rule duplication #339
Comments
Can you provide your pulledpork.conf (without your oink code) and your CLI runtime?
Sorry for only answering now. Got stuck on another project. I updated to master at the beginning of the month, but the problem still persisted then. I assume CLI stands for command-line interface, aka shell; for that I tried it in "bash, version 5.0.3(1)-release" as well as "zsh 5.7.1". I have Perl v5.28.1 installed, in case that matters. My pulledpork.conf is here: pulledpork.conf.txt
Is this still an issue? Let me know if you are still seeing sid:32912 duplicated in your rules file. Also, by CLI runtime, I mean how you are running pulledpork, and what flags you are passing to it.
At Snort runtime, Snort picks the rule with the highest rev. If the revs are the same, then Snort picks the first one it comes to (since they are the same). Not really necessary for pulledpork to interpret anything here. We did this on purpose because Snort handles it correctly.
Running pulledpork 0.7.4 generates a lot of duplicated rules. This happens even if the old rule file is deleted beforehand; the newly generated rule file will already contain the duplicates. An example is the rule with SID 32192 which I have once in the section
and once in
In my opinion one of the two rules should be disabled...
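To audit a generated rules file for the duplication reported here, the following added example (not code from pulledpork, Snort, or anyone in this thread) lists every duplicated gid:sid and applies the selection behaviour described in the comment above: highest rev wins, first occurrence wins on a tie. The sample rules, SIDs and section names are constructed, and treating a missing `gid` as 1 and a missing `rev` as 0 is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of a generated rules file (not taken from the issue).
SAMPLE_RULES = """\
# ----- Begin section-a Rules Category -----
alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:2;)
# alert tcp any any -> any 80 (msg:"disabled"; sid:1000001; rev:9;)
# ----- Begin section-b Rules Category -----
alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:3;)
alert tcp any any -> any 25 (msg:"constructed B"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"constructed B"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"constructed C"; gid:3; sid:1000002; rev:1;)
"""

QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # msg/content strings
OPTION = re.compile(r'\b(gid|sid|rev)\s*:\s*(\d+)\s*;')

def parse_rule(line):
    """Return (gid, sid, rev) for an enabled rule, or None for anything else."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    # Drop quoted strings so text like msg:"sid:1;" is not read as an option.
    body = QUOTED.sub('""', line[line.index("("):])
    opts = {k: int(v) for k, v in OPTION.findall(body)}
    if "sid" not in opts:
        return None
    # Assumption: a missing gid means 1 and a missing rev sorts lowest (0).
    return opts.get("gid", 1), opts["sid"], opts.get("rev", 0)

def find_duplicates(text):
    """Map (gid, sid) -> {'kept': line, 'shadowed': [lines]} for duplicates."""
    seen = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_rule(line)
        if parsed:
            gid, sid, rev = parsed
            seen[(gid, sid)].append((rev, lineno))
    report = {}
    for key, hits in seen.items():
        if len(hits) > 1:
            # Highest rev wins; on a tie the first occurrence in the file wins.
            kept = max(hits, key=lambda h: (h[0], -h[1]))[1]
            report[key] = {"kept": kept,
                           "shadowed": [n for _, n in hits if n != kept]}
    return report

if __name__ == "__main__":
    for (gid, sid), r in sorted(find_duplicates(SAMPLE_RULES).items()):
        print(f"gid {gid} sid {sid}: kept line {r['kept']}, shadowed {r['shadowed']}")
```

Commented-out rules are ignored, so a disabled copy with a higher rev does not count as the winner.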