[Snort-sigs] typical errors when trying pulledpork

PR oly562 at ...2420...
Fri Sep 7 15:30:41 EDT 2012


Oops, I figured out my mistake lolol...

OK, but now I run into the same prob as before: versioning!


Here is what I get when I do the cmd properly, at the tail of stdout:

The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the
pulledpork.conf!
 at ./pulledpork.pl line 1736.

I will go to pulledpork.pl line 1736 now. brb.......



OK, I thought, no, I swear it says on the snort.org page that pulledpork will
automagically decide which version of rules to download/upgrade to.


-*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
   ''''    By Martin Roesch & The Snort Team:

So...... let me guess, 2.9.2 isn't "supported". Here is what I think: I
think it's too hard for anyone to simply update rules unless you always
update your snort program to the same version; that's just ludicrous!

Yes I'm running acidbase, yes it was loaded with apt-get install
snort-mysql snort acidbase, so what...

I can move files and confs to point in the right direction, not the issue;
it's the updating of the snort program and ONLY allowing automation to
those who either
1. pay
2. pay to have you guys install
3. pay to stay current
4. pay pay pay, rather than providing a script that keeps the snort
program updated no matter what version you have, within reason, like 2.9.x
5. How about fixing that perl script on the server side to allow us to
download the files automagically as it claims

I have used snort since the beginning; it always was easy to update and so forth,
but now it's getting silly.

OK, there, I'm done ranting; however, I still need FREE input, like
community input.

If not, as usual I will just figure it out; it may take a while but I'll
get it, I have before, and can do again. I'm complaining because it's not
simple anymore, or as simple as it can be to download some rules
automatically.

Sighs.... you can comment if you like, but I know each of you has been
here before at some point in your snorting career...



On Fri, 2012-09-07 at 12:13 -0700, PR wrote:
> Hi all,
> 
> 
> 1. Modified and created dirs for what pulledpork.conf requires as root
> user.
> 
> 
> 2. Ran this cmd:
> 
> root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> 
> 
> 3. Got this error:
> 
> root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> ./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX: command not found
> ./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not found
> 
> 
> 4. Here is the conf in its entirety:
> 
> # more pulledpork.conf
> # Config file for pulledpork
> # Be sure to read through the entire configuration file
> # If you specify any of these items on the command line, it WILL take
> # precedence over any value that you specify in this file!
> 
> #######
> #######  The below section defines what your oinkcode is (required for
> #######  VRT rules), defines a temp path (must be writable) and also
> #######  defines what version of rules that you are getting (for your
> #######  snort version and subscription etc...)
> #######
> 
> # The rule_url value replaces the old base_url and rule_file configuration
> # options.  You can now specify one or as many rule_urls as you like, they
> # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
> # each on an individual line, or you can specify them in a , separated list
> # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
> # note that the url, rule file, and oinkcode itself are separated by a pipe |
> # i.e. url|tarball|123456789,
> #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
> 
> 
> ##*** ( here is line 21 )***
> 
> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
> 
> # get the rule docs!
> #rule_url=https://www.snort.org/reg-rules/|opensource.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
> 
> 
> #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
> # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
> # and the et oinkcode requirement!
> #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
> # NOTE above that the VRT snortrules-snapshot does not contain the version
> # portion of the tarball name, this is because PP now automatically populates
> # this value for you, if, however you put the version information in, PP will
> # NOT populate this value but will use your value!
> 
> # Specify rule categories to ignore from the tarball in a comma separated list
> # with no spaces.  There are four ways to do this:
> # 1) Specify the category name with no suffix at all to ignore the category
> #    regardless of what rule-type it is, ie: netbios
> # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
> #    rulefiles located in the /rules directory of the tarball, ie: policy.rules
> # 3) Specify the category name with a '.preproc' suffix to ignore only
> #    preprocessor rules located in the /preproc_rules directory of the tarball,
> #    ie: sensitive-data.preproc
> # 4) Specify the category name with a '.so' suffix to ignore only shared-object
> #    rules located in the /so_rules directory of the tarball, ie: netbios.so
> # The example below ignores dos rules wherever they may appear, sensitive-
> # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
> # and netbios gid-1 rules (while including netbios so-rules):
> # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
> # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
> ignore=deleted.rules,experimental.rules,local.rules
> # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
> # previous ignore line and uncomment the following!
> #
> ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
> 
> # Define your Oinkcode - DEPRICATED, SEE RULE_URL
> # oinkcode=replacethiswithyouroinkcode
> 
> # What is our temp path, be sure this path has a bit of space for rule
> # extraction and manipulation, no trailing slash
> temp_path=/tmp
> 
> #######
> #######  The below section is for rule processing.  This section is
> #######  required if you are not specifying the configuration using
> #######  runtime switches.  Note that runtime switches do SUPERSEED
> #######  any values that you have specified here!
> #######
> 
> # What path you want the .rules file containing all of the processed
> # rules? (this value has changed as of 0.4.0, previously we copied
> # all of the rules, now we are creating a single large rules file
> # but still keeping a separate file for your so_rules!
> rule_path=/usr/local/etc/snort/rules/snort.rules
> 
> # What path you want the .rules files to be written to, this is UNIQUE
> # from the rule_path and cannot be used in conjunction, this is to be used with the
> # -k runtime flag, this can be set at runtime using the -K flag or specified
> # here.  If specified here, the -k option must also be passed at runtime, however
> # specifying -K <path> at runtime forces the -k option to also be set
> 
> 
> ###(created all the dirs and pointed to currently snort.conf )
> 
> # out_path=/usr/local/etc/snort/rules/
> 
> # If you are running any rules in your local.rules file, we need to
> # know about them to properly build a sid-msg.map that will contain your
> # local.rules metadata (msg) information.  You can specify other rules
> # files that are local to your system here by adding a comma and more paths...
> # remember that the FULL path must be specified for EACH value.
> # local_rules=/path/to/these.rules,/path/to/those.rules
> ###(yadda)
> 
> local_rules=/usr/local/etc/snort/rules/local.rules
> 
> # Where should I put the sid-msg.map file?
> sid_msg=/usr/local/etc/snort/sid-msg.map
> 
> # Where do you want me to put the sid changelog?  This is a changelog
> # that pulledpork maintains of all new sids that are imported
> sid_changelog=/var/log/sid_changes.log
> # this value is optional
> 
> #######
> #######  The below section is for so_rule processing only.  If you don't
> #######  need to use them.. then comment this section out!
> #######  Alternately, if you are not using pulledpork to process
> #######  so_rules, you can specify -T at runtime to bypass this altogether
> #######
> 
> # What path you want the .so files to actually go to *i.e. where is it
> # defined in your snort.conf, needs a trailing slash
> sorule_path=/usr/local/lib/snort_dynamicrules/
> 
> # Path to the snort binary, we need this to generate the stub files
> #snort_path=/usr/local/bin/snort
> 
> (modified current path)
> 
> snort_path=/usr/sbin/snort
> 
> # We need to know where your snort.conf file lives so that we can
> # generate the stub files
> 
> config_path=/usr/local/etc/snort/snort.conf
> 
> # This is the file that contains all of the shared object rules that pulledpork
> # has processed, note that this has changed as of 0.4.0 just like the rules_path!
> sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> 
> # Define your distro, this is for the precompiled shared object libs!
> # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
> # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
> # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
> # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
> # OpenSUSE-11-3
> distro=FreeBSD-8.0
> 
> #######  This next section is optional, but probably pretty useful to you.
> #######  Please read thoroughly!
> 
> # What do you want to backup and archive?  This is a comma separated list
> # of file or directory values.  If a directory is specified, PP will recurse
> # through said directory and all subdirectories to archive all files.
> # The following example backs up all snort config files, rules, pulledpork
> # config files, and snort shared object binary rules.
> #
> backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
> 
> # what path and filename should we use for the backup tarball?
> # note that an epoch time value and the .tgz extension is automatically added
> # to the backup_file name on completeion i.e. the written file is:
> # pp_backup.1295886020.tgz
> # backup_file=/tmp/pp_backup
> 
> # Where do you want the signature docs to be copied, if this is commented
> # out then they will not be copied / extracted.  Note that extracting them
> # will add considerable runtime to pulledpork.
> # docs=/path/to/base/www
> 
> # The following option, state_order, allows you to more finely control the order
> # that pulledpork performs the modify operations, specifically the enablesid
> # disablesid and dropsid functions.  An example use case here would be to
> # disable an entire category and later enable only a rule or two out of it.
> # the valid values are disable, drop, and enable.
> # state_order=disable,drop,enable
> 
> 
> # Define the path to the pid files of any running process that you want to
> # HUP after PP has completed its run.
> #
> pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
> # and so on...
> # pid_path=/var/run/snort_eth0.pid
> 
> # This defines the version of snort that you are using, for use ONLY if the
> # proper snort binary is not on the system that you are fetching the rules with
> # Defining this value will set the Textonly flag, and thus will NOT allow
> # you to use shared object rules.  This value MUST contain all 4 minor version
> # numbers. ET rules are now also dependant on this, verify supported ET versions
> # prior to simply throwing rubbish in this variable kthx!
> # snort_version=2.9.0.0
> 
> # Here you can specify what rule modification files to run automatically.
> # simply uncomment and specify the apt path.
> # enablesid=/usr/local/etc/snort/enablesid.conf
> # dropsid=/usr/local/etc/snort/dropsid.conf
> # disablesid=/usr/local/etc/snort/disablesid.conf
> # modifysid=/usr/local/etc/snort/modifysid.conf
> 
> # What is the base ruleset that you want to use, please uncomment to use
> # and see the README.RULESETS for a description of the options.
> # Note that setting this value will disable all ET rulesets if you are
> # Running such rulesets
> # ips_policy=security
> 
> ####### Remember, a number of these values are optional.. if you don't
> ####### need to process so_rules, simply comment out the so_rule section
> ####### you can also specify -T at runtime to process only GID 1 rules.
> 
> version=0.6.0
> 
> 
> 5. Your thoughts? Your suggestions?
> 
> Thanks, Pete
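As an added example (not part of the thread, and not pulledpork's own code), a small Python linter for the checks worth running on the posted pulledpork.conf before invoking pulledpork.pl: the url|tarball|oinkcode form of rule_url, a key set twice (both ignore= lines are active in the conf above), stray non-assignment lines, the distro name against the list in the conf's own comments, and whether snort_path exists, which is what the "specified Snort binary does not exist" message at pulledpork.pl line 1736 is about. The distro list and the sample conf are constructed from the posted text and are assumptions, not pulledpork's validation rules.

```python
# Added example (not from the thread or from pulledpork itself): lint a
# pulledpork.conf for the mistakes visible in the posted one before running pulledpork.pl.
import os

# Distro names copied from the comment block of the posted conf (assumption:
# that comment is the complete list for this pulledpork release).
KNOWN_DISTROS = set("""Debian-Lenny Ubuntu-6.01.1 Ubuntu-8.04 CentOS-4.6 Centos-4-8
CentOS-5.0 Centos-5-4 FC-5 FC-9 FC-11 FC-12 RHEL-5.0 FreeBSD-6.3 FreeBSD-7-2
FreeBSD-7-3 FreeBSD-7.0 FreeBSD-8-0 FreeBSD-8-1 OpenSUSE-11-3""".split())

# Constructed sample: the active lines of the posted conf, with the <oinkcode> placeholder kept in.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
ignore=deleted.rules,experimental.rules,local.rules
ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
(modified current path)
snort_path=/usr/sbin/snort
distro=FreeBSD-8.0
"""

def parse_conf(text):
    """Yield (key, value, lineno) for active lines; a stray non-assignment line gets key None."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            yield (key.strip() if sep else None, value.strip() if sep else line, n)

def lint_conf(text, path_exists=os.path.exists):
    """Return human-readable findings for a pulledpork.conf (empty list means clean)."""
    findings, seen = [], {}
    for key, value, n in parse_conf(text):
        if key is None:
            findings.append(f"line {n}: stray text, neither comment nor key=value: {value!r}")
            continue
        if key != "rule_url" and key in seen:  # only rule_url may repeat, per the conf comments
            findings.append(f"line {n}: '{key}' is already set on line {seen[key]}; keep one")
        seen.setdefault(key, n)
        if key == "rule_url":
            for entry in value.split(","):  # comma-separated list of url|tarball|oinkcode
                parts = entry.split("|")
                if len(parts) != 3 or not parts[0].endswith("/") or not all(parts):
                    findings.append(f"line {n}: rule_url must be url/|tarball|oinkcode: {entry!r}")
                elif parts[2].startswith("<"):
                    findings.append(f"line {n}: oinkcode placeholder {parts[2]!r} never replaced")
        elif key == "distro" and value not in KNOWN_DISTROS:
            findings.append(f"line {n}: distro {value!r} not in the conf's list (FreeBSD-8-0?)")
        elif key == "snort_path" and not path_exists(value):
            findings.append(f"line {n}: snort binary {value!r} does not exist; pulledpork dies on this")
    return findings
```

The `command not found` lines in the first post come from the shell executing pulledpork.conf itself as a script: the `|` characters in rule_url on line 21 were parsed as a pipeline, so the tarball name and the oinkcode were looked up as commands. Running `./pulledpork.pl -c .../pulledpork.conf` instead is what reaches the Snort binary check shown in the reply.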




