[Snort-sigs] typical errors when trying pulledpork

PR oly562 at ...2420...
Fri Sep 7 16:17:26 EDT 2012


I guess I should wait 15 mins? I don't think I can grab another since I
don't pay for rules... What do you think? Should I just go for it?



On Fri, 2012-09-07 at 13:15 -0700, PR wrote:
> Next error... I mv'd this file, guess I should put it back...
> 
> ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf
> -I Security
> 
>     http://code.google.com/p/pulledpork/
>       _____ ____
>      `----,\    )
>       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
>   @_/        /  66\_  cummingsj at ...2420...
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
> Rules tarball download of snortrules-snapshot-2920.tar.gz....
> 	They Match
> 	Done!
> Prepping rules from snortrules-snapshot-2920.tar.gz for work....
> 	Done!
> Reading rules...
> Generating Stub Rules....
> 	An error occurred: ERROR: Unable to open rules file "/usr/local/etc/snort/database.conf": No such file or directory.
> 
> 	An error occurred: Fatal Error, Quitting..
> 
> 
> more to follow....
> 
> On Fri, 2012-09-07 at 12:30 -0700, PR wrote:
> > Oops, I figured out my mistake lolol...
> > 
> > OK, but now I run into the same prob as before. Versioning!
> > 
> > 
> > Here is what I get when I do the cmd properly, at the tail of stdout:
> > 
> > The specified Snort binary does not exist!
> > Please correct the value or specify the FULL rules tarball name in the
> > pulledpork.conf!
> >  at ./pulledpork.pl line 1736.
> > 
> > I will go to pulledpork.pl line 1736 now. brb.......
> > 
> > 
> > 
> > OK, I thought, no, I swear it says on the snort.org page that pulledpork will
> > automagically decide which version to download/upgrade rules to.
> > 
> > 
> > -*> Snort! <*-
> >   o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
> >    ''''    By Martin Roesch & The Snort Team:
> > 
> > so...... let me guess, 2.9.2 isn't "supported". Here is what I think: I
> > think it's too hard for anyone to simply update rules unless you always
> > update your snort program to the same version, that's just ludicrous!
> > 
> > Yes, I'm running acidbase, yes it was loaded with apt-get install
> > snort-mysql snort acidbase, so what...
> > 
> > I can move files and confs to point in the right direction, not the issue,
> > it's the updating of the snort program and ONLY allowing automation to
> > those who either
> > 1. pay
> > 2. pay to have you guys install
> > 3. pay to stay current
> > 4. pay pay pay, rather than providing a script that keeps the snort
> > program updated no matter what version you have in reason like 2.9.x
> > 5. How about fixing that perl script on the server side to allow us to
> > download the files automagically as it claims
> > 
> > I used snort since the beginning, it always was easy to update and so forth,
> > but now, it's getting silly.
> > 
> > OK, there, I'm done ranting, however, I still need FREE input, like
> > community input.
> > 
> > If not, as usual I will just figure it out, may take a while but I'll
> > get it, I have before, and can do again. I'm complaining because it's not
> > simple anymore. Or as simple as it can be to download some rules
> > automatically.
> > 
> > Sighs.... you can comment if you like, but I know each of you have been
> > here before at some point in your snorting career...
> > 
> > 
> > 
> > On Fri, 2012-09-07 at 12:13 -0700, PR wrote:
> > > hi all,
> > > 
> > > 
> > > 1. modified and created dirs for what pulledpork.conf requires as root
> > > user.
> > > 
> > > 
> > > 2. ran this cmd:
> > > 
> > > root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> > > 
> > > 
> > > 3. got this error:
> > > 
> > > root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> > > ./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX: command not found
> > > ./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not found
> > > 
> > > 
> > > 4. here is the conf in entirety:
> > > 
> > > # more pulledpork.conf
> > > # Config file for pulledpork
> > > # Be sure to read through the entire configuration file
> > > # If you specify any of these items on the command line, it WILL take
> > > # precedence over any value that you specify in this file!
> > > 
> > > #######
> > > #######  The below section defines what your oinkcode is (required for
> > > #######  VRT rules), defines a temp path (must be writable) and also
> > > #######  defines what version of rules that you are getting (for your
> > > #######  snort version and subscription etc...)
> > > #######
> > > 
> > > # The rule_url value replaces the old base_url and rule_file configuration
> > > # options.  You can now specify one or as many rule_urls as you like, they
> > > # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
> > > # each on an individual line, or you can specify them in a , separated list
> > > # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
> > > # note that the url, rule file, and oinkcode itself are separated by a pipe |
> > > # i.e. url|tarball|123456789,
> > > #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
> > > 
> > > 
> > > 
> > > ##*** ( here is line 21 )***
> > > 
> > > rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
> > > 
> > > # get the rule docs!
> > > #rule_url=https://www.snort.org/reg-rules/|opensource.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
> > > 
> > > 
> > > 
> > > #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
> > > # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
> > > # and the et oinkcode requirement!
> > > #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
> > > # NOTE above that the VRT snortrules-snapshot does not contain the version
> > > # portion of the tarball name, this is because PP now automatically populates
> > > # this value for you, if, however you put the version information in, PP will
> > > # NOT populate this value but will use your value!
> > > 
> > > # Specify rule categories to ignore from the tarball in a comma separated list
> > > # with no spaces.  There are four ways to do this:
> > > # 1) Specify the category name with no suffix at all to ignore the category
> > > #    regardless of what rule-type it is, ie: netbios
> > > # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
> > > #    rulefiles located in the /rules directory of the tarball, ie: policy.rules
> > > # 3) Specify the category name with a '.preproc' suffix to ignore only
> > > #    preprocessor rules located in the /preproc_rules directory of the tarball,
> > > #    ie: sensitive-data.preproc
> > > # 4) Specify the category name with a '.so' suffix to ignore only shared-object
> > > #    rules located in the /so_rules directory of the tarball, ie: netbios.so
> > > # The example below ignores dos rules wherever they may appear, sensitive-
> > > # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
> > > # and netbios gid-1 rules (while including netbios so-rules):
> > > # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
> > > # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
> > > ignore=deleted.rules,experimental.rules,local.rules
> > > # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
> > > # previous ignore line and uncomment the following!
> > > #
> > > ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
> > > 
> > > # Define your Oinkcode - DEPRICATED, SEE RULE_URL
> > > # oinkcode=replacethiswithyouroinkcode
> > > 
> > > # What is our temp path, be sure this path has a bit of space for rule
> > > # extraction and manipulation, no trailing slash
> > > temp_path=/tmp
> > > 
> > > #######
> > > #######  The below section is for rule processing.  This section is
> > > #######  required if you are not specifying the configuration using
> > > #######  runtime switches.  Note that runtime switches do SUPERSEED
> > > #######  any values that you have specified here!
> > > #######
> > > 
> > > # What path you want the .rules file containing all of the processed
> > > # rules? (this value has changed as of 0.4.0, previously we copied
> > > # all of the rules, now we are creating a single large rules file
> > > # but still keeping a separate file for your so_rules!
> > > rule_path=/usr/local/etc/snort/rules/snort.rules
> > > 
> > > # What path you want the .rules files to be written to, this is UNIQUE
> > > # from the rule_path and cannot be used in conjunction, this is to be used with the
> > > # -k runtime flag, this can be set at runtime using the -K flag or specified
> > > # here.  If specified here, the -k option must also be passed at runtime, however
> > > # specifying -K <path> at runtime forces the -k option to also be set
> > > 
> > > 
> > > ###(created all the dirs and pointed to currently snort.conf )
> > > 
> > > # out_path=/usr/local/etc/snort/rules/
> > > 
> > > # If you are running any rules in your local.rules file, we need to
> > > # know about them to properly build a sid-msg.map that will contain your
> > > # local.rules metadata (msg) information.  You can specify other rules
> > > # files that are local to your system here by adding a comma and more paths...
> > > # remember that the FULL path must be specified for EACH value.
> > > # local_rules=/path/to/these.rules,/path/to/those.rules
> > > ###(yadda)
> > > 
> > > local_rules=/usr/local/etc/snort/rules/local.rules
> > > 
> > > # Where should I put the sid-msg.map file?
> > > sid_msg=/usr/local/etc/snort/sid-msg.map
> > > 
> > > # Where do you want me to put the sid changelog?  This is a changelog
> > > # that pulledpork maintains of all new sids that are imported
> > > sid_changelog=/var/log/sid_changes.log
> > > # this value is optional
> > > 
> > > #######
> > > #######  The below section is for so_rule processing only.  If you don't
> > > #######  need to use them.. then comment this section out!
> > > #######  Alternately, if you are not using pulledpork to process
> > > #######  so_rules, you can specify -T at runtime to bypass this altogether
> > > #######
> > > 
> > > # What path you want the .so files to actually go to *i.e. where is it
> > > # defined in your snort.conf, needs a trailing slash
> > > sorule_path=/usr/local/lib/snort_dynamicrules/
> > > 
> > > # Path to the snort binary, we need this to generate the stub files
> > > #snort_path=/usr/local/bin/snort
> > > 
> > > (modified current path)
> > > 
> > > snort_path=/usr/sbin/snort
> > > 
> > > # We need to know where your snort.conf file lives so that we can
> > > # generate the stub files
> > > 
> > > config_path=/usr/local/etc/snort/snort.conf
> > > 
> > > # This is the file that contains all of the shared object rules that pulledpork
> > > # has processed, note that this has changed as of 0.4.0 just like the rules_path!
> > > sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> > > 
> > > # Define your distro, this is for the precompiled shared object libs!
> > > # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
> > > # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
> > > # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
> > > # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
> > > # OpenSUSE-11-3
> > > distro=FreeBSD-8.0
> > > 
> > > #######  This next section is optional, but probably pretty useful to you.
> > > #######  Please read thoroughly!
> > > 
> > > # What do you want to backup and archive?  This is a comma separated list
> > > # of file or directory values.  If a directory is specified, PP will recurse
> > > # through said directory and all subdirectories to archive all files.
> > > # The following example backs up all snort config files, rules, pulledpork
> > > # config files, and snort shared object binary rules.
> > > #
> > > backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
> > > 
> > > # what path and filename should we use for the backup tarball?
> > > # note that an epoch time value and the .tgz extension is automatically added
> > > # to the backup_file name on completeion i.e. the written file is:
> > > # pp_backup.1295886020.tgz
> > > # backup_file=/tmp/pp_backup
> > > 
> > > # Where do you want the signature docs to be copied, if this is commented
> > > # out then they will not be copied / extracted.  Note that extracting them
> > > # will add considerable runtime to pulledpork.
> > > # docs=/path/to/base/www
> > > 
> > > # The following option, state_order, allows you to more finely control the order
> > > # that pulledpork performs the modify operations, specifically the enablesid
> > > # disablesid and dropsid functions.  An example use case here would be to
> > > # disable an entire category and later enable only a rule or two out of it.
> > > # the valid values are disable, drop, and enable.
> > > # state_order=disable,drop,enable
> > > 
> > > 
> > > # Define the path to the pid files of any running process that you want to
> > > # HUP after PP has completed its run.
> > > #
> > > pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
> > > # and so on...
> > > # pid_path=/var/run/snort_eth0.pid
> > > 
> > > # This defines the version of snort that you are using, for use ONLY if the
> > > # proper snort binary is not on the system that you are fetching the rules with
> > > # Defining this value will set the Textonly flag, and thus will NOT allow
> > > # you to use shared object rules.  This value MUST contain all 4 minor version
> > > # numbers. ET rules are now also dependant on this, verify supported ET versions
> > > # prior to simply throwing rubbish in this variable kthx!
> > > # snort_version=2.9.0.0
> > > 
> > > # Here you can specify what rule modification files to run automatically.
> > > # simply uncomment and specify the apt path.
> > > # enablesid=/usr/local/etc/snort/enablesid.conf
> > > # dropsid=/usr/local/etc/snort/dropsid.conf
> > > # disablesid=/usr/local/etc/snort/disablesid.conf
> > > # modifysid=/usr/local/etc/snort/modifysid.conf
> > > 
> > > # What is the base ruleset that you want to use, please uncomment to use
> > > # and see the README.RULESETS for a description of the options.
> > > # Note that setting this value will disable all ET rulesets if you are
> > > # Running such rulesets
> > > # ips_policy=security
> > > 
> > > ####### Remember, a number of these values are optional.. if you don't
> > > ####### need to process so_rules, simply comment out the so_rule section
> > > ####### you can also specify -T at runtime to process only GID 1 rules.
> > > 
> > > version=0.6.0
> > > 
> > > 
> > > 5. your thoughts? your suggestions?
> > > 
> > > thanks, pete
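The `command not found` lines in step 3 come from the shell running pulledpork.conf itself as a script (the command typed was ./pulledpork.conf rather than ./pulledpork.pl), so the pipes in rule_url are parsed as a pipeline and the tarball name and oinkcode are executed as commands; the later errors are a snort_path that does not exist with no snort_version fallback, and a file that snort.conf includes but that had been moved. The preflight below catches those config-side conditions before pulledpork.pl runs, plus a rule_url left wrapped across lines or still carrying the <oinkcode> placeholder. It is an added example, not pulledpork's own code; conf_get, check_rule_url, check_includes and preflight are names made up for it.

```shell
#!/bin/sh
# Preflight for a pulledpork.conf, to run before "pulledpork.pl -c <conf>".
# Added example, not part of pulledpork; it only reads files, never edits them.
# usage: . ./pp_preflight.sh && preflight /path/to/pulledpork.conf

# First uncommented "key=value" in the conf, trailing whitespace trimmed.
conf_get() {  # $1=conf  $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# rule_url must be exactly url|tarball|oinkcode on one line, with a real
# oinkcode rather than the <oinkcode> placeholder from the sample conf.
check_rule_url() {  # $1=entry
    case $1 in ""|*[[:space:]]*) return 1 ;; esac   # empty, or wrapped/split
    [ "$(printf '%s' "$1" | awk -F'|' '{ print NF - 1 }')" -eq 2 ] || return 1
    case ${1##*|} in ""|"<"*">") return 1 ;; esac   # missing or placeholder code
    return 0
}

# Every plain "include file" in snort.conf must exist, otherwise stub
# generation dies as it did for database.conf in the thread. Includes that
# use Snort variables ($RULE_PATH/...) are skipped. Returns the missing count.
check_includes() {  # $1=snort.conf
    missing=0
    dir=$(dirname "$1")
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]*//p' "$1"); do
        case $inc in *'$'*) continue ;; /*) f=$inc ;; *) f=$dir/$inc ;; esac
        [ -f "$f" ] || { echo "missing include: $f" >&2; missing=$((missing + 1)); }
    done
    return "$missing"
}

preflight() {  # $1=pulledpork.conf ; returns 0 when the conf looks usable
    rc=0
    check_rule_url "$(conf_get "$1" rule_url)" || { echo "bad rule_url" >&2; rc=1; }
    snort=$(conf_get "$1" snort_path)
    if [ -n "$snort" ] && [ ! -x "$snort" ] && [ -z "$(conf_get "$1" snort_version)" ]; then
        echo "snort_path $snort is not executable and no snort_version is set" >&2
        rc=1
    fi
    cfg=$(conf_get "$1" config_path)
    if [ ! -f "$cfg" ]; then
        echo "config_path $cfg not found" >&2; rc=1
    elif ! check_includes "$cfg"; then
        rc=1
    fi
    return "$rc"
}
```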