[Snort-users] Snort / Pulled Pork Confusion

JJC cummingsj at ...11827...
Wed Oct 3 17:14:58 EDT 2012


Yes

On Wed, Oct 3, 2012 at 3:11 PM, Turnbough, Bradley E. <bturnbough at ...15650...
> wrote:

> So, should I then comment out the 50 or so default rules?
>
>
> -----Original Message-----
> From: Jack [mailto:kingofnerds at ...11827...]
> Sent: Wednesday, October 03, 2012 4:08 PM
> To: Turnbough, Bradley E.
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort / Pulled Pork Confusion
>
> Pulled Pork combines all the files into one file. You need to make sure to
> add the line: "include $RULE_PATH/snort.rules" to the snort.conf file, or
> the pulled pork rules will never be read into memory when snort starts.
>
> On Wed, Oct 3, 2012 at 4:59 PM, Turnbough, Bradley E.
> <bturnbough at ...15650...> wrote:
> > Guys,
> >
> > I'm having a little trouble wrapping my head around the snort and
> > pulled pork interaction. In the snort.conf file, the following rules
> > are defined (by default):
> >
> > include $RULE_PATH/attack-responses.rules
> > include $RULE_PATH/backdoor.rules
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/blacklist.rules
> > include $RULE_PATH/botnet-cnc.rules
> > include $RULE_PATH/chat.rules
> > include $RULE_PATH/content-replace.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/file-identify.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/icmp-info.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/info.rules
> > include $RULE_PATH/misc.rules
> > include $RULE_PATH/multimedia.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/nntp.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/other-ids.rules
> > include $RULE_PATH/p2p.rules
> > include $RULE_PATH/phishing-spam.rules
> > include $RULE_PATH/policy.rules
> > include $RULE_PATH/pop2.rules
> > include $RULE_PATH/pop3.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/scada.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/shellcode.rules
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/snmp.rules
> > include $RULE_PATH/specific-threats.rules
> > include $RULE_PATH/spyware-put.rules
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/tftp.rules
> > include $RULE_PATH/virus.rules
> > include $RULE_PATH/voip.rules
> > include $RULE_PATH/web-activex.rules
> > include $RULE_PATH/web-attacks.rules
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-misc.rules
> > include $RULE_PATH/web-php.rules
> > include $RULE_PATH/x11.rules
> >
> > When I compile snort, the $RULE_PATH directory isn't created. I
> > create it by `mkdir /opt/snort/rules`. I then run pulled pork with
> > the following command:
> >
> > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o
> > /opt/snort/rules/ -i /opt/pulledpork/etc/disablesid.conf -T -H
> >
> > The only file that shows up is `snort.rules`; where are all of the
> > other files that are specified in the snort.conf?
> >
>
>
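The change the thread settles on, as an added example that is not from the original posts: comment out the per-category includes in snort.conf and make sure the single `include $RULE_PATH/snort.rules` line that PulledPork's merged output needs is present. It assumes a POSIX shell with sed and grep, and it exempts local.rules as a locally maintained file (an assumption, not something the thread states).

```shell
#!/bin/sh
# Constructed sample snort.conf fragment (not taken from the thread): a few of
# the stock per-category includes plus a RULE_PATH definition.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /opt/snort/rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/local.rules
EOF
}

# Comment out every "include $RULE_PATH/<category>.rules" line except the
# PulledPork output (snort.rules) and, by assumption, local.rules; then append
# the snort.rules include if no active copy exists. Already-commented lines do
# not match "^include", so running this twice changes nothing (idempotent).
consolidate_includes() {
    conf="$1"
    sed -i.bak -E \
        -e '/^include \$RULE_PATH\/(snort|local)\.rules/!s|^(include \$RULE_PATH/[^ ]+\.rules)|# \1|' \
        "$conf"
    grep -qE '^include \$RULE_PATH/snort\.rules' "$conf" || \
        printf 'include $RULE_PATH/snort.rules\n' >> "$conf"
}

# Number of uncommented rule includes; after consolidation this should be 2
# (snort.rules and local.rules) regardless of how many categories were listed.
active_includes() {
    grep -cE '^include \$RULE_PATH/' "$1"
}

# Dry-run the edited config with Snort's test mode (-T) when snort is installed.
check_with_snort() {
    command -v snort >/dev/null 2>&1 && snort -T -c "$1"
}
```

Run check_with_snort on the real snort.conf afterwards; if $RULE_PATH/snort.rules is missing Snort reports the failed include and exits non-zero.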