[Snort-sigs] I'm getting close, I smell more bacon

JJC cummingsj at ...2420...
Fri Sep 14 11:22:50 EDT 2012


Absolutely... so, pretty straightforward: everything that you specified at
runtime can be specified in the pulledpork.conf file, which can then be
called (as you have done) using the -c <path to pulledpork.conf> runtime
flag.

You have a few errors:

   1. If you are planning on using SO rules, you must specify an arch
   2. You have specified the path to an existing directory as the exact
   same path that you want to write your snort rules to.  You will need to add
   an additional /filename and specify said filename in your snort.conf as the
   rules file...
   3. Was there a guide that you used to get to this point or?

JJC
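
The two mistakes above are easy to catch before pulledpork.pl ever runs. The following is an added example, not code from the thread or from the PulledPork project: a small POSIX sh pre-flight check that reads a pulledpork.conf, and fails if sorule_path is set without a distro (my understanding is that pulledpork derives the SO arch from the distro= line, which is what leaves $arch uninitialized), or if rule_path points at an existing directory instead of a file. The key names rule_path, sorule_path and distro are the ones used in pulledpork.conf; the sample config files and paths it builds under mktemp are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a pulledpork.conf before
# running pulledpork.pl. It catches the two errors JJC points out:
#   1. SO rules requested (sorule_path set) with no distro= -> $arch uninitialized
#   2. rule_path names an existing directory -> "Unable to write ... Is a directory"
# Assumption: pulledpork picks the SO arch from distro=. Paths below are sample values.

# Print the value of key $2 from conf file $1 ("key=value", comments ignored).
# Prints nothing when the key is absent or empty.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 when the conf looks safe to run, 1 otherwise; reasons go to stderr.
check_pulledpork_conf() {
    conf=$1
    status=0
    sorule_path=$(conf_get "$conf" sorule_path)
    distro=$(conf_get "$conf" distro)
    rule_path=$(conf_get "$conf" rule_path)

    # Error 1: SO stubs need an arch, which comes from distro=
    if [ -n "$sorule_path" ] && [ -z "$distro" ]; then
        echo "error: sorule_path is set but distro= is empty (SO stubs need an arch)" >&2
        status=1
    fi

    # Error 2: the rules output must be a file (e.g. .../rules/snort.rules), not a directory
    if [ -z "$rule_path" ]; then
        echo "error: rule_path is not set" >&2
        status=1
    elif [ -d "$rule_path" ]; then
        echo "error: rule_path=$rule_path is a directory; append a filename such as snort.rules" >&2
        status=1
    fi
    return $status
}

# Demo with constructed configs: one that reproduces the thread's mistakes, one fixed.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rules"
printf 'rule_path=%s/rules\nsorule_path=%s/so_rules\n' "$demo_dir" "$demo_dir" > "$demo_dir/bad.conf"
printf 'rule_path=%s/rules/snort.rules\nsorule_path=%s/so_rules\ndistro=Ubuntu-12-04\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/good.conf"
if check_pulledpork_conf "$demo_dir/bad.conf"; then echo "bad.conf: ok"; else echo "bad.conf: rejected"; fi
if check_pulledpork_conf "$demo_dir/good.conf"; then echo "good.conf: ok"; else echo "good.conf: rejected"; fi
rm -rf "$demo_dir"
```

Run it against your real config with `check_pulledpork_conf /etc/snort/pulledpork.conf` before `pulledpork.pl -c /etc/snort/pulledpork.conf`; the snort.conf then needs to reference the same rule_path filename (for instance `include $RULE_PATH/snort.rules`) so that Snort loads what pulledpork wrote.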

On Fri, Sep 14, 2012 at 9:10 AM, Joel Esler <jesler at ...435...> wrote:

> JJ, can you help out here?
>
> On Sep 14, 2012, at 3:34 AM, PR <oly562 at ...2420...> wrote:
>
> > OK, I commented out ET rules. Bah, I will deal with that later.
> >
> >
> > 1. I ran
> >
> > ./pulledpork.pl -s /etc/snort/so_rules -p /usr/local/bin/snort
> > -C /etc/snort.conf -i /etc/snort/disablesid.conf
> > -b /etc/snort/dropsid.conf -e /etc/snort/enablesid.conf
> > -M /etc/snort/modifysid.conf -e /etc/snort/enablesid.conf
> > -c /etc/snort/pulledpork.conf -o /etc/snort/rules/
> >
> >
> > 2. I got:
> >
> > Use of uninitialized value $arch in regexp compilation
> > at ./pulledpork.pl line 271.
> >       Done!
> > Reading rules...
> > Generating Stub Rules....
> > Something failed in the gen_stubs sub, please verify your shared object
> > config!
> >       Done
> > Reading rules...
> > Reading rules...
> > Processing /etc/snort/enablesid.conf....
> >       Modified 0 rules
> >       Done
> > Processing /etc/snort/dropsid.conf....
> >       Modified 0 rules
> >       Done
> > Processing /etc/snort/disablesid.conf....
> >       Modified 0 rules
> >       Done
> > Modifying Sids....
> >       Done!
> > Setting Flowbit State....
> >       Enabled 11 flowbits
> >       Enabled 1 flowbits
> >       Done
> > Writing /etc/snort/rules....
> > Unable to write /etc/snort/rules - Is a directory
> > at ./pulledpork.pl line 1083.
> >       main::rule_write('HASH(0x8f682ac)', '/etc/snort/rules', 1, undef)
> > called at ./pulledpork.pl line 1870
> >
> >
> > 3. Also, do I need to define all that stuff on the command line? Couldn't I just
> > uncomment the /etc/snort/disablesid.conf lines in pulledpork.conf? Just
> > wondering.
> >
> >
> > Thanks!!! Any input is really appreciated. I'm learning more and more
> > every day. Pretty soon I will be asking about rule creation lol
> >
> >
> >
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org