rule-update: run PulledPork with -T option if ENGINE=suricata #560

Closed
GoogleCodeExporter opened this issue Mar 24, 2015 · 3 comments

Comments

GoogleCodeExporter commented Mar 24, 2015

rule-update: run PulledPork with -T option if ENGINE=suricata

Original issue reported on code.google.com by doug.bu...@gmail.com on 17 Jul 2014 at 10:47

GoogleCodeExporter (author) commented Mar 24, 2015

        # Default to no PulledPork options
        PP_OPTIONS=""

        # OPTION: -n if we have no Internet connection
        if [ "$LOCAL_NIDS_RULE_TUNING" == "true" ] || [ "$LOCAL_NIDS_RULE_TUNING" == "yes" ]; then
                cp /opt/emergingthreats/emerging* /tmp
                PP_OPTIONS="-n"
                echo "LOCAL_NIDS_RULE_TUNING is enabled."
                echo "This will cause PulledPork to use the existing rules in /opt/emergingthreats/"
                echo "instead of downloading new rules from the Internet."
                echo "If you want PulledPork to download new rules from the Internet,"
                echo "set the following in /etc/nsm/securityonion.conf:"
                echo "LOCAL_NIDS_RULE_TUNING=no" 
        fi

        # OPTION: -T if the user is running Suricata
        if [ "$ENGINE" = "suricata" ]; then
                PP_OPTIONS="$PP_OPTIONS -T"
                echo "ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules."
        fi

        # Go get rules from Internet.
        echo "Running PulledPork."
        /usr/bin/pulledpork.pl -P $PP_OPTIONS -c /etc/nsm/pulledpork/pulledpork.conf |
                grep -v "normalizations disabled because not inline" |grep -v "^$"

Original comment by doug.bu...@gmail.com on 17 Jul 2014 at 11:17

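As an added example (not part of this issue and not Security Onion's rule-update script): a small POSIX shell script that derives the PulledPork option string the same way the snippet above does, but from explicit arguments instead of the ENGINE and LOCAL_NIDS_RULE_TUNING variables of the NSM config, so it can be run anywhere. It also carries a post-update check that counts Snort shared-object (SO) stub rules in a downloaded.rules file, recognised by the soid key in their metadata keyword; those stubs are what the -T option (PulledPork's "text rules only, do not process so_rules") is meant to keep out of a Suricata sensor's rule set, since Suricata cannot load them. The function names, the regex used to spot SO stubs, and the three-line sample rules file are assumptions constructed for this example, not real ET or VRT content.

```shell
#!/bin/sh
# Added example, not Security Onion code. Builds the PulledPork option
# string from explicit arguments rather than ambient shell variables.
#   $1 = engine ("snort" or "suricata")
#   $2 = LOCAL_NIDS_RULE_TUNING value ("true"/"yes" or anything else)
# Prints the resulting options on stdout (empty line if none).
pp_options() {
    engine="$1"
    local_tuning="$2"
    opts=""
    # -n: reuse the rules already on disk, do not download from the Internet
    case "$local_tuning" in
        true|yes) opts="-n" ;;
    esac
    # -T: text rules only. Suricata cannot load Snort shared-object (SO)
    # rules, so their stubs must not be written into downloaded.rules.
    if [ "$engine" = "suricata" ]; then
        opts="$opts -T"
    fi
    # Drop the leading space left by "$opts -T" when opts was empty.
    printf '%s\n' "${opts# }"
}

# Post-update sanity check: count rules whose metadata keyword carries a
# Snort SO stub id ("soid"). On a Suricata sensor the expected value is 0;
# anything else means -T was not in effect for the last PulledPork run.
# (Assumed detection regex; SO stubs use "metadata:engine shared, soid N|M".)
so_stub_count() {
    rules_file="$1"
    # grep -c prints 0 but exits 1 when nothing matches; keep set -e quiet.
    grep -c -E 'metadata:[^;]*soid' "$rules_file" || true
}

# Constructed sample downloaded.rules: two text rules and one SO stub.
make_sample_rules() {
    out="$1"
    cat > "$out" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE text rule 1"; flow:to_server; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE SO stub"; flow:to_server,established; metadata:engine shared, soid 3|9000002; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE text rule 2"; sid:9000003; rev:1;)
EOF
}

# Stand-alone run: show the options for each engine and run the check
# over the constructed sample file.
tmp=$(mktemp)
make_sample_rules "$tmp"
echo "snort,    LOCAL_NIDS_RULE_TUNING=no  -> PP_OPTIONS='$(pp_options snort no)'"
echo "suricata, LOCAL_NIDS_RULE_TUNING=yes -> PP_OPTIONS='$(pp_options suricata yes)'"
echo "SO stubs found in sample downloaded.rules: $(so_stub_count "$tmp")"
rm -f "$tmp"
```

On a real sensor the check would be pointed at the downloaded.rules that PulledPork writes (the path is whatever pulledpork.conf sets), and a non-zero count on a Suricata box is the symptom this issue's -T change is meant to prevent.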
GoogleCodeExporter (author) commented Mar 24, 2015

Submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/RoNGrHjMEGk/discussion

Original comment by doug.bu...@gmail.com on 17 Jul 2014 at 11:58

GoogleCodeExporter (author) commented Mar 24, 2015

Published:
http://blog.securityonion.net/2014/07/new-securityonion-rule-update-package.html

Original comment by doug.bu...@gmail.com on 25 Jul 2014 at 11:45

  • Changed state: Verified