I installed Oinkmaster to update the Snort rules at 7:00am every day. And
it works fine. But the Snort doesn't work after I restart it (snort).
And it is caused by the duplicated SID. Could you please help me on
these 2 questions? Thanks in advance!!
1. How does Oinkmaster check for the update rules? It compares the SID
or Content of a rule?
2. How does Oinkmaster handle the duplicated SID? Or I need to fix it
From: Andreas <andreaso@it...> - 2006-05-09 10:33:29
On Sunday 07 May 2006 08:09, Jackie Chen wrote:
> Hi there,
> I installed Oinkmaster to update the Snort rules at 7:00am everyday.
> And it works fine. But the Snort doesn't work after I restart it
> (snort). And it is caused by the duplicated SID.
I'm not sure I understand what you mean. Snort shouldn't have any
problems starting even if the sigs contain duplicate SIDs. Perhaps you
mean there are duplicate entries in the database? What's the exact
> 1. How does Oinkmaster check for the update rules? It compares the SID
> or Content of a rule?
It compares each old and new rule as two long strings, so the rule gets
updated regardless of what field in it changed. Also see "How it works"
in the README.
> 2. How does Oinkmaster handle the
> duplicated SID? or I need to fix it manually.
If there are duplicate SIDs in the downloaded signatures, Oinkmaster
will only keep one of each SID so the dup will never make it into your
local rules files. If you want to know the details of how it's done,
see the Changelog for Oinkmaster 1.1 ("Better handling of duplicate
rules"). This is not needed unless the downloaded signatures are broken
and actually contain dups though, so I don't think it's related to
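
The two behaviours described in the reply above, whole-string comparison of old and new rules and keeping one rule per SID, as an added Python example that is not part of the thread and is not Oinkmaster's own code. The rule text is constructed sample data, the function names are hypothetical, and keeping the duplicate with the higher `rev` is this example's assumption, since the thread does not say which copy is kept.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")

def rev(rule):
    """Return the rule's rev number, or 0 when it has none."""
    m = REV_RE.search(rule)
    return int(m.group(1)) if m else 0

def parse_rules(text):
    """Return (rules, dups): one rule string per SID, plus the SIDs seen twice."""
    rules, dups = {}, []
    joined = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-continued lines
    for line in joined.splitlines():
        line = line.strip()
        m = SID_RE.search(line)
        if not line or line.startswith("#") or not m:
            continue  # skip blanks, comments, disabled rules, non-rule lines
        sid = int(m.group(1))
        if sid in rules:
            dups.append(sid)
            if rev(line) <= rev(rules[sid]):
                continue  # assumption: the copy with the higher rev wins
        rules[sid] = line
    return rules, dups

def diff_rules(old, new):
    """Compare rule sets by SID; a rule is modified if its whole string differs."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(s for s in old.keys() & new.keys() if old[s] != new[s]),
    }

# Constructed sample rules, not taken from any real rule set.
OLD = r"""
alert tcp any any -> any 80 (msg:"TEST old text"; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"TEST ftp"; sid:1000002; rev:1;)
"""
NEW = r"""
alert tcp any any -> any 80 (msg:"TEST new text"; sid:1000001; rev:1;)
alert tcp any any -> any 21 (msg:"TEST ftp"; sid:1000002; rev:1;)
alert tcp any any -> any 21 (msg:"TEST ftp v2"; sid:1000002; rev:2;)
alert tcp any any -> any 25 (msg:"TEST smtp"; \
    sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    old, _ = parse_rules(OLD)
    new, dups = parse_rules(NEW)
    print("duplicate SIDs in download:", dups)
    print(diff_rules(old, new))
```

SID 1000001 is reported as modified although its `rev` is unchanged, because only the `msg` text differs and the comparison is on the full rule string.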