Sent: Tuesday, October 19, 2010 11:11 AM
        To: snort-users@lists.sourceforge.net
        Subject: Re: [Snort-users] Duplicate downloaded rules

        ....so let me understand this. My current setup is:

        /usr/local/bin/oinkmaster.pl -C /usr/local/etc/snort/oinkmaster.conf -o /usr/local/etc/snort/rules

        /usr/local/bin/create-sidmap.pl /usr/local/etc/snort/rules > /usr/local/etc/snort/sid-msg.map

        I need to:

        Create separate directories for the two rulesets

        Change the above to reflect:

                /usr/local/bin/oinkmaster.pl -C /usr/local/etc/vrt.conf -o /etc/snort/rules/vrt

                /usr/local/bin/oinkmaster.pl -C /usr/local/etc/et.conf -o /etc/snort/rules/et

                cp /etc/snort/rules/vrt/*.* /etc/snort/rules

                cp /etc/snort/rules/et/*.* /etc/snort/rules

        Create two new oinkmaster conf files, the vrt.conf containing
what's in the attachment in the original post of the 410 rules.

        Modify create-sidmap.pl line 101 to reflect:

                next if ($single =~ /^\#/);

        Have I missed anything? Thanks Jason


        From: Weir, Jason [mailto:jason.weir@nhrs.org]
        Sent: Tuesday, October 19, 2010 8:19 AM
        To: snort-users@lists.sourceforge.net
        Subject: Re: [Snort-users] Duplicate downloaded rules

        ET and VRT are publishing duplicate rules.

        Read the "The New Rulesets are Ready!!" thread here

        http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/thread.html

        Not sure if you use Oinkmaster but I posted a solution in that
thread.

        -J

                -----Original Message-----
                From: Lay, James [mailto:james.lay@wincofoods.com]
                Sent: Tuesday, October 19, 2010 10:05 AM
                To: snort-users@lists.sourceforge.net
                Subject: [Snort-users] Duplicate downloaded rules

                I sent this to snort-sigs a few days ago, but it got
moderated into oblivion. Here's a pruned down one in hopes it will make
it:

                I am seeing the below with grabbing these rulesets:

                Downloading file from http://www.snort.org/pub-bin/oinkmaster.cgi/*oinkcode*/snortrules-snapshot-2900.tar.gz

                Downloading file from http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

                WARNING: duplicate SID in downloaded archive, SID=498, only keeping rule with highest 'rev'
                WARNING: duplicate SID in downloaded archive, SID=494, only keeping rule with highest 'rev'
                WARNING: duplicate SID in downloaded archive, SID=495, only keeping rule with highest 'rev'
                WARNING: duplicate SID in downloaded archive, SID=497, only keeping rule with highest 'rev'
                <snip> many more of these
                WARNING: duplicate SID in downloaded archive, SID=1666, only keeping rule with highest 'rev'
                WARNING: duplicate SID in downloaded archive, SID=1988, only keeping rule with highest 'rev'
                WARNING: duplicate SID in downloaded archive, SID=1989, only keeping rule with highest 'rev'

                A grand total of 409 dup messages are seen even as of
this morning. Maybe this one will make it through...

                James
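The duplicate-SID check and the sid-msg.map generation discussed in this thread, as an added Python example that is not part of the thread, of oinkmaster or of create-sidmap.pl: it parses two constructed sample rule sets standing in for the VRT and ET downloads, reports SIDs that appear in both, and builds sid-msg.map entries that skip commented-out rules (the effect of the create-sidmap.pl change quoted above) while keeping the highest rev on a collision, as the oinkmaster warning describes. The rule text, function names and the rule regex are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample rulesets standing in for the VRT and ET downloads (not the real files).
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample VRT"; sid:498; rev:9;)
# alert tcp any any -> any 80 (msg:"Disabled sample VRT"; sid:1666; rev:2;)
alert tcp any any -> $HOME_NET 25 (msg:"SMTP sample VRT"; sid:3000001; rev:1;)
"""
ET_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample ET"; sid:498; rev:12;)
alert tcp any any -> any 80 (msg:"HTTP sample ET"; sid:1666; rev:3;)
alert udp any any -> any 53 (msg:"DNS sample ET"; sid:2000001; rev:4;)
"""

# A rule line: optional leading '#' (commented-out rule), an action keyword, options in (...).
RULE_RE = re.compile(r'^\s*(?P<off>#)?\s*(?:alert|log|pass|drop|reject|sdrop)\s+.*?\((?P<opts>.*)\)\s*$')

def parse_rules(text, source):
    """One dict per rule line (enabled or commented out): sid, rev, msg, enabled, source."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments carry no SID
        opts = m.group('opts')
        sid = re.search(r'\bsid\s*:\s*(\d+)', opts)
        if sid:
            rev = re.search(r'\brev\s*:\s*(\d+)', opts)
            msg = re.search(r'\bmsg\s*:\s*"([^"]*)"', opts)
            rules.append({'sid': int(sid.group(1)), 'rev': int(rev.group(1)) if rev else 0,
                          'msg': msg.group(1) if msg else '', 'enabled': m.group('off') is None,
                          'source': source})
    return rules

def duplicate_sids(*rulesets):
    """SIDs present in more than one ruleset, mapped to their (source, rev) pairs."""
    seen = defaultdict(list)
    for rules in rulesets:
        for r in rules:
            seen[r['sid']].append((r['source'], r['rev']))
    return {sid: hits for sid, hits in seen.items() if len({s for s, _ in hits}) > 1}

def sid_msg_map(*rulesets):
    """sid-msg.map lines ('sid || msg') for enabled rules only; on a SID collision the highest rev wins, as oinkmaster does."""
    best = {}
    for r in (r for rules in rulesets for r in rules if r['enabled']):
        if r['sid'] not in best or r['rev'] > best[r['sid']]['rev']:
            best[r['sid']] = r  # skipping disabled rules mirrors the create-sidmap.pl change
    return ['%d || %s' % (sid, best[sid]['msg']) for sid in sorted(best)]
```

Running duplicate_sids over the real vrt and et output directories from the two-oinkmaster-config setup above lists exactly the SIDs that will produce the "duplicate SID" warning.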
