[Snort-users] pulledpork question: do not nuke tarball post-processing and some feature requests

Tony Robinson deusexmachina667 at ...11827...
Sat Dec 8 12:32:10 EST 2012


Hey fellas,

This is a question regarding pulledpork. I would e-mail JJ directly, but I
feel this may be beneficial to future users, so I want to ask here
(besides, one of you may know the answer to this or may have done this
yourselves!)

I'm working on autosnort and dropping in pulled pork integration. I've got
it to work properly, however I'm running into a problem where it is working
*too* well - pp nukes its working directory after running. I want the
tarball in the directory for my script to extract the config files out of
the tarball's etc directory (except sid-msg.map and snort.conf --
sid-msg.map is obvious, but I pulled snort.conf directly from
labs.snort.organd do not want it overwritten during the install). I've
got a work-around
in place that I think will work for now. I read from the pp mailing list
that the script *sort
of*<https://groups.google.com/forum/?fromgroups=#!topic/pulledpork-users/sN-tiK7arE8>supports
processing from local rule tarballs so I wanted to try the
following as a work-around:

1) call pulled pork with -g to just grab the rules tarball.
2) use my script to untar the tarball, grab the conf files and copy them
for the snort install
3) call pulled pork again with the -n option in addition to other options I
want for rule processing. let pulled pork work its magic here

If you are open for pulled pork feature requests however, I would like to
request the following:

1) an option to not nuke the rules tarball post-download
--I can see the subroutine where the temp directory is cleaned out, would
it be as simple as defining a variable for do not clean, a flag for do not
clean and adding in the 'if' statement where the routine is called, to run
cleanup only if this flag is NOT present? Perl isn't my native language,
but if its as simple as that, I would be willing to try and write this
functionality in, test it out and contribute it.

2) an option to copy the config files out of the rule tarball's 'etc'
directory (with the exception of sid-msg.map (and in my case, snort.conf))
-I know how to do this in bash:
-untar the tarball
-use a for loop to copy the files from /tmp/etc directory listing piped to
grep -v used to remove snort.conf and sid-msg.map from the directory
listing, to the defined etc directory for the actual snort installation
-- Have no clue where to even start for doing this in Perl.
-Is this considered out of scope since it isn't strictly rule management?

Cheers,

DA

-- 
when does reality end? when does fantasy begin?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121208/d8d31bd0/attachment.html>


More information about the Snort-users mailing list