[Snort-users] Snort / Pulled Pork Confusion

AllowOverride allowoverride at ...11827...
Thu Oct 4 11:59:09 EDT 2012


Pretty confusing, isn't it?

On Wed, 2012-10-03 at 17:08 -0400, Jack wrote:
> Pulled Pork combines all the files into one file. You need to make
> sure to add the line: "include $RULE_PATH/snort.rules" to the
> snort.conf file, or the pulled pork rules will never be read into
> memory when snort starts.
> 
> On Wed, Oct 3, 2012 at 4:59 PM, Turnbough, Bradley E.
> <bturnbough at ...15650...> wrote:
> > Guys,
> >
> > I’m having a little trouble wrapping my head around the snort and pulled
> > pork interaction. In the snort.conf file, the following rules are defined
> > (by default):
> >
> > include $RULE_PATH/attack-responses.rules
> > include $RULE_PATH/backdoor.rules
> > include $RULE_PATH/bad-traffic.rules
> > include $RULE_PATH/blacklist.rules
> > include $RULE_PATH/botnet-cnc.rules
> > include $RULE_PATH/chat.rules
> > include $RULE_PATH/content-replace.rules
> > include $RULE_PATH/ddos.rules
> > include $RULE_PATH/dns.rules
> > include $RULE_PATH/dos.rules
> > include $RULE_PATH/exploit.rules
> > include $RULE_PATH/file-identify.rules
> > include $RULE_PATH/finger.rules
> > include $RULE_PATH/ftp.rules
> > include $RULE_PATH/icmp.rules
> > include $RULE_PATH/icmp-info.rules
> > include $RULE_PATH/imap.rules
> > include $RULE_PATH/info.rules
> > include $RULE_PATH/misc.rules
> > include $RULE_PATH/multimedia.rules
> > include $RULE_PATH/mysql.rules
> > include $RULE_PATH/netbios.rules
> > include $RULE_PATH/nntp.rules
> > include $RULE_PATH/oracle.rules
> > include $RULE_PATH/other-ids.rules
> > include $RULE_PATH/p2p.rules
> > include $RULE_PATH/phishing-spam.rules
> > include $RULE_PATH/policy.rules
> > include $RULE_PATH/pop2.rules
> > include $RULE_PATH/pop3.rules
> > include $RULE_PATH/rpc.rules
> > include $RULE_PATH/rservices.rules
> > include $RULE_PATH/scada.rules
> > include $RULE_PATH/scan.rules
> > include $RULE_PATH/shellcode.rules
> > include $RULE_PATH/smtp.rules
> > include $RULE_PATH/snmp.rules
> > include $RULE_PATH/specific-threats.rules
> > include $RULE_PATH/spyware-put.rules
> > include $RULE_PATH/sql.rules
> > include $RULE_PATH/telnet.rules
> > include $RULE_PATH/tftp.rules
> > include $RULE_PATH/virus.rules
> > include $RULE_PATH/voip.rules
> > include $RULE_PATH/web-activex.rules
> > include $RULE_PATH/web-attacks.rules
> > include $RULE_PATH/web-cgi.rules
> > include $RULE_PATH/web-client.rules
> > include $RULE_PATH/web-coldfusion.rules
> > include $RULE_PATH/web-frontpage.rules
> > include $RULE_PATH/web-iis.rules
> > include $RULE_PATH/web-misc.rules
> > include $RULE_PATH/web-php.rules
> > include $RULE_PATH/x11.rules
> >
> > When I compile snort, the $RULE_PATH directory isn’t created. I create it
> > by `mkdir /opt/snort/rules`. I then run pulled pork with the following
> > command:
> >
> > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/
> > -i /opt/pulledpork/etc/disablesid.conf -T -H
> >
> > The only file that shows up is `snort.rules`; where are all of the other
> > files that are specified in the snort.conf?
> 
> 
> 
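An added example, written by the editor and not posted by anyone in this thread: a small POSIX shell check that captures the point Jack makes above. After a PulledPork run, $RULE_PATH holds one merged snort.rules, so snort.conf needs an active include for it, and the old per-category include lines now point at files that no longer exist. The fixture directory and the sample snort.conf the script builds are constructed for the demonstration (the real config is whatever your deployment uses), and the pattern matching only recognises includes written in the form `include $RULE_PATH/<file>`.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a snort.conf against a
# PulledPork-managed rules directory. PulledPork writes a single merged file,
# snort.rules, so snort.conf must include it and should not keep include
# lines for per-category files that no longer exist in $RULE_PATH.
#
# The sample snort.conf and rules directory created by make_fixture are
# constructed for this example; point the functions at your own files.

# Return 0 if CONF contains an active (uncommented) include of
# $RULE_PATH/snort.rules, 1 otherwise.
has_snort_rules_include() {
    conf="$1"
    grep -Eq '^[[:space:]]*include[[:space:]]+\$RULE_PATH/snort\.rules[[:space:]]*$' "$conf"
}

# Append the include line to CONF only if it is not already present, so the
# function can be run repeatedly without duplicating the line.
ensure_snort_rules_include() {
    conf="$1"
    if ! has_snort_rules_include "$conf"; then
        printf 'include $RULE_PATH/snort.rules\n' >> "$conf"
    fi
}

# Print the name of every active $RULE_PATH include in CONF whose file is
# missing from RULE_DIR. Snort refuses to start when an included rules file
# does not exist, so after switching to PulledPork these are the stale
# per-category includes that have to be removed or commented out.
missing_rule_includes() {
    conf="$1"
    rule_dir="$2"
    grep -E '^[[:space:]]*include[[:space:]]+\$RULE_PATH/' "$conf" \
    | sed -E 's/^[[:space:]]*include[[:space:]]+\$RULE_PATH\///; s/[[:space:]]*$//' \
    | while read -r f; do
        [ -f "$rule_dir/$f" ] || echo "$f"
      done
}

# Build a constructed fixture: a rules directory holding only the merged
# snort.rules (what PulledPork leaves behind) and a snort.conf that still
# carries two of the default per-category includes plus a commented-out
# snort.rules include, which must not count as active.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/rules"
    : > "$dir/rules/snort.rules"
    cat > "$dir/snort.conf" <<'EOF'
var RULE_PATH /opt/snort/rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/snort.rules
EOF
    echo "$dir"
}

# Usage against the constructed fixture (uncomment to run stand-alone):
# d=$(make_fixture)
# missing_rule_includes "$d/snort.conf" "$d/rules"   # lists the two stale includes
# ensure_snort_rules_include "$d/snort.conf"
# has_snort_rules_include "$d/snort.conf" && echo "snort.rules is now included"
```

Adding the snort.rules include is only half of the fix: the stale per-category includes reported by missing_rule_includes still have to be removed or commented out, because Snort aborts at startup on the first include it cannot open.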