[Snort-sigs] typical errors when trying pulledpork

PR oly562 at ...2420...
Fri Sep 7 21:29:34 EDT 2012


Welp, here is where I am today at this moment in time....

I finagled my way around, and it works, yet there are still some errors
I'm getting from 2.9.2. PS Joel, I didn't have to wait so I guess I'm a
subscriber lol. It's been... remember? I don't remember, and down below
shows just how long; I have 3 keys plus 1 new or old, I think that's the
newer one. I used one replicated and got the 2.9.2 rules. All I want is
for this to work from a Debian/Ubuntu build with as little hassle as
possible. Looks like I got most of it, as pulledpork.pl via
pulledpork.conf was looking for older community rules; I assume that is
where you mean no support, as in it's not automagic. Anyfoo..

Here are the results so far. I'm done for the day; I will now read any
responses in my email about all this.... maybe gain some new insight from
others, as usual I had to figure it all out by myself:

# ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj at ...2420...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
	They Match
	Done!
Prepping rules from snortrules-snapshot-2920.tar.gz for work....
	Done!
Reading rules...
Generating Stub Rules....
	An error occurred: !! WARNING: The database output plugins are considered deprecated as

	An error occurred: WARNING: ip4 normalizations disabled because not inline.

	An error occurred: WARNING: tcp normalizations disabled because not inline.

	An error occurred: WARNING: icmp4 normalizations disabled because not inline.

	An error occurred: WARNING: ip6 normalizations disabled because not inline.

	An error occurred: WARNING: icmp6 normalizations disabled because not inline.

	Done
Reading rules...
Reading rules...
Reading rules...
Activating Security rulesets....
	Done
Setting Flowbit State....
	Enabled 637 flowbits
	Enabled 47 flowbits
	Enabled 4 flowbits
	Enabled 2 flowbits
	Done
Writing /etc/snort/rules/snort.rules....
	Done
Writing /usr/local/etc/snort/rules/so_rules.rules....
	Done
Generating sid-msg.map....
	Done
Writing /usr/local/etc/snort/sid-msg.map....
	Done
Writing /var/log/sid_changes.log....
	Done
Rule Stats....
	New:-------0
	Deleted:---0
	Enabled Rules:----6129
	Dropped Rules:----0
	Disabled Rules:---6875
	Total Rules:------13004
	Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!


Suggestions about the error above? Thanks. Pete

On Fri, 2012-09-07 at 18:17 -0400, Joel Esler wrote:
> If you are not a subscriber, yes. You'll need to wait your 15 minutes. 
> 
> But no, 2.9.2 is no longer supported. Please see the bottom of http://www.snort.org/vrt/rules/eol_policy for currently supported versions and when they will expire. 
> 
> --
> Joel Esler
> 
> On Sep 7, 2012, at 4:17 PM, PR <oly562 at ...2420...> wrote:
> 
> > I guess I should wait 15 mins? I don't think I can grab another since I
> > don't pay for rules... what do you think? Should I just go for it?
> > 
> > 
> > 
> > On Fri, 2012-09-07 at 13:15 -0700, PR wrote:
> >> Next error... I mv'd this file, guess I should put it back...
> >> 
> >> ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> >> 
> >>    http://code.google.com/p/pulledpork/
> >>      _____ ____
> >>     `----,\    )
> >>      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >>       `--==\\/
> >>     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >>  @_/        /  66\_  cummingsj at ...2420...
> >>    |    \   \   _(")
> >>     \   /-| ||'--'  Rules give me wings!
> >>      \_\  \_\\
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> 
> >> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
> >> Rules tarball download of snortrules-snapshot-2920.tar.gz....
> >>    They Match
> >>    Done!
> >> Prepping rules from snortrules-snapshot-2920.tar.gz for work....
> >>    Done!
> >> Reading rules...
> >> Generating Stub Rules....
> >>    An error occurred: ERROR: Unable to open rules file "/usr/local/etc/snort/database.conf": No such file or directory.
> >> 
> >>    An error occurred: Fatal Error, Quitting..
> >> 
> >> 
> >> more to follow....
> >> 
> >> On Fri, 2012-09-07 at 12:30 -0700, PR wrote:
> >>> Oops, I figured out my mistake lolol...
> >>> 
> >>> OK, but now I run into the same prob as before. Versioning!
> >>> 
> >>> 
> >>> Here is what I get when I do the cmd properly, at the tail of stdout:
> >>> 
> >>> The specified Snort binary does not exist!
> >>> Please correct the value or specify the FULL rules tarball name in the
> >>> pulledpork.conf!
> >>> at ./pulledpork.pl line 1736.
> >>> 
> >>> I will go to pulledpork.pl line 1736 now. brb.......
> >>> 
> >>> 
> >>> 
> >>> OK, I thought, no I swear it says on the snort.org page, pulledpork will
> >>> automagically decide which version to download/upgrade rules to.
> >>> 
> >>> 
> >>> -*> Snort! <*-
> >>>  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
> >>>   ''''    By Martin Roesch & The Snort Team:
> >>> 
> >>> So...... let me guess, 2.9.2 isn't "supported". Here is what I think: I
> >>> think it's too hard for anyone to simply update rules unless you always
> >>> update your snort program to the same version; that's just ludicrous!
> >>> 
> >>> Yes I'm running acidbase, yes it was loaded with apt-get install
> >>> snort-mysql snort acidbase, so what... 
> >>> 
> >>> I can move files and confs to point in the right direction, not the issue;
> >>> it's the updating of the snort program and ONLY allowing automation to
> >>> those who either 
> >>> 1. pay
> >>> 2. pay to have you guys install
> >>> 3. pay to stay current
> >>> 4. pay pay pay, rather than providing a script that keeps the snort
> >>> program updated no matter what version you have, within reason, like 2.9.x
> >>> 5. How about fixing that perl script on the server side to allow us to
> >>> download the files automagically as it claims
> >>> 
> >>> I used snort since the beginning, it always was easy to update and so forth, 
> >>> but now, it's getting silly. 
> >>> 
> >>> OK, there, I'm done ranting; however, I still need FREE input, like
> >>> community input.
> >>> 
> >>> If not, as usual I will just figure it out, may take a while but I'll
> >>> get it, I have before, and can do again. I'm complaining because it's not
> >>> simple anymore. Or as simple as it can be to download some rules
> >>> automatically.
> >>> 
> >>> Sighs.... you can comment if you like, but I know each of you has been
> >>> here before at some point in your snorting career... 
> >>> 
> >>> 
> >>> 
> >>> On Fri, 2012-09-07 at 12:13 -0700, PR wrote:
> >>>> Hi all,
> >>>> 
> >>>> 
> >>>> 1. Modified and created dirs for what pulledpork.conf requires as root
> >>>> user.
> >>>> 
> >>>> 
> >>>> 2. Ran this cmd:
> >>>> 
> >>>> root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> >>>> 
> >>>> 
> >>>> 3. Got this error:
> >>>> 
> >>>> root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> >>>> ./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX: command not found
> >>>> ./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not found
> >>>> 
> >>>> 
> >>>> 4. Here is the conf in its entirety:
> >>>> 
> >>>> # more pulledpork.conf 
> >>>> # Config file for pulledpork
> >>>> # Be sure to read through the entire configuration file
> >>>> # If you specify any of these items on the command line, it WILL take 
> >>>> # precedence over any value that you specify in this file!
> >>>> 
> >>>> #######
> >>>> #######  The below section defines what your oinkcode is (required for 
> >>>> #######  VRT rules), defines a temp path (must be writable) and also 
> >>>> #######  defines what version of rules that you are getting (for your 
> >>>> #######  snort version and subscription etc...)
> >>>> ####### 
> >>>> 
> >>>> # The rule_url value replaces the old base_url and rule_file configuration
> >>>> # options.  You can now specify one or as many rule_urls as you like, they 
> >>>> # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
> >>>> # each on an individual line, or you can specify them in a , separated list
> >>>> # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
> >>>> # note that the url, rule file, and oinkcode itself are separated by a pipe |
> >>>> # i.e. url|tarball|123456789, 
> >>>> #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
> >>>> 
> >>>> 
> >>>> 
> >>>> ##*** ( here is line 21 )***
> >>>> 
> >>>> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
> >>>> 
> >>>> # get the rule docs!
> >>>> #rule_url=https://www.snort.org/reg-rules/|opensource.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
> >>>> 
> >>>> 
> >>>> 
> >>>> #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
> >>>> # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
> >>>> # and the et oinkcode requirement!
> >>>> #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
> >>>> # NOTE above that the VRT snortrules-snapshot does not contain the version
> >>>> # portion of the tarball name, this is because PP now automatically populates
> >>>> # this value for you, if, however you put the version information in, PP will
> >>>> # NOT populate this value but will use your value!
> >>>> 
> >>>> # Specify rule categories to ignore from the tarball in a comma separated list
> >>>> # with no spaces.  There are four ways to do this:
> >>>> # 1) Specify the category name with no suffix at all to ignore the category
> >>>> #    regardless of what rule-type it is, ie: netbios
> >>>> # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
> >>>> #    rulefiles located in the /rules directory of the tarball, ie: policy.rules
> >>>> # 3) Specify the category name with a '.preproc' suffix to ignore only
> >>>> #    preprocessor rules located in the /preproc_rules directory of the tarball,
> >>>> #    ie: sensitive-data.preproc
> >>>> # 4) Specify the category name with a '.so' suffix to ignore only shared-object
> >>>> #    rules located in the /so_rules directory of the tarball, ie: netbios.so
> >>>> # The example below ignores dos rules wherever they may appear, sensitive-
> >>>> # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
> >>>> # and netbios gid-1 rules (while including netbios so-rules):
> >>>> # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
> >>>> # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
> >>>> ignore=deleted.rules,experimental.rules,local.rules
> >>>> # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
> >>>> # previous ignore line and uncomment the following!
> >>>> # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
> >>>> 
> >>>> # Define your Oinkcode - DEPRICATED, SEE RULE_URL
> >>>> # oinkcode=replacethiswithyouroinkcode
> >>>> 
> >>>> # What is our temp path, be sure this path has a bit of space for rule 
> >>>> # extraction and manipulation, no trailing slash
> >>>> temp_path=/tmp
> >>>> 
> >>>> #######
> >>>> #######  The below section is for rule processing.  This section is 
> >>>> #######  required if you are not specifying the configuration using
> >>>> #######  runtime switches.  Note that runtime switches do SUPERSEED 
> >>>> #######  any values that you have specified here!
> >>>> #######
> >>>> 
> >>>> # What path you want the .rules file containing all of the processed 
> >>>> # rules? (this value has changed as of 0.4.0, previously we copied 
> >>>> # all of the rules, now we are creating a single large rules file
> >>>> # but still keeping a separate file for your so_rules!
> >>>> rule_path=/usr/local/etc/snort/rules/snort.rules
> >>>> 
> >>>> # What path you want the .rules files to be written to, this is UNIQUE
> >>>> # from the rule_path and cannot be used in conjunction, this is to be used with the
> >>>> # -k runtime flag, this can be set at runtime using the -K flag or specified
> >>>> # here.  If specified here, the -k option must also be passed at runtime, however
> >>>> # specifying -K <path> at runtime forces the -k option to also be set
> >>>> 
> >>>> 
> >>>> ###(created all the dirs and pointed to currently snort.conf )
> >>>> 
> >>>> # out_path=/usr/local/etc/snort/rules/
> >>>> 
> >>>> # If you are running any rules in your local.rules file, we need to
> >>>> # know about them to properly build a sid-msg.map that will contain your
> >>>> # local.rules metadata (msg) information.  You can specify other rules
> >>>> # files that are local to your system here by adding a comma and more paths...
> >>>> # remember that the FULL path must be specified for EACH value.
> >>>> # local_rules=/path/to/these.rules,/path/to/those.rules
> >>>> ###(yadda)
> >>>> 
> >>>> local_rules=/usr/local/etc/snort/rules/local.rules
> >>>> 
> >>>> # Where should I put the sid-msg.map file?
> >>>> sid_msg=/usr/local/etc/snort/sid-msg.map
> >>>> 
> >>>> # Where do you want me to put the sid changelog?  This is a changelog 
> >>>> # that pulledpork maintains of all new sids that are imported
> >>>> sid_changelog=/var/log/sid_changes.log
> >>>> # this value is optional
> >>>> 
> >>>> #######
> >>>> #######  The below section is for so_rule processing only.  If you don't
> >>>> #######  need to use them.. then comment this section out!
> >>>> #######  Alternately, if you are not using pulledpork to process 
> >>>> #######  so_rules, you can specify -T at runtime to bypass this altogether
> >>>> #######
> >>>> 
> >>>> # What path you want the .so files to actually go to *i.e. where is it
> >>>> # defined in your snort.conf, needs a trailing slash
> >>>> sorule_path=/usr/local/lib/snort_dynamicrules/
> >>>> 
> >>>> # Path to the snort binary, we need this to generate the stub files
> >>>> #snort_path=/usr/local/bin/snort
> >>>> 
> >>>> # (modified current path)
> >>>> 
> >>>> snort_path=/usr/sbin/snort
> >>>> 
> >>>> # We need to know where your snort.conf file lives so that we can
> >>>> # generate the stub files
> >>>> 
> >>>> config_path=/usr/local/etc/snort/snort.conf
> >>>> 
> >>>> # This is the file that contains all of the shared object rules that pulledpork
> >>>> # has processed, note that this has changed as of 0.4.0 just like the rules_path!
> >>>> sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> >>>> 
> >>>> # Define your distro, this is for the precompiled shared object libs!
> >>>> # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
> >>>> # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
> >>>> # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
> >>>> # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
> >>>> # OpenSUSE-11-3
> >>>> distro=FreeBSD-8.0
> >>>> 
> >>>> #######  This next section is optional, but probably pretty useful to you.
> >>>> #######  Please read thoroughly!
> >>>> 
> >>>> # What do you want to backup and archive?  This is a comma separated list
> >>>> # of file or directory values.  If a directory is specified, PP will recurse
> >>>> # through said directory and all subdirectories to archive all files.
> >>>> # The following example backs up all snort config files, rules, pulledpork
> >>>> # config files, and snort shared object binary rules.
> >>>> # backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
> >>>> 
> >>>> # what path and filename should we use for the backup tarball?
> >>>> # note that an epoch time value and the .tgz extension is automatically added
> >>>> # to the backup_file name on completeion i.e. the written file is:
> >>>> # pp_backup.1295886020.tgz
> >>>> # backup_file=/tmp/pp_backup
> >>>> 
> >>>> # Where do you want the signature docs to be copied, if this is commented 
> >>>> # out then they will not be copied / extracted.  Note that extracting them 
> >>>> # will add considerable runtime to pulledpork.
> >>>> # docs=/path/to/base/www
> >>>> 
> >>>> # The following option, state_order, allows you to more finely control the order
> >>>> # that pulledpork performs the modify operations, specifically the enablesid
> >>>> # disablesid and dropsid functions.  An example use case here would be to
> >>>> # disable an entire category and later enable only a rule or two out of it.
> >>>> # the valid values are disable, drop, and enable.
> >>>> # state_order=disable,drop,enable
> >>>> 
> >>>> 
> >>>> # Define the path to the pid files of any running process that you want to
> >>>> # HUP after PP has completed its run.
> >>>> # pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
> >>>> # and so on...
> >>>> # pid_path=/var/run/snort_eth0.pid
> >>>> 
> >>>> # This defines the version of snort that you are using, for use ONLY if the 
> >>>> # proper snort binary is not on the system that you are fetching the rules with
> >>>> # Defining this value will set the Textonly flag, and thus will NOT allow
> >>>> # you to use shared object rules.  This value MUST contain all 4 minor version
> >>>> # numbers. ET rules are now also dependant on this, verify supported ET versions
> >>>> # prior to simply throwing rubbish in this variable kthx!
> >>>> # snort_version=2.9.0.0
> >>>> 
> >>>> # Here you can specify what rule modification files to run automatically.
> >>>> # simply uncomment and specify the apt path.
> >>>> # enablesid=/usr/local/etc/snort/enablesid.conf
> >>>> # dropsid=/usr/local/etc/snort/dropsid.conf
> >>>> # disablesid=/usr/local/etc/snort/disablesid.conf
> >>>> # modifysid=/usr/local/etc/snort/modifysid.conf
> >>>> 
> >>>> # What is the base ruleset that you want to use, please uncomment to use
> >>>> # and see the README.RULESETS for a description of the options.  
> >>>> # Note that setting this value will disable all ET rulesets if you are 
> >>>> # Running such rulesets
> >>>> # ips_policy=security
> >>>> 
> >>>> ####### Remember, a number of these values are optional.. if you don't 
> >>>> ####### need to process so_rules, simply comment out the so_rule section
> >>>> ####### you can also specify -T at runtime to process only GID 1 rules.
> >>>> 
> >>>> version=0.6.0
> >>>> 
> >>>> 
> >>>> 5. Your thoughts? Your suggestions?
> >>>> 
> >>>> Thanks, Pete
> > 
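The failures in this thread (a snort_path that does not exist, a versionless snortrules-snapshot tarball name that pulledpork fills in from the binary, a snort.conf that includes a database.conf that has been moved away, and two ignore= lines left active) are all things a preflight check can catch before pulledpork.pl is run. The script below is an added example written for this page; it is not pulledpork's own code. The sample pulledpork.conf, the snort.conf fragment and the `snort -V` banner are constructed; the version-tag rule (2.9.2 becoming snortrules-snapshot-2920.tar.gz) is inferred from the output above; and the include resolution (only `$VAR` expansion from var lines, relative paths taken against the snort.conf directory) is a simplification, labelled as an assumption in the code.

```python
import re

# Constructed sample pulledpork.conf (assumed; shaped like the one posted in
# the thread, not a copy).  The two active ignore= lines and the sorule_path
# without a trailing slash are deliberate so the checker has something to find.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
ignore=deleted.rules,experimental.rules,local.rules
ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
sorule_path=/usr/local/lib/snort_dynamicrules
snort_path=/usr/sbin/snort
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-8.0
"""

# Constructed snort.conf fragment (assumed) for the include check.
SAMPLE_SNORT_CONF = """\
var RULE_PATH /usr/local/etc/snort/rules
include database.conf
include $RULE_PATH/snort.rules
"""

# Constructed `snort -V` banner line, in the shape shown in the thread.
SAMPLE_SNORT_V = '   o"  )~   Version 2.9.2 IPv6 GRE (Build 78)'

RULE_URL_RE = re.compile(r"^(https?://[^|\s]+)\|([^|\s]+)\|([^|\s]+)$")
PLACEHOLDERS = {"<oinkcode>", "replacethiswithyouroinkcode"}


def parse_conf(text):
    """{key: [value, ...]} for every active key=value line; keys may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def snort_version_tag(banner):
    """'Version 2.9.2 IPv6 GRE (Build 78)' -> '2920', the digits that end up in
    snortrules-snapshot-<tag>.tar.gz.  Assumption: the tag is the version
    fields run together, padded with 0 when only three are printed."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", banner)
    return "".join(g or "0" for g in m.groups()) if m else None


def expected_tarball(tarball, banner):
    """A pinned tarball name is used as-is; the bare snortrules-snapshot.tar.gz
    gets the version tag derived from the snort binary."""
    if tarball != "snortrules-snapshot.tar.gz":
        return tarball
    tag = snort_version_tag(banner)
    return f"snortrules-snapshot-{tag}.tar.gz" if tag else None


def missing_includes(snort_conf, conf_dir, path_exists):
    """Paths named on 'include' lines that do not exist.  Simplified: expands
    only $VAR from var/ipvar/portvar lines and resolves relative paths against
    conf_dir (an assumption about how the stub-generation run finds them)."""
    vars_, missing = {}, []
    for line in snort_conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] in ("var", "ipvar", "portvar"):
            vars_[parts[1]] = parts[2]
        elif len(parts) == 2 and parts[0] == "include":
            path = re.sub(r"\$(\w+)", lambda m: vars_.get(m.group(1), m.group(0)), parts[1])
            if not path.startswith("/"):
                path = conf_dir.rstrip("/") + "/" + path
            if not path_exists(path):
                missing.append(path)
    return missing


def check_conf(conf, path_exists, banner, snort_conf=""):
    """Return a list of problems.  path_exists is injected (os.path.exists in
    real use) so the checks can run offline against a fake filesystem."""
    problems = []
    for entry in conf.get("rule_url", []):
        m = RULE_URL_RE.match(entry)
        if not m:
            problems.append(f"rule_url not in url|tarball|oinkcode form: {entry}")
        elif m.group(3) in PLACEHOLDERS:
            problems.append(f"rule_url still has a placeholder oinkcode: {entry}")
    if len(conf.get("ignore", [])) > 1:
        problems.append("more than one active ignore= line; the stock comments present them as alternatives")
    for key in ("snort_path", "config_path"):
        for p in conf.get(key, []):
            if not path_exists(p):
                problems.append(f"{key} does not exist: {p}")
    if not conf.get("snort_version") and not any(path_exists(p) for p in conf.get("snort_path", [])):
        problems.append("no usable snort binary and no snort_version: the rules tarball version cannot be chosen")
    for p in conf.get("sorule_path", []):
        if not p.endswith("/"):
            problems.append(f"sorule_path needs a trailing slash: {p}")
    for cp in conf.get("config_path", []):
        for inc in missing_includes(snort_conf, cp.rsplit("/", 1)[0], path_exists):
            problems.append(f"snort.conf includes a missing file: {inc}")
    return problems


if __name__ == "__main__":
    # Fake filesystem: snort.conf present, no binary at snort_path, database.conf moved away.
    present = {"/usr/local/etc/snort/snort.conf", "/usr/local/etc/snort/rules/snort.rules"}
    for problem in check_conf(parse_conf(SAMPLE_CONF), present.__contains__, SAMPLE_SNORT_V, SAMPLE_SNORT_CONF):
        print("PROBLEM:", problem)
```

Run against a real box, read pulledpork.conf and snort.conf from disk, pass `os.path.exists` as `path_exists`, and feed the banner from `snort -V` (it is printed on stderr). The checks are deliberately injected rather than hard-wired to the filesystem so the same code can be exercised with a fake set of paths, which is also what keeps it runnable offline.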




