[Snort-users] PulledPork and missing sets

Lay, James james.lay at ...15009...
Wed Jul 6 15:10:12 EDT 2011


Ya helps if I add the -k....8-|.....is it Friday yet??

James

> -----Original Message-----
> From: Lay, James [mailto:james.lay at ...15009...]
> Sent: Wednesday, July 06, 2011 11:24 AM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] PulledPork and missing sets
> 
> Hey all,
> 
> So....I'm still evaluating pp vs. oinkmaster.  After I run pulled pork I
> have 46 emerging threats rulesets, yet the downloaded tarball shows 53
> rulesets....why?  Thanks for any help.
> 
> James
> 
> 
> 
> The pp run:
> sudo perl /opt/bin/pulledpork.pl -c
> /opt/etc/snort/pulledpork/pulledpork.conf -T
> 
> 
> Pulledpork.conf:
> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2905.tar.gz|<oinkcode>
> rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
> 
> ignore=deleted.rules,experimental.rules,local.rules
> temp_path=/tmp
> out_path=/opt/etc/snort/rules/
> rule_path=/opt/etc/snort/rules/snort.rules
> local_rules=/opt/etc/snort/rules/local.rules
> sid_msg=/opt/etc/snort/sid-msg.map
> sid_changelog=/var/log/sid_changes.log
> sorule_path=/opt/lib/snort_dynamicrules/
> snort_path=/opt/bin/snort
> config_path=/opt/etc/snort/snort.conf
> sostub_path=/opt/etc/snort/rules/so_rules.rules
> 
> 
> 
> Results of the run:
> Checking latest MD5 for snortrules-snapshot-2905.tar.gz....
>         No Match
>         Done
> Rules tarball download of snortrules-snapshot-2905.tar.gz....
>         They Match
>         Done!
> Prepping rules from snortrules-snapshot-2905.tar.gz for work....
>         Done!
> Checking latest MD5 for emerging.rules.tar.gz....
>         No Match
>         Done
> Rules tarball download of emerging.rules.tar.gz....
>         They Match
>         Done!
> Prepping rules from emerging.rules.tar.gz for work....
>         Done!
> Reading rules...
> Setting Flowbit State....
>         Enabled 57 flowbits
>         Enabled 25 flowbits
>         Done
> Writing /opt/etc/snort/rules/snort.rules....
>         Done
> Generating sid-msg.map....
>         Done
> Writing /opt/etc/snort/sid-msg.map....
>         Done
> Writing /var/log/sid_changes.log....
>         Done
> Rule Stats....
>         New:-------26715
>         Deleted:---0
>         Enabled Rules:----19385
>         Dropped Rules:----0
>         Disabled Rules:---7330
>         Total Rules:------26715
>         Done
> Please review /var/log/sid_changes.log for additional details
> 
> 
> After the run 46 rulesets:
> ET-emerging-activex.rules
> ET-emerging-attack_response.rules
> ET-emerging-botcc-BLOCK.rules
> ET-emerging-botcc.rules
> ET-emerging-chat.rules
> ET-emerging-ciarmy.rules
> ET-emerging-compromised-BLOCK.rules
> ET-emerging-compromised.rules
> ET-emerging-current_events.rules
> ET-emerging-deleted.rules
> ET-emerging-dns.rules
> ET-emerging-dos.rules
> ET-emerging-drop-BLOCK.rules
> ET-emerging-drop.rules
> ET-emerging-dshield-BLOCK.rules
> ET-emerging-dshield.rules
> ET-emerging-exploit.rules
> ET-emerging-ftp.rules
> ET-emerging-games.rules
> ET-emerging-inappropriate.rules
> ET-emerging-malware.rules
> ET-emerging-misc.rules
> ET-emerging-mobile_malware.rules
> ET-emerging-netbios.rules
> ET-emerging-p2p.rules
> ET-emerging-policy.rules
> ET-emerging-rbn-BLOCK.rules
> ET-emerging-rbn.rules
> ET-emerging-scada.rules
> ET-emerging-scan.rules
> ET-emerging-shellcode.rules
> ET-emerging-smtp.rules
> ET-emerging-snmp.rules
> ET-emerging-sql.rules
> ET-emerging-telnet.rules
> ET-emerging-tftp.rules
> ET-emerging-tor-BLOCK.rules
> ET-emerging-tor.rules
> ET-emerging-trojan.rules
> ET-emerging-user_agents.rules
> ET-emerging-virus.rules
> ET-emerging-voip.rules
> ET-emerging-web_client.rules
> ET-emerging-web_server.rules
> ET-emerging-web_specific_apps.rules
> ET-emerging-worm.rules
> 
> Downloaded ET tarball shows 53 rulesets:
> emerging-activex.rules
> emerging-attack_response.rules
> emerging-botcc-BLOCK.rules
> emerging-botcc.rules
> emerging-chat.rules
> emerging-ciarmy.rules
> emerging-compromised-BLOCK.rules
> emerging-compromised.rules
> emerging-current_events.rules
> emerging-deleted.rules
> emerging-dns.rules
> emerging-dos.rules
> emerging-drop-BLOCK.rules
> emerging-drop.rules
> emerging-dshield-BLOCK.rules
> emerging-dshield.rules
> emerging-exploit.rules
> emerging-ftp.rules
> emerging-games.rules
> emerging-icmp_info.rules
> emerging-icmp.rules
> emerging-imap.rules
> emerging-inappropriate.rules
> emerging-malware.rules
> emerging-misc.rules
> emerging-mobile_malware.rules
> emerging-netbios.rules
> emerging-p2p.rules
> emerging-policy.rules
> emerging-pop3.rules
> emerging-rbn-BLOCK.rules
> emerging-rbn-malvertisers-BLOCK.rules
> emerging-rbn-malvertisers.rules
> emerging-rbn.rules
> emerging-rpc.rules
> emerging-scada.rules
> emerging-scan.rules
> emerging-shellcode.rules
> emerging-smtp.rules
> emerging-snmp.rules
> emerging-sql.rules
> emerging-telnet.rules
> emerging-tftp.rules
> emerging-tor-BLOCK.rules
> emerging-tor.rules
> emerging-trojan.rules
> emerging-user_agents.rules
> emerging-virus.rules
> emerging-voip.rules
> emerging-web_client.rules
> emerging-web_server.rules
> emerging-web_specific_apps.rules
> emerging-worm.rules
> 
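The comparison the original post does by hand (listing the out_path and the downloaded tarball and counting rule sets) as an added Python example; this is not code from the post or from PulledPork. It assumes only what the listings above show: the tarball carries files named `emerging-<category>.rules` and PulledPork writes per-category files to out_path as `ET-emerging-<category>.rules`. The two embedded lists are constructed from the post's listings; `tarball_members` and `out_path_files` are helpers for running the same check against a real tarball and directory.

```python
"""Report which Emerging Threats rule categories from a downloaded tarball did
not make it into the PulledPork out_path as separate per-category files.

Added example, not PulledPork's own code. Assumes (as the listings in the post
show) that PulledPork names per-category files "ET-emerging-<cat>.rules" in
out_path while the tarball carries them as "emerging-<cat>.rules".
"""
import os
import re
import tarfile
from typing import Iterable, List, Optional, Set

# Matches both the tarball form (emerging-dns.rules) and the out_path form
# (ET-emerging-dns.rules); directory components are stripped before matching.
CATEGORY_RE = re.compile(r"^(?:ET-)?emerging-(?P<cat>.+)\.rules$")


def category(filename: str) -> Optional[str]:
    """Return the ET category name for a rule file, or None for other files."""
    m = CATEGORY_RE.match(os.path.basename(filename))
    return m.group("cat") if m else None


def categories(names: Iterable[str]) -> Set[str]:
    """Set of ET categories present in a list of file names."""
    return {c for c in (category(n) for n in names) if c is not None}


def missing_categories(tarball_names: Iterable[str],
                       out_path_names: Iterable[str]) -> List[str]:
    """Categories present in the tarball with no per-category file in out_path."""
    return sorted(categories(tarball_names) - categories(out_path_names))


def tarball_members(path: str) -> List[str]:
    """File names inside a real emerging.rules.tar.gz (for a live run)."""
    with tarfile.open(path, "r:gz") as tf:
        return [m.name for m in tf.getmembers() if m.isfile()]


def out_path_files(path: str) -> List[str]:
    """File names in a real out_path directory (for a live run)."""
    return os.listdir(path)


# Constructed sample data, transcribed from the two listings in the post:
# 53 categories in the tarball, 46 ET-prefixed files in out_path.
_TARBALL_CATS = """
activex attack_response botcc-BLOCK botcc chat ciarmy compromised-BLOCK
compromised current_events deleted dns dos drop-BLOCK drop dshield-BLOCK
dshield exploit ftp games icmp_info icmp imap inappropriate malware misc
mobile_malware netbios p2p policy pop3 rbn-BLOCK rbn-malvertisers-BLOCK
rbn-malvertisers rbn rpc scada scan shellcode smtp snmp sql telnet tftp
tor-BLOCK tor trojan user_agents virus voip web_client web_server
web_specific_apps worm
""".split()
_OUT_CATS = """
activex attack_response botcc-BLOCK botcc chat ciarmy compromised-BLOCK
compromised current_events deleted dns dos drop-BLOCK drop dshield-BLOCK
dshield exploit ftp games inappropriate malware misc mobile_malware netbios
p2p policy rbn-BLOCK rbn scada scan shellcode smtp snmp sql telnet tftp
tor-BLOCK tor trojan user_agents virus voip web_client web_server
web_specific_apps worm
""".split()
TARBALL_SAMPLE = [f"rules/emerging-{c}.rules" for c in _TARBALL_CATS]
# out_path also holds the merged snort.rules, which is not a category file.
OUT_PATH_SAMPLE = [f"ET-emerging-{c}.rules" for c in _OUT_CATS] + ["snort.rules"]


def report(tarball_names: Iterable[str], out_path_names: Iterable[str]) -> str:
    """Human-readable summary: category counts plus the missing file names."""
    tarball_names, out_path_names = list(tarball_names), list(out_path_names)
    missing = missing_categories(tarball_names, out_path_names)
    lines = [f"tarball: {len(categories(tarball_names))} categories, "
             f"out_path: {len(categories(out_path_names))} categories"]
    lines += [f"  missing: emerging-{c}.rules" for c in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TARBALL_SAMPLE, OUT_PATH_SAMPLE))
```

Against the post's listings this reports the seven categories (icmp, icmp_info, imap, pop3, rbn-malvertisers, rbn-malvertisers-BLOCK, rpc) that account for the 53 versus 46 gap. With the paths from the posted pulledpork.conf (temp_path=/tmp, out_path=/opt/etc/snort/rules/), a live check is `report(tarball_members("/tmp/emerging.rules.tar.gz"), out_path_files("/opt/etc/snort/rules/"))`, which is a quick way to confirm after a run that every category in the download is represented in out_path.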