shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

Pulledpork 0.7.3: local.rules are included in snort.rules #284

Closed rgctoo closed 6 years ago

rgctoo commented 6 years ago

Bug or Feature? I installed Snort 2.9.11.0 and pulledpork "0.7.3" from github. The download works, but Snort complains about duplicate rules (SIDs). I found that all rules of my "local.rules, .." also appear in the pulledpork-generated "snort.rules". Shouldn't local rules be excluded in "snort.rules"? My previous pulledpork-pre0.7.2 worked

shirkdog commented 6 years ago

This has come up before; the idea is that pulledpork will take all of the Snort rules AND your local.rules files and merge them into a single "snort.rules" to use, making it easier to maintain local updates while still updating your rules from elsewhere. The only thing you need in your snort.conf is:

include $RULE_PATH/snort.rules
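A quick way to confirm whether a snort.conf is hitting the duplicate-SID problem described above is to walk its `include` lines and report any SID that appears in more than one included rule file. The script below is an added example, not part of this issue thread or of the pulledpork project; the rule texts, SID numbers and the two snort.conf fragments are constructed samples, and the rule parsing is deliberately minimal (it handles `#` comments and backslash line continuation, nothing more).

```python
import re
from collections import defaultdict

# A SID option inside a rule body, e.g. "sid:1000001;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# An "include <path>" directive in snort.conf
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)", re.MULTILINE)


def rule_lines(text):
    """Yield logical rule lines, joining backslash-continued lines."""
    buf = ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def sids_in_rules(text):
    """Return the SIDs of active (non-commented) rules in a rule file."""
    sids = []
    for line in rule_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = SID_RE.search(stripped)
        if match:
            sids.append(int(match.group(1)))
    return sids


def included_rule_files(conf_text):
    """Return the paths of all included files ending in .rules, in order."""
    return [m.group(1) for m in INCLUDE_RE.finditer(conf_text)
            if m.group(1).endswith(".rules")]


def find_duplicate_sids(conf_text, files):
    """Map each SID seen in more than one included rule file to those files.

    files: dict of include path -> file contents (paths exactly as written
    in snort.conf, so $RULE_PATH is left unexpanded here).
    """
    seen = defaultdict(list)
    for path in included_rule_files(conf_text):
        if path not in files:
            continue  # included but not supplied; nothing to compare
        for sid in sids_in_rules(files[path]):
            seen[sid].append(path)
    return {sid: paths for sid, paths in seen.items() if len(paths) > 1}


# --- constructed sample data (hypothetical SIDs and paths) -----------------
SNORT_RULES = """\
# sample downloaded rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; \\
    flow:to_server; sid:9000001; rev:1;)
# merged in from local.rules by pulledpork
alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp test"; sid:1000001; rev:1;)
"""
LOCAL_RULES = """\
alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp test"; sid:1000001; rev:1;)
"""
FILES = {"$RULE_PATH/snort.rules": SNORT_RULES,
         "$RULE_PATH/local.rules": LOCAL_RULES}

# snort.conf that includes both the merged file and local.rules (duplicates)
CONF_BAD = """\
include classification.config
include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules
"""
# snort.conf as recommended above: only the pulledpork-generated file
CONF_GOOD = """\
include classification.config
include $RULE_PATH/snort.rules
"""

if __name__ == "__main__":
    for name, conf in (("bad", CONF_BAD), ("good", CONF_GOOD)):
        dupes = find_duplicate_sids(conf, FILES)
        print(f"{name}: {len(dupes)} duplicate SID(s)")
        for sid, paths in dupes.items():
            print(f"  sid {sid} in {', '.join(paths)}")
```

Run against a real deployment by reading each included `.rules` file from disk into the `files` dict (expanding `$RULE_PATH` yourself); an empty result means the config only pulls each SID in once, which is what the single `include $RULE_PATH/snort.rules` line gives you.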

rmonk commented 6 years ago

I just hit this as well. It's because the documentation (--help) says: -L Where do you want me to read your local.rules for inclusion in sid-msg.map

And the older behavior was to do the above exactly, read it in and generate a map, but don't actually include the rules. I think changing the documentation to be more clear would help here.