shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

pulledpork-0.7.3 updates local.rules file when configured to ignore local.rules #312

Open gmarkj opened 6 years ago

gmarkj commented 6 years ago

I am running pulled pork with the -k parameter and ignore=local.rules in the configuration file. I have observed that my local.rules file is being updated by pulled pork to delete all rules starting with # (example below). I expected local.rules to be unchanged; however, I wanted to check prior to proposing a patch.

My local.rules file has the following content prior to running pulled pork:

----- Begin local Rules Category -----

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000002; rev:001;)

After running pulled pork, the file has been changed to:

----- Begin local Rules Category -----

-- Begin GID:0 Based Rules --

alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
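
A way to catch the behaviour reported above before it costs you signatures: snapshot local.rules before the PulledPork run and diff the active SIDs afterwards. This is an added example, not PulledPork's own code; the sample files are constructed from the rules quoted in the issue, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not part of PulledPork): report SIDs that were present in
# a local.rules snapshot but are missing from the file after a PulledPork run.

# Print the sid of every active (non-commented) rule in a rules file,
# one per line, sorted lexically so comm(1) accepts the output.
rule_sids() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -o 'sid:[[:space:]]*[0-9][0-9]*' \
        | sed 's/sid:[[:space:]]*//' \
        | sort -u
}

# Print sids present in the "before" file ($1) but absent from the
# "after" file ($2). Exit status is 1 when at least one sid was dropped.
removed_sids() {
    before_tmp=$(mktemp)
    after_tmp=$(mktemp)
    rule_sids "$1" > "$before_tmp"
    rule_sids "$2" > "$after_tmp"
    comm -23 "$before_tmp" "$after_tmp"
    dropped=$(comm -23 "$before_tmp" "$after_tmp" | wc -l)
    rm -f "$before_tmp" "$after_tmp"
    [ "$dropped" -eq 0 ]
}

# Constructed sample input modelled on the local.rules contents quoted in
# the issue: two active rules before the run, one left afterwards.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/local.rules.before" <<'EOF'
# ----- Begin local Rules Category -----
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000002; rev:001;)
EOF
cat > "$SAMPLE_DIR/local.rules.after" <<'EOF'
# ----- Begin local Rules Category -----
# -- Begin GID:0 Based Rules --
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:10000001; rev:001;)
EOF

# Typical use against a live install (paths are assumptions):
#   cp /etc/snort/rules/local.rules /tmp/local.rules.before
#   ... run pulledpork.pl with -k and your usual options ...
#   removed_sids /tmp/local.rules.before /etc/snort/rules/local.rules
```

Run against the constructed sample, `removed_sids` prints `10000002` and exits non-zero, which is the signal to restore the snapshot and investigate before Snort or Suricata reloads the trimmed file.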

shirkdog commented 4 years ago

I am not seeing this issue, but there is something with this process that does not work correctly. So not an issue with removing signatures from local.rules, but not actually ignoring local.rules.