[Snort-sigs] I'm getting close, I smell more bacon

PR oly562 at ...2420...
Fri Sep 14 13:11:19 EDT 2012


Hi, and thanks JJ, I appreciate your time in this matter.

Yes, see enclosed the manual/howto for the Ubuntu distro; however, I did
not specify that.

I will specify more in the pulledpork.conf for disablesids and such.

As for SO rules, I'm a little confused about what they are for.

I am reading the 2.9.3 manual from snort.org now. Large manual, which is
good.

Most of the issues I have had are with absolute paths. In one .conf it
states full path, and the ./rules was changed back to ../rules as it is
located in /etc/snort; this is where I put everything: so_rules, gen-msg
and so forth. Perms may be an issue. Each howto says a little something
different, so I just start from scratch each time it doesn't work
(snort, barnyard2, or pulledpork fails).

As for this build, it is going smoother, and surely I will save the
working configs once I understand SO rules better, and other features.

Snort works, barnyard2 works, but pulledpork is the issue right now, and
will be until I figure out what I am doing. I used to use oinkmaster, but
now I will use PP per snort.org suggestions.

More to follow. Thanks again, Pete

On Fri, 2012-09-14 at 09:22 -0600, JJC wrote:
> Absolutely... so pretty straightforward. Everything that you
> specified at runtime can be specified in the pulledpork.conf file, which
> can then be called (as you have done) using the -c <path to
> pulledpork.conf> runtime flag.
> 
> 
> You have a few errors:
>      1. If you are planning on using SO rules, you must specify an
>         arch.
>      2. You have specified the path to an existing directory as the
>         exact same path that you want to write your snort rules to.
>         You will need to add an additional /filename and specify said
>         filename in your snort.conf as the rules file...
>      3. Was there a guide that you used to get to this point, or?
> JJC
> 
> On Fri, Sep 14, 2012 at 9:10 AM, Joel Esler <jesler at ...435...>
> wrote:
>         JJ, can you help out here?
>         
>         On Sep 14, 2012, at 3:34 AM, PR <oly562 at ...2420...> wrote:
>         
>         > OK, I commented out ET rules. Bah, I will deal with that
>         > later.
>         >
>         >
>         > 1. I ran
>         >
>         > ./pulledpork.pl -s /etc/snort/so_rules -p /usr/local/bin/snort \
>         >   -C /etc/snort.conf -i /etc/snort/disablesid.conf \
>         >   -b /etc/snort/dropsid.conf -e /etc/snort/enablesid.conf \
>         >   -M /etc/snort/modifysid.conf -e /etc/snort/enablesid.conf \
>         >   -c /etc/snort/pulledpork.conf -o /etc/snort/rules/
>         >
>         >
>         > 2. I got:
>         >
>         > Use of uninitialized value $arch in regexp compilation at ./pulledpork.pl line 271.
>         >       Done!
>         > Reading rules...
>         > Generating Stub Rules....
>         > Something failed in the gen_stubs sub, please verify your shared object config!
>         >       Done
>         > Reading rules...
>         > Reading rules...
>         > Processing /etc/snort/enablesid.conf....
>         >       Modified 0 rules
>         >       Done
>         > Processing /etc/snort/dropsid.conf....
>         >       Modified 0 rules
>         >       Done
>         > Processing /etc/snort/disablesid.conf....
>         >       Modified 0 rules
>         >       Done
>         > Modifying Sids....
>         >       Done!
>         > Setting Flowbit State....
>         >       Enabled 11 flowbits
>         >       Enabled 1 flowbits
>         >       Done
>         > Writing /etc/snort/rules....
>         > Unable to write /etc/snort/rules - Is a directory at ./pulledpork.pl line 1083.
>         >       main::rule_write('HASH(0x8f682ac)', '/etc/snort/rules', 1, undef) called at ./pulledpork.pl line 1870
>         >
>         >
>         > 3. Also, do I need to define all that stuff on the cmdline?
>         > Couldn't I just uncomment the /etc/snort/disablesid.confs in
>         > pulledpork.conf? Just wondering.
>         >
>         >
>         > Thanks!!! Any input is really appreciated. I'm learning more
>         > and more every day. Pretty soon I will be asking about rule
>         > creation lol
>         >
>         >
>         >
>         
>         
> 
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: deb_snort_howto.pdf
Type: application/pdf
Size: 30014 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120914/70259730/attachment.pdf>
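A small shell pre-flight check for the two mistakes JJC lists (rule output path is a directory, SO rules without an arch), added here as an example; it is not code from this thread or from pulledpork itself. It assumes the pulledpork.conf key names rule_path, sorule_path and distro, treats distro as the "arch" setting JJC refers to, and uses constructed sample configs.

```shell
#!/bin/sh
# Sanity-check a pulledpork.conf for the two mistakes discussed above:
#  - rule_path names an existing directory (it must be a file path)
#  - SO rules are configured (sorule_path) but no distro/arch is set
# Key names rule_path, sorule_path and distro are assumed from pulledpork.conf.

# pp_get <conf> <key>: print the value of key=value, ignoring '#' comment lines.
pp_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_pp_conf <conf>: print one problem per line; exit 0 only if none found.
check_pp_conf() {
    conf=$1; problems=0
    rule_path=$(pp_get "$conf" rule_path)
    sorule_path=$(pp_get "$conf" sorule_path)
    distro=$(pp_get "$conf" distro)
    if [ -z "$rule_path" ]; then
        echo "rule_path is not set"; problems=$((problems + 1))
    elif [ -d "$rule_path" ] || [ "${rule_path%/}" != "$rule_path" ]; then
        echo "rule_path '$rule_path' is a directory; add a file name such as snort.rules"
        problems=$((problems + 1))
    fi
    if [ -n "$sorule_path" ] && [ -z "$distro" ]; then
        echo "sorule_path is set but distro (arch) is not; SO stub generation will fail"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample configs: 'bad' mirrors the thread's failing run
# (-o pointed at the rules directory, no arch), 'good' is the corrected form.
tmp=$(mktemp -d)
mkdir -p "$tmp/rules" "$tmp/so_rules"
cat > "$tmp/bad.conf" <<EOF
rule_path=$tmp/rules/
sorule_path=$tmp/so_rules/
EOF
cat > "$tmp/good.conf" <<EOF
rule_path=$tmp/rules/snort.rules
sorule_path=$tmp/so_rules/
distro=Ubuntu-10-4
EOF
for c in bad good; do
    echo "== $c.conf"
    check_pp_conf "$tmp/$c.conf" && echo "no problems found"
done
```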
