Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Pulled pork disable not seeming to work anymore #100

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.  pp is run with:
/usr/bin/perl /opt/bin/pulledpork.pl -c /opt/etc/snort/pulledpork/pulledpork.conf -l -T -k

2.  pp.conf:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2910.tar.gz|<redacted>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
out_path=/opt/etc/snort/rules/
rule_path=/opt/etc/snort/rules/snort.rules
local_rules=/opt/etc/snort/rules/winco.rules
sid_msg=/opt/etc/snort/sid-msg.map
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/lib/snort_dynamicrules/
snort_path=/opt/bin/snort
config_path=/opt/etc/snort/snort.conf
sostub_path=/opt/etc/snort/rules/so_rules.rules

modifysid=/opt/etc/snort/pulledpork/modifysid.conf
dropsid=/opt/etc/snort/pulledpork/dropsid.conf
disablesid=/opt/etc/snort/pulledpork/disablesid.conf

3.  disablesid.conf contains: 
1:401,1:485,1:648,1:649,1:1390,1:1394,1:3079,1:3655,1:4152,1:4156,1:5713,1:5714,
1:5910,1:7201,1:7203,1:7033,1:7034,1:7035,1:8375,1:10505,1:10997,1:11837,1:12280
,1:12256,1:12286,1:12633,1:12634,1:12798,1:12799,1:12800,1:12801,1:12802,1:13300
,1:13301,1:13573,1:13824,1:13894,1:13964,1:13974,1:14644,1:14764,1:14998,1:15114
,1:15147,1:15362,1:15460,1:15469,1:15517,1:15587,1:15695,1:16214,1:16231,1:16295
,1:16377,1:16482,1:17153,1:17154,1:17231,1:17232,1:17245,1:17246,1:17276,1:17297
,1:17333,1:17363,1:17379,1:17390,1:17468,1:17484,1:17487,1:17494,1:17645,1:17750
,1:18608,1:18609,1:18682,1:19174,1:19177,1:19253,1:19274,1:19894,1:20117,1:20130
,1:2001569,1:2002196,1:2002751,1:2002878,1:2003122,1:2003195,1:2003494,1:2003601
,1:2003602,1:2006380,1:2008418,1:2009475,1:2010525,1:2010726,1:2010785,1:2010931
,1:2011346,1:2011347,1:2011582,1:2012046,1:2012064,1:2012075,1:2012086,1:2012205
,1:2012252,1:2012647,1:2012648,1:2012684,1:2013029,1:2013031,1:2013075,1:2013222
,1:2013267,1:2013437,1:2013459,1:2013504,1:2013514,1:2013869,1:100000137

4.  grep 2011582 *.rules
ET-emerging-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-1]|2[0-7])/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2011582; rev:10;)

What is the expected output? What do you see instead?
I expect to see rules disabled. Example:
grep 2003122 *.rules
ET-emerging-deleted.rules:#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; reference:url,docs.google.com; reference:url,doc.emergingthreats.net/2003122; classtype:policy-violation; sid:2003122; rev:5;)

What version of the product are you using? On what operating system?
0.6.1

Please provide any additional information below.

Original issue reported on code.google.com by digital...@gmail.com on 18 Nov 2011 at 5:49

GoogleCodeExporter commented 9 years ago
What happens if you run pulledpork with the -vv flag? The output should say 
that it explicitly disabled the sid of interest, but then it might also say 
that it was re-enabling it because it sets a flowbit.

Original comment by david.na...@gmail.com on 20 Nov 2011 at 4:43

GoogleCodeExporter commented 9 years ago
Heh...well I'll be:

Setting Flowbit State....
        WARN - 1:15587 is re-enabled by a check of the http.rtf flowbit!
        WARN - 1:2011582 is re-enabled by a check of the ET.http.javaclient flowbit!

Thanks for the quick response and assistance.  Close this baby out...they need 
an "Ignorant user" status/flag here ;)

Original comment by digital...@gmail.com on 22 Nov 2011 at 3:38
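The behaviour reported above (a sid listed in disablesid.conf being re-enabled because an enabled rule checks a flowbit it sets) is shown below as an added example. This is a simplified Python model written for this page, not pulledpork's own Perl code. The rule text for sids 2011582 and 2003122 is taken from the issue; sids 9000001 and 9000002 and the `HYPO.java.stage2` flowbit are constructed to show a two-step dependency chain. Treating `set`/`setx`/`unset`/`toggle` as flowbit producers and `isset`/`isnotset` as consumers, and iterating to a fixpoint, is an assumption about how such a check should behave, not a description of pulledpork's internals.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SidKey = Tuple[int, int]  # (gid, sid), the "1:2011582" form used in disablesid.conf

# Constructed sample rule file. Rules 2011582 and 2003122 are quoted from the issue;
# 9000001/9000002 and the HYPO.* flowbit are hypothetical, added for the example.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; fast_pattern:only; http_header; pcre:"/Java\/1.6.0_([0-1]|2[0-7])/"; flowbits:set,ET.http.javaclient.vulnerable; flowbits:unset,ET.http.javaclient; threshold: type limit, count 2, seconds 300, track by_src; classtype:bad-unknown; sid:2011582; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HYPOTHETICAL stage 2 - vulnerable Java client seen"; flow:established,to_server; flowbits:isset,ET.http.javaclient.vulnerable; flowbits:set,HYPO.java.stage2; classtype:bad-unknown; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"HYPOTHETICAL stage 3 - consumes stage 2 flowbit"; flow:established,to_server; flowbits:isset,HYPO.java.stage2; classtype:bad-unknown; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible docs.google.com Activity"; flow:established,to_server; content:"WRITELY_SID"; nocase; classtype:policy-violation; sid:2003122; rev:5;)
'''

# Constructed disablesid.conf in the same gid:sid list format the issue shows.
SAMPLE_DISABLESID = """\
# constructed: disable the producer, the middle rule and a rule with no flowbits
1:2011582,1:9000001,
1:2003122
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*([a-z]+)\s*(?:,\s*([^;]+?))?\s*;")
PRODUCER_OPS = {"set", "setx", "unset", "toggle"}   # assumption: these make a rule a producer
CHECKER_OPS = {"isset", "isnotset"}                 # these make a rule a consumer


@dataclass
class Rule:
    key: SidKey
    text: str
    sets: Set[str] = field(default_factory=set)    # flowbits this rule produces
    checks: Set[str] = field(default_factory=set)  # flowbits this rule tests


def parse_rules(text: str) -> Dict[SidKey, Rule]:
    """Extract gid/sid and flowbit usage from each rule line (commented rules included)."""
    rules: Dict[SidKey, Rule] = {}
    for line in text.splitlines():
        line = line.strip().lstrip("#").strip()
        m = SID_RE.search(line)
        if not line or not m:
            continue
        g = GID_RE.search(line)
        key = (int(g.group(1)) if g else 1, int(m.group(1)))
        rule = Rule(key, line)
        for op, arg in FLOWBITS_RE.findall(line):
            # "set,name[,group]" and "isset,a&b|c" forms; "noalert" carries no argument
            bits = {b.strip() for b in re.split(r"[&|]", arg.split(",")[0])} if arg else set()
            if op in PRODUCER_OPS:
                rule.sets |= bits
            elif op in CHECKER_OPS:
                rule.checks |= bits
        rules[key] = rule
    return rules


def parse_disablesid(text: str) -> Set[SidKey]:
    """Parse the comma/newline separated gid:sid list; '#' lines are comments."""
    out: Set[SidKey] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for tok in re.split(r"[\s,]+", line):
            if ":" in tok:
                gid, sid = tok.split(":", 1)
                out.add((int(gid), int(sid)))
    return out


def resolve_flowbit_dependencies(rules: Dict[SidKey, Rule], disabled: Set[SidKey]):
    """Re-enable any disabled producer whose flowbit is tested by an enabled rule.

    Returns (enabled-state map, {re-enabled sid: {flowbit: checking sids}}, warnings).
    Loops to a fixpoint because a re-enabled rule may itself test further flowbits.
    """
    enabled = {k: k not in disabled for k in rules}
    reenabled: Dict[SidKey, Dict[str, Set[SidKey]]] = {}
    warnings: List[str] = []
    changed = True
    while changed:
        changed = False
        checkers: Dict[str, Set[SidKey]] = {}
        for k, r in rules.items():
            if enabled[k]:
                for bit in r.checks:
                    checkers.setdefault(bit, set()).add(k)
        for k, r in rules.items():
            if enabled[k]:
                continue
            hit = {b: checkers[b] for b in r.sets if b in checkers}
            if hit:
                enabled[k] = True
                changed = True
                reenabled[k] = hit
                for bit in sorted(hit):
                    warnings.append(f"WARN - {k[0]}:{k[1]} is re-enabled by a check of the {bit} flowbit!")
    return enabled, reenabled, warnings


if __name__ == "__main__":
    state, why, warns = resolve_flowbit_dependencies(parse_rules(SAMPLE_RULES), parse_disablesid(SAMPLE_DISABLESID))
    print("Setting Flowbit State....")
    for w in warns:
        print("\t" + w)
    for k, deps in why.items():
        print(f"{k[0]}:{k[1]} kept on by checkers: {deps}")
```

The `reenabled` map is what the issue's log line does not give you: for each rule that came back on, it names the enabled rules that test its flowbits. In this model a producer only stays disabled if no enabled rule tests the bits it sets, so an operator who really wants sid 2011582 off has to look at that map and decide about the checkers as well, rather than adding the same sid to disablesid.conf again.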

GoogleCodeExporter commented 9 years ago
Closed not a bug

Original comment by Cummin...@gmail.com on 22 Nov 2011 at 9:35