Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Support for multiple rulesets #25

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Attempt to configure pulled-pork to download from more than one ruleset, for 
example both VRT and Emerging Threats.

What is the expected output? What do you see instead?
Expect to find the ability to configure multiple base-urls, or some other way 
of configuring multiple rule-sources.  Instead, no such options are 
available.

What version of the product are you using? On what operating system?
0.4.2, RHEL5.

Please provide any additional information below.
VRT + supplemental ET rules is not an uncommon configuration.  It's 
straightforward to configure in oinkmaster, but currently requires quite a bit 
of hoop-jumping involving multiple pulled-pork configs working in concert.

Original issue reported on code.google.com by mikeloc...@gmail.com on 30 Jun 2010 at 3:12

This seems like a reasonable requirement... I had planned on adding it and will 
work on doing so now.

Original comment by Cummin...@gmail.com on 30 Jun 2010 at 3:19

Oops, should have made this an enhancement.  It doesn't look like I have 
permission to fix it now, or can't figure out how if I do.

Original comment by mikeloc...@gmail.com on 30 Jun 2010 at 3:23

Our messages crossed in the ether, thanks for the quick response, and great 
work on PP.

Original comment by mikeloc...@gmail.com on 30 Jun 2010 at 3:24

Not a problem!  I'm sure you are aware that you will need to run pp 2x to 
achieve what you want now... one to get the first set of rules.. and the second 
to get the second.. while referencing the first set's rules file as a "local" 
rules file so that the sid-msg.map is fully populated.

JJC

Original comment by Cummin...@gmail.com on 30 Jun 2010 at 3:28
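The two-pass workaround above only works if the final sid-msg.map covers both rule sources. As an added illustration, not pulledpork's own code, this Python script parses two constructed rule files, merges them into a sid-msg.map in the classic `sid || msg` format, and reports SIDs that appear in more than one source, the check a practitioner wants before trusting a map built from VRT plus ET. Rule text and function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rules in Snort syntax (not real VRT or ET content).
# The ET sample deliberately reuses sid 1000001 to show collision reporting.
VRT_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; flow:to_server; sid:1000001; rev:2;)
# alert tcp any any -> any 80 (msg:"SAMPLE disabled rule"; sid:1000002; rev:1;)
"""
ET_RULES = """\
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE dns lookup"; sid:2000001; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE tls hello"; sid:1000001; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action keyword, a header,
# then the option block in parentheses.
RULE_RE = re.compile(
    r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*?\((?P<opts>.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg\s*:\s*"((?:[^"\\]|\\.)*)"\s*;')

def parse_rules(text, source):
    """Return [{sid, msg, enabled, source}] for every rule line in text."""
    entries = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank line, comment that is not a rule, etc.
        sid = SID_RE.search(m.group('opts'))
        msg = MSG_RE.search(m.group('opts'))
        if not sid or not msg:
            continue  # malformed rule: no sid or no msg, skip it
        entries.append({'sid': int(sid.group(1)), 'msg': msg.group(1),
                        'enabled': m.group(1) is None, 'source': source})
    return entries

def build_sid_msg_map(rulesets):
    """Merge rulesets into {sid: msg}; disabled rules are kept so alerts from
    either source still resolve. Returns (mapping, {sid: [sources]} collisions)."""
    mapping, owners = {}, defaultdict(list)
    for entries in rulesets:
        for e in entries:
            owners[e['sid']].append(e['source'])
            mapping.setdefault(e['sid'], e['msg'])  # first ruleset wins
    collisions = {s: srcs for s, srcs in owners.items() if len(set(srcs)) > 1}
    return mapping, collisions

def render_sid_msg_map(mapping):
    """Classic sid-msg.map layout: one 'sid || msg' line per rule, sorted."""
    return "\n".join(f"{sid} || {msg}" for sid, msg in sorted(mapping.items())) + "\n"
```

A non-empty collision dict means the two sources disagree about a SID, so the merged map would label one source's alerts with the other's message.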

Ok, check out what's in SVN now.. it should do the trick for you... Of course 
specifying any type of base policy (security, balanced, connectivity) will 
render the ET rules disabled, unless you specify some pcre foo in 
enablesid.conf ;-)  Please test and let me know what you think.

You will need to note the changes in pulledpork.conf!

Original comment by Cummin...@gmail.com on 30 Jun 2010 at 7:50

JJ: That was pretty ridiculously fast.  I looked through the changes and they 
look reasonable, I'll give the code a go on my test snort instance in the next 
week or so.

You might consider labeling this as a 0.5.0 release instead of 0.4.x if it 
breaks config-file compatibility.  I wasn't able to follow on a quick 
read-through whether base_url and rule_file would still work if they were 
specified instead of the new rule_url option.  I'll give it a test when I try 
the code out shortly.

Original comment by mikeloc...@gmail.com on 30 Jun 2010 at 8:59