[Snort-users] Snort / Pulled Pork Confusion

AllowOverride allowoverride at ...11827...
Thu Oct 4 12:06:44 EDT 2012


ok let me get this straight, we had to install snort and have a rules
file for it to run, or at least with local.rules, and now you are saying
we need pulledpork as the snort.conf is false in that is still has RULE
PATHS defined... very confusing,,, and on top of all that, define rules
in everything in barnyard2 but make sure to type it in cmdline, oh and
nnot able to connect to db locally remotely lol. this just is so
convoluted from the old snort... just put everything back the way it
was, drop daq, forget inline, and run tcpwrappers and a good firewall...
whats the whole point of ids anyway... you will be stuck in false
positive land for infinity... what you want is to protect your network,
now, snort inline, that makes sense, but trying to get everything to
work with base is not working anymore???

good gravy guys.... your firewall show drop repeat offenders, and allow
snort to log to db. run multiple snorts if you are worried to drop
packets, no one here has that much traffic, dont say you do, i wont
believe you. point is, put things back the way they were as in snort 1.x
thanks


On Wed, 2012-10-03 at 21:13 +0000, Jeremy Hoel wrote:
> pulledpork puts all the rules together into one file.. so you can
> remove/comment out all the lines for the 'include $RULE_PATH/*.rules'
> and just have include $RULE_PATH/snort.rules' line.  Just one is
> needed.
> 
> 
> 
> 
> On Wed, Oct 3, 2012 at 8:59 PM, Turnbough, Bradley E.
> <bturnbough at ...15650...> wrote:
> > Guys,
> >
> >
> >
> > I’m having a little trouble wrapping my head around the snort and pulled
> > pork interaction.  In the snort.conf file, the following rules are defined
> > (by default):
> >
> >
> >
> > include $RULE_PATH/attack-responses.rules
> >
> > include $RULE_PATH/backdoor.rules
> >
> > include $RULE_PATH/bad-traffic.rules
> >
> > include $RULE_PATH/blacklist.rules
> >
> > include $RULE_PATH/botnet-cnc.rules
> >
> > include $RULE_PATH/chat.rules
> >
> > include $RULE_PATH/content-replace.rules
> >
> > include $RULE_PATH/ddos.rules
> >
> > include $RULE_PATH/dns.rules
> >
> > include $RULE_PATH/dos.rules
> >
> > include $RULE_PATH/exploit.rules
> >
> > include $RULE_PATH/file-identify.rules
> >
> > include $RULE_PATH/finger.rules
> >
> > include $RULE_PATH/ftp.rules
> >
> > include $RULE_PATH/icmp.rules
> >
> > include $RULE_PATH/icmp-info.rules
> >
> > include $RULE_PATH/imap.rules
> >
> > include $RULE_PATH/info.rules
> >
> > include $RULE_PATH/misc.rules
> >
> > include $RULE_PATH/multimedia.rules
> >
> > include $RULE_PATH/mysql.rules
> >
> > include $RULE_PATH/netbios.rules
> >
> > include $RULE_PATH/nntp.rules
> >
> > include $RULE_PATH/oracle.rules
> >
> > include $RULE_PATH/other-ids.rules
> >
> > include $RULE_PATH/p2p.rules
> >
> > include $RULE_PATH/phishing-spam.rules
> >
> > include $RULE_PATH/policy.rules
> >
> > include $RULE_PATH/pop2.rules
> >
> > include $RULE_PATH/pop3.rules
> >
> > include $RULE_PATH/rpc.rules
> >
> > include $RULE_PATH/rservices.rules
> >
> > include $RULE_PATH/scada.rules
> >
> > include $RULE_PATH/scan.rules
> >
> > include $RULE_PATH/shellcode.rules
> >
> > include $RULE_PATH/smtp.rules
> >
> > include $RULE_PATH/snmp.rules
> >
> > include $RULE_PATH/specific-threats.rules
> >
> > include $RULE_PATH/spyware-put.rules
> >
> > include $RULE_PATH/sql.rules
> >
> > include $RULE_PATH/telnet.rules
> >
> > include $RULE_PATH/tftp.rules
> >
> > include $RULE_PATH/virus.rules
> >
> > include $RULE_PATH/voip.rules
> >
> > include $RULE_PATH/web-activex.rules
> >
> > include $RULE_PATH/web-attacks.rules
> >
> > include $RULE_PATH/web-cgi.rules
> >
> > include $RULE_PATH/web-client.rules
> >
> > include $RULE_PATH/web-coldfusion.rules
> >
> > include $RULE_PATH/web-frontpage.rules
> >
> > include $RULE_PATH/web-iis.rules
> >
> > include $RULE_PATH/web-misc.rules
> >
> > include $RULE_PATH/web-php.rules
> >
> > include $RULE_PATH/x11.rules
> >
> >
> >
> >
> >
> > When I compile snort, the $RULE_PATH directory isn’t created.  I create it
> > by `mkdir /opt/snort/rules`.  I then run pulled pork with the following
> > command:
> >
> >
> >
> > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/
> > -i /opt/pulledpork/etc/disablesid.conf -T –H
> >
> >
> >
> > The only file that shows up is `snort.rules`  where are all of the other
> > files that are specified in the snort.conf?
> >
> >
> >
> >
> >
> > This e-mail transmission contains information that is confidential and may
> > be privileged. It is intended only for the addressee(s) named above. If you
> > receive this e-mail in error, please do not read, copy or disseminate it in
> > any manner. If you are not the intended recipient, any disclosure, copying,
> > distribution or use of the contents of this information is prohibited.
> > Please reply to the message immediately by informing the sender that the
> > message was misdirected. After replying, please erase it from your computer
> > system. Your assistance in correcting this error is appreciated.
> >
> > ------------------------------------------------------------------------------
> > Don't let slow site performance ruin your business. Deploy New Relic APM
> > Deploy New Relic app performance management and know exactly
> > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> > http://p.sf.net/sfu/newrelic-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
> 
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!





More information about the Snort-users mailing list