
rule duplication

Open matthbr opened this issue 5 years ago • 4 comments

Running pulledpork 0.7.4 generates a lot of duplicated rules. This happens even if the old rule file is deleted beforehand; the newly generated rule file will already contain the duplicates. An example is the rule with SID 32192, which I have once in the section

# ----- Begin VRT-malware-cnc Rules Category ----- #
# -- Begin GID:1 Based Rules -- #

and once in

# ----- Begin Snort-Community-community Rules Category ----- #
# -- Begin GID:1 Based Rules -- #

In my opinion one of the two rules should be disabled...

matthbr avatar Nov 08 '19 16:11 matthbr

Can you provide your pulledpork.conf (without your oinkcode) and your CLI runtime?

shirkdog avatar Nov 20 '19 00:11 shirkdog

Sorry for only answering now. Got stuck on another project.

I updated to master at the beginning of the month, but the problem still persisted then.

I assume CLI stands for command-line interface, a.k.a. shell; for that I tried it in "bash, version 5.0.3(1)-release" as well as "zsh 5.7.1".

I have Perl v5.28.1 installed, in case that matters.

My pulledpork.conf is here: pulledpork.conf.txt

matthbr avatar Feb 25 '20 15:02 matthbr

Is this still an issue? Let me know if you are still seeing sid:32912 duplicated in your rules file.

Also, by CLI runtime, I mean how you are running pulledpork and what flags you are passing to it.

shirkdog avatar Aug 24 '20 19:08 shirkdog

At Snort runtime, Snort picks the rule with the highest rev. If the revs are the same, then Snort picks the first one it comes to (since they are the same). Not really necessary for pulledpork to interpret anything here. We did this on purpose because Snort handles it correctly.

finchy avatar Sep 02 '20 15:09 finchy
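The tie-break finchy describes (highest rev wins, first copy in file order on equal revs) can be checked offline against a generated rules file before loading it into Snort. The script below is an added example, not pulledpork's or Snort's own code; it uses a constructed two-section sample modelled on the report, and the sid/rev regexes and the default rev of 0 for a rule that lacks a rev are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a pulledpork-generated rules file mirroring the report:
# SID 32192 appears once under VRT-malware-cnc and once under Snort-Community.
SAMPLE_RULES = """\
# ----- Begin VRT-malware-cnc Rules Category ----- #
# -- Begin GID:1 Based Rules -- #
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample beacon"; sid:32192; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC other sample"; sid:90001; rev:1;)
# ----- Begin Snort-Community-community Rules Category ----- #
# -- Begin GID:1 Based Rules -- #
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC sample beacon"; sid:32192; rev:3;)
"""

CATEGORY_RE = re.compile(r"^# ----- Begin (.+?) Rules Category ----- #")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev:\s*(\d+)\s*;")

def parse_rules(text):
    """Yield (sid, rev, category, line_no) for each active (non-commented) rule."""
    category = None
    for line_no, line in enumerate(text.splitlines(), 1):
        m = CATEGORY_RE.match(line)
        if m:
            category = m.group(1)   # remember which pulledpork section we are in
            continue
        if not line.strip() or line.startswith("#"):
            continue                # blank line or disabled rule
        sid = SID_RE.search(line)
        if not sid:
            continue
        rev = REV_RE.search(line)
        yield int(sid.group(1)), int(rev.group(1)) if rev else 0, category, line_no

def find_duplicates(text):
    """Return {sid: [(rev, category, line_no), ...]} for every SID seen more than once."""
    seen = defaultdict(list)
    for sid, rev, category, line_no in parse_rules(text):
        seen[sid].append((rev, category, line_no))
    return {sid: copies for sid, copies in seen.items() if len(copies) > 1}

def winning_copy(copies):
    """Highest rev wins; on a tie max() returns the first copy in file order."""
    return max(copies, key=lambda c: c[0])

if __name__ == "__main__":
    for sid, copies in find_duplicates(SAMPLE_RULES).items():
        print(f"sid:{sid} appears {len(copies)} times; loaded copy: {winning_copy(copies)}")
```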