The filenames are changing, that said if you see it in the tarball you should be seeing it update... run with -vv and you should see it extract and write the file, if it cannot it should throw a pretty verbose error.
On Monday, October 29, 2012 7:39:45 AM UTC-6, JJC wrote:
> The filenames are changing, that said if you see it in the tarball you
> should be seeing it update... run with -vv and you should see it extract
> and write the file, if it cannot it should throw a pretty verbose error.
> On Friday, October 26, 2012 2:05:05 PM UTC-6, DigiAngel wrote:
>> Topic says it..I seem to be having some issues with pp updating rule
>> sets. In my rules dir:
On Monday, October 29, 2012 7:54:22 AM UTC-6, JJC wrote:
> Yep, I just validated, that file is now empty (no rules) and as such PP
> will not update it, as it has nothing to update.
> JJC
> At some point in time pp stopped updating that file...I have no idea why. Hope that helps.
> James
> On Monday, October 29, 2012 7:54:22 AM UTC-6, JJC wrote:
>> Yep, I just validated, that file is now empty (no rules) and as such PP will not update it, as it has nothing to update.
>> JJC
>> On Monday, October 29, 2012 7:39:45 AM UTC-6, JJC wrote:
>>> The filenames are changing, that said if you see it in the tarball you should be seeing it update... run with -vv and you should see it extract and write the file, if it cannot it should throw a pretty verbose error.
>>> On Friday, October 26, 2012 2:05:05 PM UTC-6, DigiAngel wrote:
>>>> Topic says it..I seem to be having some issues with pp updating rule sets. In my rules dir:
>>>> Is there something I can do on my end to troubleshoot this? Thank you.
>>>> James
> --
> You received this message because you are subscribed to the Google Groups "pulledpork users" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/pulledpork-users/-/CKq4IpOhxzsJ.
> To post to this group, send email to pulledpork-users@googlegroups.com.
> To unsubscribe from this group, send email to pulledpork-users+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/pulledpork-users?hl=en.
In light of Joel's comments about not deleting these out yet on the snort-sig list, my question is, why isn't pp updating certain rules? I'm not sure how it all works to be sure...does pp "sync" a ruleset? That doesn't seem to have happened for me at least. There are a few files that differ wildly from current snort rulesets:
This list seems pretty close to the list of rules that will be deleted down the road, but again, I'm just wondering why they aren't getting updated. PP.conf below:
This is what's in the current shellcode.rules file.. no rules:
$ less shellcode.rules
# Copyright 2001-2012 Sourcefire Inc. All Rights Reserved.
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules"). The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2012 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2012 Sourcefire, Inc. All Rights
# Reserved. All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights). In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#-----------------
# SHELLCODE RULES
#-----------------
# These signatures are based on shellcode that is common ammong multiple
# publicly available exploits.
#
# Because these signatures check ALL traffic for shellcode, these signatures
# are disabled by default. There is a LARGE performance hit by enabling
# these signatures.
#
On Wed, Oct 31, 2012 at 11:24 AM, DigiAngel <digital...@gmail.com> wrote:
> HI JJ,
> In light of Joel's comments about not deleting these out yet on the
> snort-sig list, my question is, why isn't pp updating certain rules? I'm
> not sure how it all works to be sure...does pp "sync" a ruleset? That
> doesn't seem to have happened for me at least. There are a few files that
> differ wildly from current snort rulesets:
> This list seems pretty close to the list of rules that will be deleted
> down the road, but again, I'm just wondering why they aren't getting
> updated. PP.conf below:
So yes…currently shellcode.rules is empty…and that's my question; why is the official snortrules shellcode.rules empty, and the shellcode.rules that is currently in my rules dir NOT empty? Why after running pp are they not the same? Is that making sense? Thanks a bunch JJ.
James
On Oct 31, 2012, at 12:03 PM, JJC <cummin...@gmail.com> wrote:
> This is what's in the current shellcode.rules file.. no rules:
Ah, now I see.. yes so essentially what's happening is that PP is not
touching the shellcode.rules file because it doesn't have anything to do
(in terms of new rules etc).. essentially when writing out the unique
filenames if there are no rules in a file then PP ignores it and moves on..
this is one of the drawbacks to doing it that way rather than a single
large rules file, if that makes any sense..
On Wed, Oct 31, 2012 at 12:05 PM, James Lay <digital...@gmail.com> wrote:
> Hehe…maybe I'm not explaining myself :)
> So yes…currently shellcode.rules is empty…and that's my question; why is
> the official snortrules shellcode.rules empty, and the shellcode.rules that
> is currently in my rules dir NOT empty? Why after running pp are they not
> the same? Is that making sense? Thanks a bunch JJ.
> James
Thanks JJ..I'll manually copy them over for now. Maybe we could add this as a feature request...."hardcore" sync or something that will still sync empty rulesets or rulesets with everything commented out :)
On Wednesday, October 31, 2012 12:19:59 PM UTC-6, JJC wrote:
> Ah, now I see.. yes so essentially what's happening is that PP is not
> touching the shellcode.rules file because it doesn't have anything to do
> (in terms of new rules etc).. essentially when writing out the unique
> filenames if there are no rules in a file then PP ignores it and moves on..
> this is one of the drawbacks to doing it that way rather than a single
> large rules file, if that makes any sense..
> JJC
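As an added example (not part of this thread and not PulledPork's own code), here is the kind of check James asks for at the end: compare the local rules directory against the downloaded tarball and flag files that still carry active rules locally while the upstream copy has none, which is exactly the shellcode.rules case JJC describes, since PP skips writing a file that has no rules. The rules/<name>.rules layout inside the tarball and the rule keyword list are assumptions; the sample tarball and rules directory are constructed inline.

```python
# Added example, not PulledPork code: flag local .rules files that PP leaves stale.
# Assumed: tarball entries are rules/<name>.rules; rule keywords listed below.
import io
import os
import re
import tarfile
import tempfile

# A rule line (active, or commented out with a leading '#'); header text is neither.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s", re.I)

def count_rules(text):
    """Return (active, commented) rule counts for one .rules file body."""
    active = commented = 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(1):
            commented += 1
        elif m:
            active += 1
    return active, commented

def upstream_counts(tar_bytes):
    """Map basename -> (active, commented) for each .rules entry in the tarball."""
    counts = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.endswith(".rules"):
                body = tar.extractfile(m).read().decode("utf-8", "replace")
                counts[os.path.basename(m.name)] = count_rules(body)
    return counts

def stale_files(tar_bytes, rules_dir):
    """Local files still holding active rules while the upstream copy has none:
    the shellcode.rules case, because PP does not rewrite a rule-less file."""
    up = upstream_counts(tar_bytes)
    stale = []
    for name in sorted(os.listdir(rules_dir)):
        if not name.endswith(".rules"):
            continue
        with open(os.path.join(rules_dir, name), encoding="utf-8", errors="replace") as f:
            local_active = count_rules(f.read())[0]
        if local_active > 0 and up.get(name, (0, 0))[0] == 0:
            stale.append(name)
    return stale

def build_sample():
    """Constructed data reproducing the thread: upstream shellcode.rules is now
    header-only, but the local copy still carries a rule from an older release."""
    header = "# SHELLCODE RULES\n# These signatures are disabled by default.\n"
    rule = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
            '(msg:"constructed sample"; sid:1000001; rev:1;)\n')
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (("rules/shellcode.rules", header),
                           ("rules/exploit.rules", header + rule)):
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    rules_dir = tempfile.mkdtemp()
    for name, body in (("shellcode.rules", header + rule),           # stale local copy
                       ("exploit.rules", header + "# " + rule)):     # all commented out
        with open(os.path.join(rules_dir, name), "w") as f:
            f.write(body)
    return buf.getvalue(), rules_dir
```

Calling stale_files(*build_sample()) returns ['shellcode.rules']; the same check run against the real tarball and rules directory after each PP run lists the files you would otherwise have to copy over by hand.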