shift / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Feature Request: Support for preprocessor and decoder rules #59

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Provide configuration option in pulledpork.conf to identify the location of 
decoder.rules and preprocessor.rules.

Allow these to be enabled/disabled when pp is run.

Obviously we do not need to "update" these or mess with gen-mesg.map but this 
would centralize administration of all alerts in one place.

Original issue reported on code.google.com by Jason.R....@gmail.com on 17 Jan 2011 at 3:01

GoogleCodeExporter commented 9 years ago
This is already built in, these rules are in the snort.rules output.

Original comment by Cummin...@gmail.com on 19 Jan 2011 at 6:42

GoogleCodeExporter commented 9 years ago
Are they only included if pulling the VRT rule set, because I have a sensor 
that only pulls the ET rule set and the decoder/preproc rules are not in the 
file it creates. I do not see an option to specify their location so how would 
PP know where they are?

Original comment by Jason.R....@gmail.com on 19 Jan 2011 at 8:00

GoogleCodeExporter commented 9 years ago
What is the path in the archive?

Original comment by Cummin...@gmail.com on 20 Jan 2011 at 4:09

GoogleCodeExporter commented 9 years ago
In the VRT rule tarball they are in preproc_rules\ but these are also shipped 
with the snort application tarball. So if you do not pull the VRT set you can't 
manage the ones that were shipped with snort.

preproc_rules\decoder.rules
preproc_rules\preprocessor.rules

Wait a second, are you sure these are currently handled by PP? If they were 
wouldn't you have to include an option to specify the location of gen-msg.map?

Original comment by Jason.R....@gmail.com on 20 Jan 2011 at 4:30

GoogleCodeExporter commented 9 years ago
Yes, PP absolutely already handles these, PP does not yet handle the gen-msg 
though... As this is currently largely a static file... It is trivial to 
manually manage this file.

I thought you meant these rules within the et ruleset...

You should be using the updated preproc rules from the VRT rules tarball and 
not the snort tarball

Original comment by Cummin...@gmail.com on 20 Jan 2011 at 4:59
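The thread turns on whether the merged snort.rules that pulledpork writes actually contains the decoder and preprocessor rules, which it will not on a sensor that pulls only the ET set. The following is an added example, not code from the pulledpork project or from anyone in this thread, that a sensor admin could run against the generated file to confirm those rules are present before assuming the sensor alerts on decode/preprocessor events. It assumes the `metadata: rule-type decode` / `rule-type preproc` markers and the `gid` keyword as they appear in Snort's own preproc_rules files; the sample rules file embedded below is constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of a merged snort.rules as pulledpork would write it.
# The decoder/preprocessor lines follow the shape of Snort's
# preproc_rules/decoder.rules and preprocessor.rules (assumption: the
# "metadata: rule-type decode|preproc" marker and gid 116 for decoder rules
# come from Snort's files, not from this thread). Sids/msgs are illustrative.
SAMPLE_RULES = """\
# sample text rule (constructed)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH probe"; flow:to_server; sid:2000001; rev:1;)
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode; classtype:protocol-command-decode; )
# alert ( msg: "DECODE_IPV4_INVALID_HEADER_LEN"; sid: 2; gid: 116; rev: 1; metadata: rule-type decode; classtype:protocol-command-decode; )
alert ( msg: "HI_CLIENT_ASCII"; sid: 1; gid: 119; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
"""

# What an ET-only sensor's output would look like: no decode/preproc rules at all.
ET_ONLY_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH probe"; flow:to_server; sid:2000001; rev:1;)
"""

RULE_TYPE = re.compile(r"metadata:\s*rule-type\s+(decode|preproc)\b")
GID = re.compile(r"\bgid:\s*(\d+)")
DECODER_GID = "116"  # Snort's decoder rules all carry gid 116


def classify_rules(text):
    """Count enabled (uncommented) rules as 'decode', 'preproc' or plain 'text'.

    Commented-out rules are skipped, matching how Snort ignores '#' lines,
    so a rule that pulledpork disabled does not count as present.
    """
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_TYPE.search(line)
        if m:
            counts[m.group(1)] += 1
            continue
        g = GID.search(line)
        # Fallback for a decoder rule that lost its metadata but kept gid 116
        if g and g.group(1) == DECODER_GID:
            counts["decode"] += 1
        else:
            counts["text"] += 1
    return counts


def missing_rule_types(text):
    """Return the list of preprocessor rule categories absent from the file."""
    counts = classify_rules(text)
    return [kind for kind in ("decode", "preproc") if counts[kind] == 0]


def preproc_rules_present(text):
    """True only when both decoder and preprocessor rules are enabled in the file."""
    return not missing_rule_types(text)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_RULES
    print(dict(classify_rules(data)))
    print("missing:", missing_rule_types(data) or "none")
```

Run it with the path to the snort.rules pulledpork produced; an empty "missing" list means the decoder and preprocessor rules made it into the merged output, while `['decode', 'preproc']` reproduces the situation the ET-only sensor in this thread was in.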

GoogleCodeExporter commented 9 years ago
Got it. I'll just pull the VRT set as well for this sensor. Thx for the help 
and sorry about the confusion.

Original comment by Jason.R....@gmail.com on 20 Jan 2011 at 5:11