[Snort-sigs] typical errors when trying pulledpork

PR oly562 at ...2420...
Fri Sep 7 15:13:01 EDT 2012


hi all,


1. modified and created dirs for what pulledpork.conf requires as root
user.


2. ran this cmd:

root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf
-c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security


3. got this error:

root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf
-c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX:
command not found
./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not
found


4. here is the conf in entirety:

# more pulledpork.conf 
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take 
# precedence over any value that you specify in this file!

#######
#######  The below section defines what your oinkcode is (required for 
#######  VRT rules), defines a temp path (must be writable) and also 
#######  defines what version of rules that you are getting (for your 
#######  snort version and subscription etc...)
####### 

# The rule_url value replaces the old base_url and rule_file
configuration
# options.  You can now specify one or as many rule_urls as you like,
they 
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You
can specif
y
# each on an individual line, or you can specify them in a , separated
list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a
pipe |
# i.e. url|tarball|123456789, 
#rule_url=https://www.snort.org/reg-rules/|
snortrules-snapshot.tar.gz|<oinkcode>



##*** ( here is line 21 )***

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
6d31c34a34b
8e7d8a42751d16b50e3dda634XXXX

# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
6d31c34a34b8e7d8a42751d
16b50e3dda634XXXX



#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name
change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et
oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the
version
# portion of the tarball name, this is because PP now automatically
populates
# this value for you, if, however you put the version information in, PP
will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma
separated list
# with no spaces.  There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the
category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid
1
#    rulefiles located in the /rules directory of the tarball, ie:
policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the
tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only
shared-object
#    rules located in the /so_rules directory of the tarball, ie:
netbios.so
# The example below ignores dos rules wherever they may appear,
sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p
rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out
the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data

# Define your Oinkcode - DEPRICATED, SEE RULE_URL
# oinkcode=replacethiswithyouroinkcode

# What is our temp path, be sure this path has a bit of space for rule 
# extraction and manipulation, no trailing slash
temp_path=/tmp

#######
#######  The below section is for rule processing.  This section is 
#######  required if you are not specifying the configuration using
#######  runtime switches.  Note that runtime switches do SUPERSEED 
#######  any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed 
# rules? (this value has changed as of 0.4.0, previously we copied 
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/usr/local/etc/snort/rules/snort.rules

# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be
used with 
the
# -k runtime flag, this can be set at runtime using the -K flag or
specified
# here.  If specified here, the -k option must also be passed at
runtime, however
# specifying -K <path> at runtime forces the -k option to also be set


###(created all the dirs and pointed to currently snort.conf )

# out_path=/usr/local/etc/snort/rules/

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information.  You can specify other rules
# files that are local to your system here by adding a comma and more
paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
###(yadda)

local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map

# Where do you want me to put the sid changelog?  This is a changelog 
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional

#######
#######  The below section is for so_rule processing only.  If you don't
#######  need to use them.. then comment this section out!
#######  Alternately, if you are not using pulledpork to process 
#######  so_rules, you can specify -T at runtime to bypass this
altogether
#######

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
#snort_path=/usr/local/bin/snort

(modified current path)

snort_path=/usr/sbin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files

config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that
pulledpork
# has processed, note that this has changed as of 0.4.0 just like the
rules_path
!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0,
FreeBSD-8-1
# OpenSUSE-11-3
distro=FreeBSD-8.0

#######  This next section is optional, but probably pretty useful to
you.
#######  Please read thoroughly!

# What do you want to backup and archive?  This is a comma separated
list
# of file or directory values.  If a directory is specified, PP will
recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules,
pulledpork
# config files, and snort shared object binary rules.
#
backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dyn
amicrules/

# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically
added
# to the backup_file name on completeion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is
commented 
# out then they will not be copied / extracted.  Note that extracting
them 
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control
the order
# that pulledpork performs the modify operations, specifically the
enablesid
# disablesid and dropsid functions.  An example use case here would be
to
# disable an entire category and later enable only a rule or two out of
it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable


# Define the path to the pid files of any running process that you want
to
# HUP after PP has completed its run.
#
pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if
the 
# proper snort binary is not on the system that you are fetching the
rules with
# Defining this value will set the Textonly flag, and thus will NOT
allow
# you to use shared object rules.  This value MUST contain all 4 minor
version
# numbers. ET rules are now also dependant on this, verify supported ET
versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0

# Here you can specify what rule modification files to run
automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.  
# Note that setting this value will disable all ET rulesets if you are 
# Running such rulesets
# ips_policy=security

####### Remember, a number of these values are optional.. if you don't 
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.6.0


5. your thoughts? your suggestions?

thanks, pete
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120907/a0499586/attachment.html>


More information about the Snort-sigs mailing list