rule duplication

[matthbr]

running pulled pork 0.7.4 generates a lot of duplicated rules. This happens even if the old rule file is deleted beforehand the newly generated rule file will already contain the duplicates. An example is the rule with SID 32192 which I have once in the section

# ----- Begin VRT-malware-cnc Rules Category ----- #
# -- Begin GID:1 Based Rules -- #

and once in

# ----- Begin Snort-Community-community Rules Category ----- #
# -- Begin GID:1 Based Rules -- #

In my opinion one of the two rules should be disabled...

[shirkdog]

Can you provide your pulledpork.con (without your oink code) and your CLI runtime?

[matthbr]

Sorry for only answering now. Got stuck on an other project.

I updated to master beginning of the month but the problem still persisted then.

I assume CLI stands for Command-line interface aka shell for that I tried it in "bash, version 5.0.3(1)-release" as well as "zsh 5.7.1".

I have Perl v5.28.1 installed. In case that matters.

My pulledpork.conf is here: pulledpork.conf.txt

[shirkdog]

Is this still an issue? let me know if you are still seeing sid:32912 still duplicated in your rules file.

Also, by CLI runtime, I mean how you are running pulledpork, and what flags you are passing to it

[finchy]

at Snort runtime, Snort picks the rule with the highest rev. if the revs are the same, then Snort picks the first one it comes to (since they are the same). Not really necessary for pulledpork to interpret anything here. We did this on purpose because Snort handles it correctly.