[Snort-sigs] typical errors when trying pulledpork

PR oly562 at ...2420...
Sun Sep 9 02:57:29 EDT 2012


i followed the snortinstallguide293.pdf...for ubuntu 12.04 LTS however i
noticed a typo stating 10.04, whatever, i moved along, 

i did this when i installed:

created a barnyard2.waldo file following instructions from snort manual
howto whatever for ubuntu 10.04. im on 12.04 but no matter. linux is
linux to me.

sudo tar zxvf barnyard2-1.9.tar.gz
cd firnsy-barnyard2*
sudo autoreconf -fvi -I ./m4
sudo ./configure --with-mysql
--with-mysql-libraries=/usr/lib/i386-linux-gnu
sudo make
sudo make install
sudo cp etc/barnyard2.conf /usr/local/snort/etc
sudo mkdir /var/log/barnyard2
sudo chmod 666 /var/log/barnyard2
sudo touch /var/log/snort/barnyard2.waldo
sudo chown snort.snort /var/log/snort/barnyard2.waldo

also:

echo "create database snort;" | mysql -u root -p
mysql -u root -p -D snort < ./schemas/create_mysql

echo "grant create, insert, select, delete, update on snort.* to
snort at ...42... \
identified by 'XXXXXXX'" | mysql -u root -p

also:

sudo vi /usr/local/snort/etc/barnyard2.conf
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
#config hostname: thor
#config interface: eth0
#output database: log, mysql, user=root password=test dbname=db
host=localhost;

reference_file: /usr/local/snort/etc/reference.config
classification_file: /usr/local/snort/etc/classification.config
gen_file: /usr/local/snort/etc/gen-msg.map
sid_file: /usr/local/snort/etc/sid-msg.map
config hostname: localhost
config interface: eth1
output database: log, mysql, user=snort password=XXXXXX dbname=snort \
host=localhost

i of course modified the location of directories... 

here is the command and stdout when starting snort....

**(note the dir tree)**

/usr/local/etc/snort/bin/snort -u snort -g snort
-c /usr/local/etc/snort/etc/snort.conf -i eth0
Running in IDS mode

        --== Initializing Snort ==--
Initializing Output Plugins!
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file "/usr/local/etc/snort/etc/snort.conf"
PortVar 'HTTP_PORTS' defined :  [ 80:81 311 591 593 901 1220 1414 1741
1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779
8000 8008 8014 8028 8080 8088 8090 8118 8123 8180:8181 8243 8280 8800
8888 8899 9000 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'SHELLCODE_PORTS' defined :  [ 0:79 81:65535 ]
PortVar 'ORACLE_PORTS' defined :  [ 1024:65535 ]
PortVar 'SSH_PORTS' defined :  [ 22 ]
PortVar 'FTP_PORTS' defined :  [ 21 2100 3535 ]
PortVar 'SIP_PORTS' defined :  [ 5060:5061 5600 ]
PortVar 'FILE_DATA_PORTS' defined :  [ 80:81 110 143 311 591 593 901
1220 1414 1741 1830 2301 2381 2809 3128 3702 4343 4848 5250 7001 7145
7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180:8181
8243 8280 8800 8888 8899 9000 9080 9090:9091 9443 9999 11371 55555 ]
PortVar 'GTP_PORTS' defined :  [ 2123 2152 3386 ]
Detection:
   Search-Method = AC-Full-Q
    Split Any/Any group = enabled
    Search-Method-Optimizations = enabled
    Maximum pattern length = 20
Tagged Packet Limit: 256
Loading dynamic
engine /usr/local/etc/snort/lib/snort_dynamicengine/libsf_engine.so...
done
Loading all dynamic detection libs
from /usr/local/etc/snort/lib/snort_dynamicrules...
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/web-client.so...
done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/exploit.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/smtp.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/web-activex.so...
done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/icmp.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/specific-threats.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/snmp.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/multimedia.so...
done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/bad-traffic.so...
done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/misc.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/chat.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/netbios.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/web-iis.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/p2p.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/dos.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/web-misc.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/imap.so... done
  Loading dynamic detection
library /usr/local/etc/snort/lib/snort_dynamicrules/nntp.so... done
  Finished Loading all dynamic detection libs
from /usr/local/etc/snort/lib/snort_dynamicrules
Loading all dynamic preprocessor libs
from /usr/local/etc/snort/lib/snort_dynamicpreprocessor/...
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_reputation_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_dnp3_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_imap_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_gtp_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_sip_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_sdf_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_pop_preproc.so... done
  Loading dynamic preprocessor
library /usr/local/etc/snort/lib/snort_dynamicpreprocessor//libsf_modbus_preproc.so... done
  Finished Loading all dynamic preprocessor libs
from /usr/local/etc/snort/lib/snort_dynamicpreprocessor/
Log directory = /var/log/snort
WARNING: ip4 normalizations disabled because not inline.
WARNING: tcp normalizations disabled because not inline.
WARNING: icmp4 normalizations disabled because not inline.
WARNING: ip6 normalizations disabled because not inline.
WARNING: icmp6 normalizations disabled because not inline.
Frag3 global config:
    Max frags: 65536
    Fragment memory cap: 4194304 bytes
Frag3 engine config:
    Bound Address: default
    Target-based policy: WINDOWS
    Fragment timeout: 180 seconds
    Fragment min_ttl:   1
    Fragment Anomalies: Alert
    Overlap Limit:     10
    Min fragment Length:     100
Stream5 global config:
    Track TCP sessions: ACTIVE
    Max TCP sessions: 262144
    Memcap (for reassembly packet storage): 8388608
    Track UDP sessions: ACTIVE
    Max UDP sessions: 131072
    Track ICMP sessions: INACTIVE
    Track IP sessions: INACTIVE
    Log info if session memory consumption exceeds 1048576
    Send up to 2 active responses
    Wait at least 5 seconds between responses
    Protocol Aware Flushing: ACTIVE
        Maximum Flush Point: 16000
Stream5 TCP Policy config:
    Bound Address: default
    Reassembly Policy: WINDOWS
    Timeout: 180 seconds
    Limit on TCP Overlaps: 10
    Maximum number of bytes to queue per session: 1048576
    Maximum number of segs to queue per session: 2621
    Options:
        Require 3-Way Handshake: YES
        3-Way Handshake Timeout: 180
        Detect Anomalies: YES
    Reassembly Ports:
      21 client (Footprint) 
      22 client (Footprint) 
      23 client (Footprint) 
      25 client (Footprint) 
      42 client (Footprint) 
      53 client (Footprint) 
      79 client (Footprint) 
      80 client (Footprint) server (Footprint)
      81 client (Footprint) server (Footprint)
      109 client (Footprint) 
      110 client (Footprint) 
      111 client (Footprint) 
      113 client (Footprint) 
      119 client (Footprint) 
      135 client (Footprint) 
      136 client (Footprint) 
      137 client (Footprint) 
      139 client (Footprint) 
      143 client (Footprint) 
      161 client (Footprint) 
      additional ports configured but not printed.
Stream5 UDP Policy config:
    Timeout: 180 seconds
HttpInspect Config:
    GLOBAL CONFIG
      Max Pipeline Requests:    0
      Inspection Type:          STATELESS
      Detect Proxy Usage:       NO
      IIS Unicode Map Filename: /usr/local/etc/snort/etc/unicode.map
      IIS Unicode Map Codepage: 1252
      Memcap used for logging URI and Hostname: 150994944
      Max Gzip Memory: 838860
      Max Gzip Sessions: 9532
      Gzip Compress Depth: 65535
      Gzip Decompress Depth: 65535
    DEFAULT SERVER CONFIG:
      Server profile: All
      Ports (PAF): 80 81 311 591 593 901 1220 1414 1741 1830 2301 2381
2809 3128 3702 4343 4848 5250 7001 7145 7510 7777 7779 8000 8008 8014
8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8800 8888 8899 9000
9080 9090 9091 9443 9999 11371 55555 
      Server Flow Depth: 0
      Client Flow Depth: 0
      Max Chunk Length: 500000
      Small Chunk Length Evasion: chunk size <= 10, threshold >= 5 times
      Max Header Field Length: 750
      Max Number Header Fields: 100
      Max Number of WhiteSpaces allowed with header folding: 200
      Inspect Pipeline Requests: YES
      URI Discovery Strict Mode: NO
      Allow Proxy Usage: NO
      Disable Alerting: NO
      Oversize Dir Length: 500
      Only inspect URI: NO
      Normalize HTTP Headers: NO
      Inspect HTTP Cookies: YES
      Inspect HTTP Responses: YES
      Extract Gzip from responses: YES
      Unlimited decompression of gzip data from responses: YES
      Normalize Javascripts in HTTP Responses: YES
      Max Number of WhiteSpaces allowed with Javascript Obfuscation in
HTTP responses: 200
      Normalize HTTP Cookies: NO
      Enable XFF and True Client IP: NO
      Log HTTP URI data: NO
      Log HTTP Hostname data: NO
      Extended ASCII code support in URI: NO
      Ascii: YES alert: NO
      Double Decoding: YES alert: NO
      %U Encoding: YES alert: YES
      Bare Byte: YES alert: NO
      UTF 8: YES alert: NO
      IIS Unicode: YES alert: NO
      Multiple Slash: YES alert: NO
      IIS Backslash: YES alert: NO
      Directory Traversal: YES alert: NO
      Web Root Traversal: YES alert: NO
      Apache WhiteSpace: YES alert: NO
      IIS Delimiter: YES alert: NO
      IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
      Non-RFC Compliant Characters: 0x00 0x01 0x02 0x03 0x04 0x05 0x06
0x07 
      Whitespace Characters: 0x09 0x0b 0x0c 0x0d 
rpc_decode arguments:
    Ports to decode RPC on: 111 32770 32771 32772 32773 32774 32775
32776 32777 32778 32779 
    alert_fragments: INACTIVE
    alert_large_fragments: INACTIVE
    alert_incomplete: INACTIVE
    alert_multiple_requests: INACTIVE
FTPTelnet Config:
    GLOBAL CONFIG
      Inspection Type: stateful
      Check for Encrypted Traffic: YES alert: NO
      Continue to check encrypted data: YES
    TELNET CONFIG:
      Ports: 23 
      Are You There Threshold: 20
      Normalize: YES
      Detect Anomalies: YES
    FTP CONFIG:
      FTP Server: default
        Ports (PAF): 21 2100 3535 
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Identify open data channels: NO
      FTP Client: default
        Check for Bounce Attacks: YES alert: YES
        Check for Telnet Cmds: YES alert: YES
        Ignore Telnet Cmd Operations: YES alert: YES
        Max Response Length: 256
SMTP Config:
    Ports: 25 465 587 691 
    Inspection Type: Stateful
    Normalize: ATRN AUTH BDAT DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN
EVFY EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND
STARTTLS SOML TICK TIME TURN TURNME VERB VRFY X-EXPS XADR XAUTH XCIR
XEXCH50 XGEN XLICENSE X-LINK2STATE XQUE XSTA XTRN XUSR CHUNKING X-ADAT
X-DRCP X-ERCP X-EXCH50 
    Ignore Data: No
    Ignore TLS Data: No
    Ignore SMTP Alerts: No
    Max Command Line Length: 512
    Max Specific Command Line Length: 
       ATRN:255 AUTH:246 BDAT:255 DATA:246 DEBUG:255 
       EHLO:500 EMAL:255 ESAM:255 ESND:255 ESOM:255 
       ETRN:246 EVFY:255 EXPN:255 HELO:500 HELP:500 
       IDENT:255 MAIL:260 NOOP:255 ONEX:246 QUEU:246 
       QUIT:246 RCPT:300 RSET:246 SAML:246 SEND:246 
       SIZE:255 STARTTLS:246 SOML:246 TICK:246 TIME:246 
       TURN:246 TURNME:246 VERB:246 VRFY:255 X-EXPS:246 
       XADR:246 XAUTH:246 XCIR:246 XEXCH50:246 XGEN:246 
       XLICENSE:246 X-LINK2STATE:246 XQUE:246 XSTA:246 XTRN:246 
       XUSR:246 
    Max Header Line Length: 1000
    Max Response Line Length: 512
    X-Link2State Alert: Yes
    Drop on X-Link2State Alert: No
    Alert on commands: None
    Alert on unknown commands: No
    SMTP Memcap: 838860
    MIME Max Mem: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
    Log Attachment filename: Enabled
    Log MAIL FROM Address: Enabled
    Log RCPT TO Addresses: Enabled
    Log Email Headers: Enabled
    Email Hdrs Log Depth: 1464
SSH config: 
    Autodetection: ENABLED
    Challenge-Response Overflow Alert: ENABLED
    SSH1 CRC32 Alert: ENABLED
    Server Version String Overflow Alert: ENABLED
    Protocol Mismatch Alert: ENABLED
    Bad Message Direction Alert: DISABLED
    Bad Payload Size Alert: DISABLED
    Unrecognized Version Alert: DISABLED
    Max Encrypted Packets: 20  
    Max Server Version String Length: 100  
    MaxClientBytes: 19600 (Default) 
    Ports:
	22
DCE/RPC 2 Preprocessor Configuration
  Global Configuration
    DCE/RPC Defragmentation: Enabled
    Memcap: 102400 KB
    Events: co 
    SMB Fingerprint policy: Disabled
  Server Default Configuration
    Policy: WinXP
    Detect ports (PAF)
      SMB: 139 445 
      TCP: 135 
      UDP: 135 
      RPC over HTTP server: 593 
      RPC over HTTP proxy: None
    Autodetect ports (PAF)
      SMB: None
      TCP: 1025-65535 
      UDP: 1025-65535 
      RPC over HTTP server: 1025-65535 
      RPC over HTTP proxy: None
    Invalid SMB shares: C$ D$ ADMIN$ 
    Maximum SMB command chaining: 3 commands
DNS config: 
    DNS Client rdata txt Overflow Alert: ACTIVE
    Obsolete DNS RR Types Alert: INACTIVE
    Experimental DNS RR Types Alert: INACTIVE
    Ports: 53
SSLPP config:
    Encrypted packets: not inspected
    Ports:
      443      465      563      636      989
      992      993      994      995     7801
     7802     7900     7901     7902     7903
     7904     7905     7906     7907     7908
     7909     7910     7911     7912     7913
     7914     7915     7916     7917     7918
     7919     7920
    Server side data is trusted
Sensitive Data preprocessor config: 
    Global Alert Threshold: 25
    Masked Output: DISABLED
SIP config: 
    Max number of sessions: 40000  
    Max number of dialogs in a session: 4 (Default) 
    Status: ENABLED
    Ignore media channel: DISABLED
    Max URI length: 512  
    Max Call ID length: 80  
    Max Request name length: 20 (Default) 
    Max From length: 256 (Default) 
    Max To length: 256 (Default) 
    Max Via length: 1024 (Default) 
    Max Contact length: 512  
    Max Content length: 2048  
    Ports:
	5060	5061	5600
    Methods:
	  invite cancel ack bye register options refer subscribe update join
info message notify benotify do qauth sprack publish service unsubscribe
prack
IMAP Config:
    Ports: 143 
    IMAP Memcap: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
POP Config:
    Ports: 110 
    POP Memcap: 838860
    Base64 Decoding: Enabled
    Base64 Decoding Depth: Unlimited
    Quoted-Printable Decoding: Enabled
    Quoted-Printable Decoding Depth: Unlimited
    Unix-to-Unix Decoding: Enabled
    Unix-to-Unix Decoding Depth: Unlimited
    Non-Encoded MIME attachment Extraction: Enabled
    Non-Encoded MIME attachment Extraction Depth: Unlimited
Modbus config: 
    Ports:
	502
DNP3 config: 
    Memcap: 262144
    Check Link-Layer CRCs: ENABLED
    Ports:
	20000
Reputation config: 
WARNING: Can't find any whitelist/blacklist entries. Reputation
Preprocessor disabled.

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
3029 Snort rules read
    3029 detection rules
    0 decoder rules
    0 preprocessor rules
3029 Option Chains linked into 179 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++

+-------------------[Rule Port
Counts]---------------------------------------
|             tcp     udp    icmp      ip
|     src    1361       4       0       0
|     dst    1459      64       0       0
|     any     118      47      28      27
|      nc      51      12       1       0
|     s+d       0       1       0       0
+----------------------------------------------------------------------------

+-----------------------[detection-filter-config]------------------------------
| memory-cap : 1048576 bytes
+-----------------------[detection-filter-rules]-------------------------------
-------------------------------------------------------------------------------

+-----------------------[rate-filter-config]-----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[rate-filter-rules]------------------------------------
| none
-------------------------------------------------------------------------------

+-----------------------[event-filter-config]----------------------------------
| memory-cap : 1048576 bytes
+-----------------------[event-filter-global]----------------------------------
+-----------------------[event-filter-local]-----------------------------------
| none
+-----------------------[suppression]------------------------------------------
| none
-------------------------------------------------------------------------------
Rule application order:
activation->dynamic->pass->drop->sdrop->reject->alert->log
Verifying Preprocessor Configurations!
WARNING: 'ignore_any_rules' option for Stream5 UDP disabled because of
UDP rule with flow or flowbits option.
ICMP tracking disabled, no ICMP sessions allocated
IP tracking disabled, no IP sessions allocated
WARNING: flowbits key 'file.hta' is set but not ever checked.
WARNING: flowbits key 'backdoor.donalddick.1.5.b.3.conn' is checked but
not ever set.
WARNING: flowbits key 'file.plf' is set but not ever checked.
WARNING: flowbits key 'file.mid' is set but not ever checked.
WARNING: flowbits key 'file.wrf' is set but not ever checked.
WARNING: flowbits key 'backdoor.fearless.runtime' is checked but not
ever set.
WARNING: flowbits key 'file.application' is set but not ever checked.
WARNING: flowbits key 'waprox.init' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_ma' is set but not ever checked.
WARNING: flowbits key 'file.cnt' is set but not ever checked.
WARNING: flowbits key 'file.ffmpeg' is set but not ever checked.
WARNING: flowbits key 'file.aom' is set but not ever checked.
WARNING: flowbits key 'file.esignal' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'file.msproducer' is set but not ever checked.
WARNING: flowbits key 'file.3gp' is set but not ever checked.
WARNING: flowbits key 'file.rss' is set but not ever checked.
WARNING: flowbits key 'file.docx' is set but not ever checked.
WARNING: flowbits key 'file.machobe' is set but not ever checked.
WARNING: flowbits key 'file.addin' is set but not ever checked.
WARNING: flowbits key 'file.arj' is set but not ever checked.
WARNING: flowbits key 'file.mppl' is set but not ever checked.
WARNING: flowbits key 'file.dat' is set but not ever checked.
WARNING: flowbits key 'file.m4p' is set but not ever checked.
WARNING: flowbits key 'file.job' is set but not ever checked.
WARNING: flowbits key 'file.lzh' is set but not ever checked.
WARNING: flowbits key 'file.mime' is set but not ever checked.
WARNING: flowbits key 'file.rat' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
WARNING: flowbits key 'file.oless.v3' is set but not ever checked.
WARNING: flowbits key 'backdoor.asylum.connect' is checked but not ever
set.
WARNING: flowbits key 'file.xm' is set but not ever checked.
WARNING: flowbits key 'file.bat' is set but not ever checked.
WARNING: flowbits key 'file.m4r' is set but not ever checked.
WARNING: flowbits key 'file.plp' is set but not ever checked.
WARNING: flowbits key 'file.wk4' is set but not ever checked.
WARNING: flowbits key 'file.fon' is set but not ever checked.
WARNING: flowbits key 'file.screnc' is set but not ever checked.
WARNING: flowbits key 'file.symantec' is set but not ever checked.
WARNING: flowbits key 'file.bmp' is set but not ever checked.
WARNING: flowbits key 'asteriskmi' is set but not ever checked.
WARNING: flowbits key 'file.mp4' is set but not ever checked.
WARNING: flowbits key 'file.rdp' is set but not ever checked.
WARNING: flowbits key 'soliddb' is set but not ever checked.
WARNING: flowbits key 'file.s3m' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
WARNING: flowbits key 'file.pkp' is set but not ever checked.
WARNING: flowbits key 'file.postscript' is set but not ever checked.
WARNING: flowbits key 'file.cab' is set but not ever checked.
WARNING: flowbits key 'file.bzip' is set but not ever checked.
WARNING: flowbits key 'file.rmp' is set but not ever checked.
WARNING: flowbits key 'file.realplayer' is set but not ever checked.
WARNING: flowbits key 'dorkbot.ircinit' is set but not ever checked.
WARNING: flowbits key 'file.cue' is set but not ever checked.
WARNING: flowbits key 'file.wmp_playlist' is set but not ever checked.
WARNING: flowbits key 'ipp.application' is checked but not ever set.
WARNING: flowbits key 'file.jar.agent_helper' is set but not ever
checked.
WARNING: flowbits key 'file.k3g' is set but not ever checked.
WARNING: flowbits key 'oracle.connect' is checked but not ever set.
WARNING: flowbits key 'file.skm' is set but not ever checked.
WARNING: flowbits key 'file.bak' is set but not ever checked.
WARNING: flowbits key 'file.pecompact' is set but not ever checked.
WARNING: flowbits key 'file.mkv' is set but not ever checked.
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'file.binhex' is set but not ever checked.
WARNING: flowbits key 'trojan.nervos' is set but not ever checked.
WARNING: flowbits key 'file.macho64le' is set but not ever checked.
WARNING: flowbits key 'file.ram' is set but not ever checked.
WARNING: flowbits key 'file.ht3' is set but not ever checked.
WARNING: flowbits key 'file.svg' is set but not ever checked.
WARNING: flowbits key 'file.sln' is set but not ever checked.
WARNING: flowbits key 'file.ivr' is set but not ever checked.
WARNING: flowbits key 'file.cws' is set but not ever checked.
WARNING: flowbits key 'file.sis' is set but not ever checked.
WARNING: flowbits key 'file.tiff.big' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'vnc.auth' is checked but not ever set.
WARNING: flowbits key 'file.emf' is set but not ever checked.
WARNING: flowbits key 'file.rar' is set but not ever checked.
WARNING: flowbits key 'smtp.contenttype.attachment' is checked but not
ever set.
WARNING: flowbits key 'file.fli' is set but not ever checked.
WARNING: flowbits key 'file.csv' is set but not ever checked.
WARNING: flowbits key 'AOLAdmin1.1.connection' is checked but not ever
set.
WARNING: flowbits key 'file.vmd' is set but not ever checked.
WARNING: flowbits key 'file.m4a' is set but not ever checked.
WARNING: flowbits key 'file.cyb' is set but not ever checked.
WARNING: flowbits key 'RTMP.sysMemCall' is set but not ever checked.
WARNING: flowbits key 'file.7zip' is set but not ever checked.
WARNING: flowbits key 'file.gzip' is set but not ever checked.
WARNING: flowbits key 'file.vqf' is set but not ever checked.
WARNING: flowbits key 'file.collada' is set but not ever checked.
WARNING: flowbits key 'file.m4b' is set but not ever checked.
WARNING: flowbits key 'file.siplog' is set but not ever checked.
WARNING: flowbits key 'ABSystemSpy_Inforetrieve1' is set but not ever
checked.
WARNING: flowbits key 'file.3g2' is set but not ever checked.
WARNING: flowbits key 'file.cur' is set but not ever checked.
WARNING: flowbits key 'file.maki' is set but not ever checked.
WARNING: flowbits key 'file.oless.v4' is set but not ever checked.
WARNING: flowbits key 'file.vwr' is set but not ever checked.
WARNING: flowbits key 'file.pptx' is set but not ever checked.
WARNING: flowbits key 'file.cy3' is set but not ever checked.
WARNING: flowbits key 'file.cryptff' is set but not ever checked.
WARNING: flowbits key 'dce.spoolss.4.call' is checked but not ever set.
WARNING: flowbits key 'file.dvr-ms' is set but not ever checked.
WARNING: flowbits key 'file.mht' is set but not ever checked.
WARNING: flowbits key 'file.nab' is set but not ever checked.
WARNING: flowbits key 'file.webm' is set but not ever checked.
WARNING: flowbits key 'file.mov' is set but not ever checked.
WARNING: flowbits key 'file.dbp' is set but not ever checked.
WARNING: flowbits key 'file.qt' is set but not ever checked.
WARNING: flowbits key 'file.tnef' is set but not ever checked.
WARNING: flowbits key 'file.hlp' is set but not ever checked.
WARNING: flowbits key 'smb.neoteris' is checked but not ever set.
WARNING: flowbits key 'file.daz_ds' is set but not ever checked.
WARNING: flowbits key 'file.eml' is set but not ever checked.
WARNING: flowbits key 'file.rp' is set but not ever checked.
WARNING: flowbits key 'file.machole' is set but not ever checked.
WARNING: flowbits key 'backdoor.y3krat_15.client.response' is checked
but not ever set.
WARNING: flowbits key 'file.file.tar' is set but not ever checked.
WARNING: flowbits key 'file.macho64be' is set but not ever checked.
WARNING: flowbits key 'file.htm' is set but not ever checked.
WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.rmf' is set but not ever checked.
WARNING: flowbits key 'file.amf' is set but not ever checked.
WARNING: flowbits key 'file.mpeg' is set but not ever checked.
WARNING: flowbits key 'file.wps' is set but not ever checked.
WARNING: flowbits key 'file.crx' is set but not ever checked.
214 out of 1024 flowbits in use.

[ Port Based Pattern Matching Memory ]
+- [ Aho-Corasick Summary ] -------------------------------------
| Storage Format    : Full-Q 
| Finite Automaton  : DFA
| Alphabet Size     : 256 Chars
| Sizeof State      : Variable (1,2,4 bytes)
| Instances         : 147
|     1 byte states : 136
|     2 byte states : 11
|     4 byte states : 0
| Characters        : 46772
| States            : 36133
| Transitions       : 3332808
| State Density     : 36.0%
| Patterns          : 3136
| Match States      : 3021
| Memory (MB)       : 17.90
|   Patterns        : 0.23
|   Match Lists     : 0.34
|   DFA
|     1 byte states : 0.74
|     2 byte states : 16.45
|     4 byte states : 0.00
+----------------------------------------------------------------
[ Number of patterns truncated to 20 bytes: 466 ]
pcap DAQ configured to passive.
Acquiring network traffic from "eth0".
Reload thread starting...
Reload thread started, thread 0xa6725b40 (2256)
Decoding Ethernet
Set gid to 116
Set uid to 107

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE (Build 40) 
   ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.12 2011-01-15
           Using ZLIB version: 1.2.3.4

           Rules Engine: SF_SNORT_DETECTION_ENGINE  Version 1.16  <Build
18>
           Rules Object: nntp  Version 1.0  <Build 1>
           Rules Object: imap  Version 1.0  <Build 1>
           Rules Object: web-misc  Version 1.0  <Build 1>
           Rules Object: dos  Version 1.0  <Build 1>
           Rules Object: p2p  Version 1.0  <Build 1>
           Rules Object: web-iis  Version 1.0  <Build 1>
           Rules Object: netbios  Version 1.0  <Build 1>
           Rules Object: chat  Version 1.0  <Build 1>
           Rules Object: misc  Version 1.0  <Build 1>
           Rules Object: bad-traffic  Version 1.0  <Build 1>
           Rules Object: multimedia  Version 1.0  <Build 1>
           Rules Object: snmp  Version 1.0  <Build 1>
           Rules Object: specific-threats  Version 1.0  <Build 1>
           Rules Object: icmp  Version 1.0  <Build 1>
           Rules Object: web-activex  Version 1.0  <Build 1>
           Rules Object: smtp  Version 1.0  <Build 1>
           Rules Object: exploit  Version 1.0  <Build 1>
           Rules Object: web-client  Version 1.0  <Build 1>
           Preprocessor Object: SF_MODBUS (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_POP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_SDF (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_SIP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_DNS (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_DCERPC2 (IPV6)  Version 1.0  <Build
3>
           Preprocessor Object: SF_GTP (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_IMAP (IPV6)  Version 1.0  <Build 1>
           Preprocessor Object: SF_SMTP (IPV6)  Version 1.1  <Build 9>
           Preprocessor Object: SF_DNP3 (IPV6)  Version 1.1  <Build 1>
           Preprocessor Object: SF_FTPTELNET (IPV6)  Version 1.2  <Build
13>
           Preprocessor Object: SF_SSLPP (IPV6)  Version 1.1  <Build 4>
           Preprocessor Object: SF_SSH (IPV6)  Version 1.1  <Build 3>
           Preprocessor Object: SF_REPUTATION (IPV6)  Version 1.1
<Build 1>
Commencing packet processing (pid=2256)

Looks good so far... however, mysql isn't taking any input yet, i
haven't started barnyard2, and what is the ./m4 for? that autoreconf
didnt error out but i look like it didn't do anything either.. should
have showed a little stdout. lol


more on barnyard2 to follow






On Sat, 2012-09-08 at 07:56 -0400, Joel Esler wrote:

> Are you outputting in binary (tcpdump) format, or are you outputting in unified2?
> 
> --
> Joel Esler
> Sent from my iPad 
> 
> On Sep 8, 2012, at 2:15 AM, PR <oly562 at ...2420...> wrote:
> 
> > snort wont start up... trying to view the logs - of course they are not
> > viewable with less/more.
> > example:
> > less /var/log/snort/snort.log.1346948607 
> > "/var/log/snort/snort.log.1346948607" may be a binary file.  See it
> > anyway?
> > 
> > 
> > here is the latest set of warnings:
> > 
> > # ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf
> > -I Security
> > 
> >    http://code.google.com/p/pulledpork/
> >      _____ ____
> >     `----,\    )
> >      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >       `--==\\/
> >     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >  @_/        /  66\_  cummingsj at ...2420...
> >    |    \   \   _(")
> >     \   /-| ||'--'  Rules give me wings!
> >      \_\  \_\\
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 
> > Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
> >    They Match
> >    Done!
> > Prepping rules from snortrules-snapshot-2920.tar.gz for work....
> >    Done!
> > Reading rules...
> > Generating Stub Rules....
> >    An error occurred: !! WARNING: The database output plugins are
> > considered deprecated as
> > 
> >    An error occurred: WARNING: ip4 normalizations disabled because not
> > inline.
> > 
> >    An error occurred: WARNING: tcp normalizations disabled because not
> > inline.
> > 
> >    An error occurred: WARNING: icmp4 normalizations disabled because not
> > inline.
> > 
> >    An error occurred: WARNING: ip6 normalizations disabled because not
> > inline.
> > 
> >    An error occurred: WARNING: icmp6 normalizations disabled because not
> > inline.
> > 
> >    Done
> > Reading rules...
> > Reading rules...
> > Reading rules...
> > Activating Security rulesets....
> >    Done
> > Setting Flowbit State....
> >    Enabled 637 flowbits
> >    Enabled 47 flowbits
> >    Enabled 4 flowbits
> >    Enabled 2 flowbits
> >    Done
> > Writing /etc/snort/rules/snort.rules....
> >    Done
> > Writing /usr/local/etc/snort/rules/so_rules.rules....
> >    Done
> > Generating sid-msg.map....
> >    Done
> > Writing /usr/local/etc/snort/sid-msg.map....
> >    Done
> > Writing /var/log/sid_changes.log....
> >    Done
> > Rule Stats....
> >    New:-------0
> >    Deleted:---0
> >    Enabled Rules:----6129
> >    Dropped Rules:----0
> >    Disabled Rules:---6875
> >    Total Rules:------13004
> >    Done
> > Please review /var/log/sid_changes.log for additional details
> > Fly Piggy Fly/crash....!
> > 
> > 
> > more to follow.. sighs...
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > On Fri, 2012-09-07 at 20:25 -0700, PR wrote:
> >> ha ha you funny dr jones... said like shorty ;)
> >> 
> >> On Fri, 2012-09-07 at 22:16 -0400, Joel Esler wrote:
> >>> I don't have a template for that question.  Others, yes. 
> >>> 
> >>> --
> >>> Joel Esler
> >>> Sent from my iPad 
> >>> 
> >>> On Sep 7, 2012, at 9:30 PM, PR <oly562 at ...2420...> wrote:
> >>> 
> >>>> yep thanks for the templated noobish user response. ;) 
> >>>> 
> >>>> On Fri, 2012-09-07 at 18:17 -0400, Joel Esler wrote:
> >>>>> If you are not a subscriber, yes. You'll need to wait your 15 minutes. 
> >>>>> 
> >>>>> But no, 2.9.2 is no longer supported. Please see the bottom of http://www.snort.org/vrt/rules/eol_policyfor currently supported versions and when they will expire. 
> >>>>> 
> >>>>> --
> >>>>> Joel Esler
> >>>>> 
> >>>>> On Sep 7, 2012, at 4:17 PM, PR <oly562 at ...2420...> wrote:
> >>>>> 
> >>>>>> i guess i should wait 15 mins? i dont think i can grab another since i
> >>>>>> dont pay for rules... what do you think? should i just go for it?
> >>>>>> 
> >>>>>> 
> >>>>>> 
> >>>>>> On Fri, 2012-09-07 at 13:15 -0700, PR wrote:
> >>>>>>> next error... i mv'd this file, guess i should put it back...
> >>>>>>> 
> >>>>>>> ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf
> >>>>>>> -I Security
> >>>>>>> 
> >>>>>>>  http://code.google.com/p/pulledpork/
> >>>>>>>    _____ ____
> >>>>>>>   `----,\    )
> >>>>>>>    `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >>>>>>>     `--==\\/
> >>>>>>>   .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >>>>>>> @_/        /  66\_  cummingsj at ...2420...
> >>>>>>>  |    \   \   _(")
> >>>>>>>   \   /-| ||'--'  Rules give me wings!
> >>>>>>>    \_\  \_\\
> >>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>>>>>> 
> >>>>>>> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
> >>>>>>> Rules tarball download of snortrules-snapshot-2920.tar.gz....
> >>>>>>>  They Match
> >>>>>>>  Done!
> >>>>>>> Prepping rules from snortrules-snapshot-2920.tar.gz for work....
> >>>>>>>  Done!
> >>>>>>> Reading rules...
> >>>>>>> Generating Stub Rules....
> >>>>>>>  An error occurred: ERROR: Unable to open rules file
> >>>>>>> "/usr/local/etc/snort/database.conf": No such file or directory.
> >>>>>>> 
> >>>>>>>  An error occurred: Fatal Error, Quitting..
> >>>>>>> 
> >>>>>>> 
> >>>>>>> more to follow....
> >>>>>>> 
> >>>>>>> On Fri, 2012-09-07 at 12:30 -0700, PR wrote:
> >>>>>>>> opps, i figured out my mistake lolol...
> >>>>>>>> 
> >>>>>>>> ok but now i run into the same prob as before. versioning!
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> here is what i get when i do the cmd properly at tail of stdout:
> >>>>>>>> 
> >>>>>>>> The specified Snort binary does not exist!
> >>>>>>>> Please correct the value or specify the FULL rules tarball name in the
> >>>>>>>> pulledpork.conf!
> >>>>>>>> at ./pulledpork.pl line 1736.
> >>>>>>>> 
> >>>>>>>> i will goto pulledpork.pl line 1736 now. brb.......
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> ok, i thought, no i swear it says on snort.org page, pulledpork will
> >>>>>>>> automajically decide which version to download/upgrade rules too.
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> -*> Snort! <*-
> >>>>>>>> o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
> >>>>>>>> ''''    By Martin Roesch & The Snort Team:
> >>>>>>>> 
> >>>>>>>> so...... let me guess 2.9.2 isnt "supported" here is what i think, i
> >>>>>>>> think it's too hard for anyone to simply update rules unless you always
> >>>>>>>> update your snort program to the same version, thats just ludacrious!
> >>>>>>>> 
> >>>>>>>> yes im running acidbase, yes it was loaded with apt-get install
> >>>>>>>> snort-mysql snort acidbase, so what... 
> >>>>>>>> 
> >>>>>>>> i can move files and confs to point in right direction, not the issue,
> >>>>>>>> its the updating of the snort program and ONLY allowing automation to
> >>>>>>>> those who either 
> >>>>>>>> 1. pay
> >>>>>>>> 2. pay to have you guys install
> >>>>>>>> 3. pay to stay current
> >>>>>>>> 4. pay pay pay, rather than providing a script that keeps the snort
> >>>>>>>> program updated no matter what version you have in reason like 2.9.x
> >>>>>>>> 5. How about fixing that perl script on the server side to allows us to
> >>>>>>>> download the files automajically as it claims
> >>>>>>>> 
> >>>>>>>> i used snort since the begging, it always was easy to update so forth, 
> >>>>>>>> but now, it's getting silly. 
> >>>>>>>> 
> >>>>>>>> ok, there im done ranting, however, i still need FREE input, like
> >>>>>>>> community input.
> >>>>>>>> 
> >>>>>>>> if not, as usual i will just figure it out, may take a while but i'll
> >>>>>>>> get it, i have before, and can do again. im complaining becuz its not
> >>>>>>>> simple anymore. or as simple as it can be to download some rules
> >>>>>>>> automatically.
> >>>>>>>> 
> >>>>>>>> sighs.... you can comment if you like, but i know each of you have been
> >>>>>>>> here before at some point in your snorting career... 
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> 
> >>>>>>>> On Fri, 2012-09-07 at 12:13 -0700, PR wrote:
> >>>>>>>>> hi all,
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 1. modified and created dirs for what pulledpork.conf requires as root
> >>>>>>>>> user.
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 2. ran this cmd:
> >>>>>>>>> 
> >>>>>>>>> root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 3. got this error:
> >>>>>>>>> 
> >>>>>>>>> root at ...3729...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
> >>>>>>>>> ./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX:
> >>>>>>>>> command not found
> >>>>>>>>> ./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not
> >>>>>>>>> found
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 4. here is the conf in entirety:
> >>>>>>>>> 
> >>>>>>>>> # more pulledpork.conf 
> >>>>>>>>> # Config file for pulledpork
> >>>>>>>>> # Be sure to read through the entire configuration file
> >>>>>>>>> # If you specify any of these items on the command line, it WILL take 
> >>>>>>>>> # precedence over any value that you specify in this file!
> >>>>>>>>> 
> >>>>>>>>> #######
> >>>>>>>>> #######  The below section defines what your oinkcode is (required
> >>>>>>>>> for 
> >>>>>>>>> #######  VRT rules), defines a temp path (must be writable) and also 
> >>>>>>>>> #######  defines what version of rules that you are getting (for your 
> >>>>>>>>> #######  snort version and subscription etc...)
> >>>>>>>>> ####### 
> >>>>>>>>> 
> >>>>>>>>> # The rule_url value replaces the old base_url and rule_file
> >>>>>>>>> configuration
> >>>>>>>>> # options.  You can now specify one or as many rule_urls as you like,
> >>>>>>>>> they 
> >>>>>>>>> # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You
> >>>>>>>>> can specif
> >>>>>>>>> y
> >>>>>>>>> # each on an individual line, or you can specify them in a , separated
> >>>>>>>>> list
> >>>>>>>>> # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
> >>>>>>>>> # note that the url, rule file, and oinkcode itself are separated by a
> >>>>>>>>> pipe |
> >>>>>>>>> # i.e. url|tarball|123456789, 
> >>>>>>>>> #rule_url=https://www.snort.org/reg-rules/|
> >>>>>>>>> snortrules-snapshot.tar.gz|<oinkcode>
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> ##*** ( here is line 21 )***
> >>>>>>>>> 
> >>>>>>>>> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
> >>>>>>>>> 6d31c34a34b
> >>>>>>>>> 8e7d8a42751d16b50e3dda634XXXX
> >>>>>>>>> 
> >>>>>>>>> # get the rule docs!
> >>>>>>>>> #rule_url=https://www.snort.org/reg-rules/|opensource.gz|
> >>>>>>>>> 6d31c34a34b8e7d8a42751d
> >>>>>>>>> 16b50e3dda634XXXX
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|
> >>>>>>>>> open
> >>>>>>>>> # THE FOLLOWING URL is for etpro downloads, note the tarball name
> >>>>>>>>> change!
> >>>>>>>>> # and the et oinkcode requirement!
> >>>>>>>>> #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et
> >>>>>>>>> oinkcode>
> >>>>>>>>> # NOTE above that the VRT snortrules-snapshot does not contain the
> >>>>>>>>> version
> >>>>>>>>> # portion of the tarball name, this is because PP now automatically
> >>>>>>>>> populates
> >>>>>>>>> # this value for you, if, however you put the version information in,
> >>>>>>>>> PP will
> >>>>>>>>> # NOT populate this value but will use your value!
> >>>>>>>>> 
> >>>>>>>>> # Specify rule categories to ignore from the tarball in a comma
> >>>>>>>>> separated list
> >>>>>>>>> # with no spaces.  There are four ways to do this:
> >>>>>>>>> # 1) Specify the category name with no suffix at all to ignore the
> >>>>>>>>> category
> >>>>>>>>> #    regardless of what rule-type it is, ie: netbios
> >>>>>>>>> # 2) Specify the category name with a '.rules' suffix to ignore only
> >>>>>>>>> gid 1
> >>>>>>>>> #    rulefiles located in the /rules directory of the tarball, ie:
> >>>>>>>>> policy.rules
> >>>>>>>>> # 3) Specify the category name with a '.preproc' suffix to ignore only
> >>>>>>>>> #    preprocessor rules located in the /preproc_rules directory of the
> >>>>>>>>> tarball,
> >>>>>>>>> #    ie: sensitive-data.preproc
> >>>>>>>>> # 4) Specify the category name with a '.so' suffix to ignore only
> >>>>>>>>> shared-object
> >>>>>>>>> #    rules located in the /so_rules directory of the tarball, ie:
> >>>>>>>>> netbios.so
> >>>>>>>>> # The example below ignores dos rules wherever they may appear,
> >>>>>>>>> sensitive-
> >>>>>>>>> # data preprocessor rules, p2p so-rules (while including gid 1 p2p
> >>>>>>>>> rules),
> >>>>>>>>> # and netbios gid-1 rules (while including netbios so-rules):
> >>>>>>>>> # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
> >>>>>>>>> # These defaults are reasonable for the VRT ruleset with Snort
> >>>>>>>>> 2.9.0.x.
> >>>>>>>>> ignore=deleted.rules,experimental.rules,local.rules
> >>>>>>>>> # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out
> >>>>>>>>> the
> >>>>>>>>> # previous ignore line and uncomment the following!
> >>>>>>>>> #
> >>>>>>>>> ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
> >>>>>>>>> 
> >>>>>>>>> # Define your Oinkcode - DEPRICATED, SEE RULE_URL
> >>>>>>>>> # oinkcode=replacethiswithyouroinkcode
> >>>>>>>>> 
> >>>>>>>>> # What is our temp path, be sure this path has a bit of space for
> >>>>>>>>> rule 
> >>>>>>>>> # extraction and manipulation, no trailing slash
> >>>>>>>>> temp_path=/tmp
> >>>>>>>>> 
> >>>>>>>>> #######
> >>>>>>>>> #######  The below section is for rule processing.  This section is 
> >>>>>>>>> #######  required if you are not specifying the configuration using
> >>>>>>>>> #######  runtime switches.  Note that runtime switches do SUPERSEED 
> >>>>>>>>> #######  any values that you have specified here!
> >>>>>>>>> #######
> >>>>>>>>> 
> >>>>>>>>> # What path you want the .rules file containing all of the processed 
> >>>>>>>>> # rules? (this value has changed as of 0.4.0, previously we copied 
> >>>>>>>>> # all of the rules, now we are creating a single large rules file
> >>>>>>>>> # but still keeping a separate file for your so_rules!
> >>>>>>>>> rule_path=/usr/local/etc/snort/rules/snort.rules
> >>>>>>>>> 
> >>>>>>>>> # What path you want the .rules files to be written to, this is UNIQUE
> >>>>>>>>> # from the rule_path and cannot be used in conjunction, this is to be
> >>>>>>>>> used with 
> >>>>>>>>> the
> >>>>>>>>> # -k runtime flag, this can be set at runtime using the -K flag or
> >>>>>>>>> specified
> >>>>>>>>> # here.  If specified here, the -k option must also be passed at
> >>>>>>>>> runtime, however
> >>>>>>>>> # specifying -K <path> at runtime forces the -k option to also be set
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> ###(created all the dirs and pointed to currently snort.conf )
> >>>>>>>>> 
> >>>>>>>>> # out_path=/usr/local/etc/snort/rules/
> >>>>>>>>> 
> >>>>>>>>> # If you are running any rules in your local.rules file, we need to
> >>>>>>>>> # know about them to properly build a sid-msg.map that will contain
> >>>>>>>>> your
> >>>>>>>>> # local.rules metadata (msg) information.  You can specify other rules
> >>>>>>>>> # files that are local to your system here by adding a comma and more
> >>>>>>>>> paths...
> >>>>>>>>> # remember that the FULL path must be specified for EACH value.
> >>>>>>>>> # local_rules=/path/to/these.rules,/path/to/those.rules
> >>>>>>>>> ###(yadda)
> >>>>>>>>> 
> >>>>>>>>> local_rules=/usr/local/etc/snort/rules/local.rules
> >>>>>>>>> 
> >>>>>>>>> # Where should I put the sid-msg.map file?
> >>>>>>>>> sid_msg=/usr/local/etc/snort/sid-msg.map
> >>>>>>>>> 
> >>>>>>>>> # Where do you want me to put the sid changelog?  This is a changelog 
> >>>>>>>>> # that pulledpork maintains of all new sids that are imported
> >>>>>>>>> sid_changelog=/var/log/sid_changes.log
> >>>>>>>>> # this value is optional
> >>>>>>>>> 
> >>>>>>>>> #######
> >>>>>>>>> #######  The below section is for so_rule processing only.  If you
> >>>>>>>>> don't
> >>>>>>>>> #######  need to use them.. then comment this section out!
> >>>>>>>>> #######  Alternately, if you are not using pulledpork to process 
> >>>>>>>>> #######  so_rules, you can specify -T at runtime to bypass this
> >>>>>>>>> altogether
> >>>>>>>>> #######
> >>>>>>>>> 
> >>>>>>>>> # What path you want the .so files to actually go to *i.e. where is it
> >>>>>>>>> # defined in your snort.conf, needs a trailing slash
> >>>>>>>>> sorule_path=/usr/local/lib/snort_dynamicrules/
> >>>>>>>>> 
> >>>>>>>>> # Path to the snort binary, we need this to generate the stub files
> >>>>>>>>> #snort_path=/usr/local/bin/snort
> >>>>>>>>> 
> >>>>>>>>> (modified current path)
> >>>>>>>>> 
> >>>>>>>>> snort_path=/usr/sbin/snort
> >>>>>>>>> 
> >>>>>>>>> # We need to know where your snort.conf file lives so that we can
> >>>>>>>>> # generate the stub files
> >>>>>>>>> 
> >>>>>>>>> config_path=/usr/local/etc/snort/snort.conf
> >>>>>>>>> 
> >>>>>>>>> # This is the file that contains all of the shared object rules that
> >>>>>>>>> pulledpork
> >>>>>>>>> # has processed, note that this has changed as of 0.4.0 just like the
> >>>>>>>>> rules_path
> >>>>>>>>> !
> >>>>>>>>> sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> >>>>>>>>> 
> >>>>>>>>> # Define your distro, this is for the precompiled shared object libs!
> >>>>>>>>> # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
> >>>>>>>>> # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
> >>>>>>>>> # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
> >>>>>>>>> # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0,
> >>>>>>>>> FreeBSD-8-1
> >>>>>>>>> # OpenSUSE-11-3
> >>>>>>>>> distro=FreeBSD-8.0
> >>>>>>>>> 
> >>>>>>>>> #######  This next section is optional, but probably pretty useful to
> >>>>>>>>> you.
> >>>>>>>>> #######  Please read thoroughly!
> >>>>>>>>> 
> >>>>>>>>> # What do you want to backup and archive?  This is a comma separated
> >>>>>>>>> list
> >>>>>>>>> # of file or directory values.  If a directory is specified, PP will
> >>>>>>>>> recurse
> >>>>>>>>> # through said directory and all subdirectories to archive all files.
> >>>>>>>>> # The following example backs up all snort config files, rules,
> >>>>>>>>> pulledpork
> >>>>>>>>> # config files, and snort shared object binary rules.
> >>>>>>>>> #
> >>>>>>>>> backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dyn
> >>>>>>>>> amicrules/
> >>>>>>>>> 
> >>>>>>>>> # what path and filename should we use for the backup tarball?
> >>>>>>>>> # note that an epoch time value and the .tgz extension is
> >>>>>>>>> automatically added
> >>>>>>>>> # to the backup_file name on completeion i.e. the written file is:
> >>>>>>>>> # pp_backup.1295886020.tgz
> >>>>>>>>> # backup_file=/tmp/pp_backup
> >>>>>>>>> 
> >>>>>>>>> # Where do you want the signature docs to be copied, if this is
> >>>>>>>>> commented 
> >>>>>>>>> # out then they will not be copied / extracted.  Note that extracting
> >>>>>>>>> them 
> >>>>>>>>> # will add considerable runtime to pulledpork.
> >>>>>>>>> # docs=/path/to/base/www
> >>>>>>>>> 
> >>>>>>>>> # The following option, state_order, allows you to more finely control
> >>>>>>>>> the order
> >>>>>>>>> # that pulledpork performs the modify operations, specifically the
> >>>>>>>>> enablesid
> >>>>>>>>> # disablesid and dropsid functions.  An example use case here would be
> >>>>>>>>> to
> >>>>>>>>> # disable an entire category and later enable only a rule or two out
> >>>>>>>>> of it.
> >>>>>>>>> # the valid values are disable, drop, and enable.
> >>>>>>>>> # state_order=disable,drop,enable
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> # Define the path to the pid files of any running process that you
> >>>>>>>>> want to
> >>>>>>>>> # HUP after PP has completed its run.
> >>>>>>>>> #
> >>>>>>>>> pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
> >>>>>>>>> # and so on...
> >>>>>>>>> # pid_path=/var/run/snort_eth0.pid
> >>>>>>>>> 
> >>>>>>>>> # This defines the version of snort that you are using, for use ONLY
> >>>>>>>>> if the 
> >>>>>>>>> # proper snort binary is not on the system that you are fetching the
> >>>>>>>>> rules with
> >>>>>>>>> # Defining this value will set the Textonly flag, and thus will NOT
> >>>>>>>>> allow
> >>>>>>>>> # you to use shared object rules.  This value MUST contain all 4 minor
> >>>>>>>>> version
> >>>>>>>>> # numbers. ET rules are now also dependant on this, verify supported
> >>>>>>>>> ET versions
> >>>>>>>>> # prior to simply throwing rubbish in this variable kthx!
> >>>>>>>>> # snort_version=2.9.0.0
> >>>>>>>>> 
> >>>>>>>>> # Here you can specify what rule modification files to run
> >>>>>>>>> automatically.
> >>>>>>>>> # simply uncomment and specify the apt path.
> >>>>>>>>> # enablesid=/usr/local/etc/snort/enablesid.conf
> >>>>>>>>> # dropsid=/usr/local/etc/snort/dropsid.conf
> >>>>>>>>> # disablesid=/usr/local/etc/snort/disablesid.conf
> >>>>>>>>> # modifysid=/usr/local/etc/snort/modifysid.conf
> >>>>>>>>> 
> >>>>>>>>> # What is the base ruleset that you want to use, please uncomment to
> >>>>>>>>> use
> >>>>>>>>> # and see the README.RULESETS for a description of the options.  
> >>>>>>>>> # Note that setting this value will disable all ET rulesets if you
> >>>>>>>>> are 
> >>>>>>>>> # Running such rulesets
> >>>>>>>>> # ips_policy=security
> >>>>>>>>> 
> >>>>>>>>> ####### Remember, a number of these values are optional.. if you
> >>>>>>>>> don't 
> >>>>>>>>> ####### need to process so_rules, simply comment out the so_rule
> >>>>>>>>> section
> >>>>>>>>> ####### you can also specify -T at runtime to process only GID 1
> >>>>>>>>> rules.
> >>>>>>>>> 
> >>>>>>>>> version=0.6.0
> >>>>>>>>> 
> >>>>>>>>> 
> >>>>>>>>> 5. your thoughts? your suggestions?
> >>>>>>>>> 
> >>>>>>>>> thanks, pete
> >>>> 
> > 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120908/de171f9d/attachment.html>


More information about the Snort-sigs mailing list