snort-sigs February 2011 archive
Main Archive Page > Month Archives  > snort-sigs archives
snort-sigs: Re: [Snort-sigs] oinkmaster and so rules.. FAQ broke

Re: [Snort-sigs] oinkmaster and so rules.. FAQ broken?

From: Michael Scheidell <michael.scheidell_at_nospam>
Date: Wed Feb 09 2011 - 15:03:13 GMT
To: JJC <>

On 2/9/11 9:38 AM, JJC wrote:
> As such, and by design, it would
> be trivial for someone to use this data to write individual rules
> files back out from PP and this is a slated enhancement to PP. Having
> said that, I still advocate using a single rules file as it can
> dramatically reduce the complexity needed to run / tune your snort
> deployment. This does not apply to gid:3 stub rules though, they will
> still be written to a single output file.
I think stubs need to be re-written via snort itself, right?
> I certainly welcome any contribution to the tool such as the aforementioned :-)
then see attached: I am not sure if this means it already writes it out
file by file, or if this means its possible to edit it.

On 2/9/11 3:23 AM, Edward Fjellskål wrote:
>> one such reason that i'm aware, and i think i have talked with the pulledpork
>> maintainer about it, is the merging of all rules files into one rules file...
>> that is just not an option in our environment... management of individual rules
>> sets via the snort.conf is much easier handled with the distributed multiple
>> rules files... but this is quite possibly also a limitation of certain tools
>> used to manage the rules sets... i've not dug deeper into it because of the
>> corporate and local limits in place...
> Thats just one of the reasons I would not use pulledpork...
> One can solve this like I did:
> Check out the code between line 549 and 596.
> You need to preserve the "filename" (category) from where the rule was
> picked up when parsing the rulefiles.
> Then you can write them out to the original named rulefile again.

-- Michael Scheidell, CTO o: 561-999-5000 d: 561-948-2259 ISN: 1259*1300 >*| *SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best in Email Security,2010: Network Products Guide * King of Spam Filters, SC Magazine 2008 ______________________________________________________________________ This email has been scanned and certified safe by SpammerTrap(r). For Information please see ______________________________________________________________________

The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.

Snort-sigs mailing list