Feature request: snort.org support in rulecat about py-idstools HOT 4 CLOSED

With an alternative community rules download url used by pulledpork https://github.com/shirkdog/pulledpork/blob/a2c1b6772f7dfd178a54aa2f4e9f4f04a9072389/etc/pulledpork.conf#L21, this works for me with https://github.com/jasonish/py-idstools/releases/tag/0.6.0 (only with Python2, due to #53)

idstools-rulecat --url "https://snort.org/downloads/community/community-rules.tar.gz" --merged community.rules
idstools-rulecat --url "https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=<oinkcode>" --merged snort.rules

from py-idstools.

I've updated git master to handle the case 1 - even though I still suggest linking directly to the full filename, I haven't seen that shorter URL before.

There are some other issues I think I need to deal with before adding proper support for the Snort URLs:

• My target is Suricata, there are known incompatibilities between Suricata and Snort rules, and I don't want to promote their use.
• If using for Snort, you really want to regenerate the SO rule stubs after updating, rulecat does not have support for that.
• Not sure yet how rulecat deals with the extra directories in the Talos ruleset.

Pulled Pork is really the tool to use for Snort.

from py-idstools.

It's ok if you want to keep the two enviroment separeted.

Btw, the URL of case 1 is found on official snort site:

You can close the Issue if support for Snort/Talos Rules is not intended.

Thanks.

from py-idstools.

Ah, I believe there is example is wrong as well. That will download the file as just "community" (missing extension) so the second command will fail for cut and pasters. I've notified them.

Closing for now. Snort support is something thats always on my mind, so feel free to raise this again sometime in the near future if I haven't myself.

from py-idstools.