[Snort-sigs] Manually download and install Snort Rules updates
snort at ...3751...
Mon Oct 20 16:44:04 EDT 2014
Yes, from PulledPork.conf file.
PulledPork v0.7 no longer maintains a separate file for so_rules, all rules go into the snort.rules file (except local.rule).
You may be able to just copy without hiccups, as long as all configurations and versions match. You will be better off having everything set up so you won't have to worry about it every time you need to update.
Sent from Mobile
From: "Hanson.Webster at ...3973..." <Hanson.Webster at ...3973...>
Sent: 10/20/2014 11:25 PM
Cc: "snort-sigs at lists.sourceforge.net" <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Manually download and install Snort Rules updates
How do I know where PulledPork reads the tarball from? Is it in the pulledpork.conf file or the pulledpork.pl script? Also, could I just copy over the snort.rules and so_rules.rules files from one device to another?
From: Y M [mailto:snort at ...3751...]
Sent: Monday, October 20, 2014 3:34 PM
To: Webster, Hanson
Subject: RE: [Snort-sigs] Manually download and install Snort Rules updates
> From: Hanson.Webster at ...3973...
> To: snort-sigs at lists.sourceforge.net
> Date: Mon, 20 Oct 2014 19:16:55 +0000
> Subject: [Snort-sigs] Manually download and install Snort Rules updates
> I am getting an error when downloading Snort rules updates with pulledpork:
> Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
> Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2962.tar.gz.md5 at /usr/local/snort/pulledpork/pulledpork.pl line 453
> main::md5file('5bdefe8b8ab9de3c9b8bc4d1f85a353d96d05f36', 'snortrules-snapshot-2962.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /usr/local/snort/pulledpork/pulledpork.pl line 1758
> I believe it is a network/firewall issue as this IDS is on a different segment of the network and the other SNORT devices we have are able to successfully download the rules. Until I can get our networking guys to fix this, is there a way to do this manually?
You can either download them directly from snort.org and scp them to the box, or you can copy them from other sensors you have. In either case, you would place the rules tarball into the directory where PulledPork is configured to read the tarball from. For example, if PulledPork is configured to read the tarball from /tmp, this is where you want to copy the tarball.
> Could I take the rules that are downloaded to one of the other devices and copy them to this box? Where would I find the rules and where would I copy them to?
Once the tarball is copied as explained above, you will run PulledPork with some extra parameters, in addition to the ones you have already, to update the rules locally: -nP
-n  Do everything other than download of new files (disablesid, etc)
-P  Process rules even if no new rules were downloaded
This will force PulledPork to process the tarball from the local disk instead of downloading the tarball from the internet.
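The staging procedure described above, written out as an added example that is not from this thread or from PulledPork itself: it reads the tarball directory from pulledpork.conf, checks the tarball against its .md5 sidecar before anything is processed, and prints the -nP command to run. It assumes the conf key is named temp_path (an assumption here) and that the .md5 file was copied alongside the tarball.

```shell
#!/bin/sh
# Added example (not from the thread or PulledPork): stage a rules tarball
# for an offline PulledPork run. Assumes pulledpork.conf carries a
# "temp_path=<dir>" line (key name assumed) and that the tarball's .md5
# sidecar was copied from snort.org or another sensor alongside it.

# Print the temp_path value from a pulledpork.conf; fail if it is absent.
pp_temp_path() {
    dir=$(sed -n '/^[[:space:]]*temp_path[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;q;}' "$1")
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}

# Check the tarball against its .md5 sidecar (first 32 hex chars of the file).
# 0 = match, 1 = mismatch, 2 = tarball or sidecar missing.
pp_verify_md5() {
    [ -f "$1" ] && [ -f "$1.md5" ] || return 2
    expected=$(tr -d '\r\n' < "$1.md5" | cut -c1-32)
    actual=$(md5sum "$1" | cut -c1-32)
    [ "$expected" = "$actual" ]
}

# Copy a verified tarball (and its .md5) into temp_path, then print the
# offline command to run next: -n skips downloading, -P forces processing.
pp_stage() {
    dest=$(pp_temp_path "$1") || return 1
    pp_verify_md5 "$2" || return 1
    mkdir -p "$dest"
    cp "$2" "$2.md5" "$dest/"
    printf 'pulledpork.pl -c %s -nP\n' "$1"
}

# Constructed fixtures so the script runs stand-alone: a conf, a dummy
# tarball and a matching sidecar. Prints the staged tarball's path last.
pp_demo() {
    work=$(mktemp -d)
    tb="$work/snortrules-snapshot-2962.tar.gz"
    printf '# constructed conf\ntemp_path=%s/pp_tmp\n' "$work" > "$work/pulledpork.conf"
    printf 'constructed tarball body\n' > "$tb"
    md5sum "$tb" | cut -c1-32 > "$tb.md5"
    pp_stage "$work/pulledpork.conf" "$tb" || return 1
    printf '%s\n' "$work/pp_tmp/$(basename "$tb")"
}

pp_demo
```

A tarball whose digest does not match the sidecar is never copied into temp_path, so a truncated or tampered copy cannot reach the -nP run.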