[Snort-users] Snort / Pulled Pork Confusion

AllowOverride allowoverride at ...11827...
Thu Oct 4 12:07:33 EDT 2012


that makes sense... thanks

On Wed, 2012-10-03 at 15:14 -0600, JJC wrote:
> You can also specify that you want pulledpork to keep the files
> individually; however, it will still prepend the individual filenames
> with their source (i.e. VRT-backdoor.rules).  The idea here is that
> you may be running multiple rulesets that have the same filenames.
> 
> On Wed, Oct 3, 2012 at 3:08 PM, Jack <kingofnerds at ...11827...> wrote:
>         Pulled Pork combines all the files into one file. You need to
>         make sure to add the line: "include $RULE_PATH/snort.rules" to the
>         snort.conf file, or the pulled pork rules will never be read into
>         memory when snort starts.
>         
>         On Wed, Oct 3, 2012 at 4:59 PM, Turnbough, Bradley E.
>         <bturnbough at ...15650...> wrote:
>         > Guys,
>         >
>         > I’m having a little trouble wrapping my head around the snort and pulled
>         > pork interaction.  In the snort.conf file, the following rules are defined
>         > (by default):
>         >
>         > include $RULE_PATH/attack-responses.rules
>         > include $RULE_PATH/backdoor.rules
>         > include $RULE_PATH/bad-traffic.rules
>         > include $RULE_PATH/blacklist.rules
>         > include $RULE_PATH/botnet-cnc.rules
>         > include $RULE_PATH/chat.rules
>         > include $RULE_PATH/content-replace.rules
>         > include $RULE_PATH/ddos.rules
>         > include $RULE_PATH/dns.rules
>         > include $RULE_PATH/dos.rules
>         > include $RULE_PATH/exploit.rules
>         > include $RULE_PATH/file-identify.rules
>         > include $RULE_PATH/finger.rules
>         > include $RULE_PATH/ftp.rules
>         > include $RULE_PATH/icmp.rules
>         > include $RULE_PATH/icmp-info.rules
>         > include $RULE_PATH/imap.rules
>         > include $RULE_PATH/info.rules
>         > include $RULE_PATH/misc.rules
>         > include $RULE_PATH/multimedia.rules
>         > include $RULE_PATH/mysql.rules
>         > include $RULE_PATH/netbios.rules
>         > include $RULE_PATH/nntp.rules
>         > include $RULE_PATH/oracle.rules
>         > include $RULE_PATH/other-ids.rules
>         > include $RULE_PATH/p2p.rules
>         > include $RULE_PATH/phishing-spam.rules
>         > include $RULE_PATH/policy.rules
>         > include $RULE_PATH/pop2.rules
>         > include $RULE_PATH/pop3.rules
>         > include $RULE_PATH/rpc.rules
>         > include $RULE_PATH/rservices.rules
>         > include $RULE_PATH/scada.rules
>         > include $RULE_PATH/scan.rules
>         > include $RULE_PATH/shellcode.rules
>         > include $RULE_PATH/smtp.rules
>         > include $RULE_PATH/snmp.rules
>         > include $RULE_PATH/specific-threats.rules
>         > include $RULE_PATH/spyware-put.rules
>         > include $RULE_PATH/sql.rules
>         > include $RULE_PATH/telnet.rules
>         > include $RULE_PATH/tftp.rules
>         > include $RULE_PATH/virus.rules
>         > include $RULE_PATH/voip.rules
>         > include $RULE_PATH/web-activex.rules
>         > include $RULE_PATH/web-attacks.rules
>         > include $RULE_PATH/web-cgi.rules
>         > include $RULE_PATH/web-client.rules
>         > include $RULE_PATH/web-coldfusion.rules
>         > include $RULE_PATH/web-frontpage.rules
>         > include $RULE_PATH/web-iis.rules
>         > include $RULE_PATH/web-misc.rules
>         > include $RULE_PATH/web-php.rules
>         > include $RULE_PATH/x11.rules
>         >
>         > When I compile snort, the $RULE_PATH directory isn’t created.  I create it
>         > by `mkdir /opt/snort/rules`.  I then run pulled pork with the following
>         > command:
>         >
>         > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/ -i /opt/pulledpork/etc/disablesid.conf -T -H
>         >
>         > The only file that shows up is `snort.rules`; where are all of the other
>         > files that are specified in the snort.conf?
>         >
>         ------------------------------------------------------------------------------
>         > Don't let slow site performance ruin your business. Deploy
>         New Relic APM
>         > Deploy New Relic app performance management and know exactly
>         > what is happening inside your Ruby, Python, PHP, Java,
>         and .NET app
>         > Try New Relic at no cost today and get our sweet Data Nerd
>         shirt too!
>         > http://p.sf.net/sfu/newrelic-dev2dev
>         > _______________________________________________
>         > Snort-users mailing list
>         > Snort-users at lists.sourceforge.net
>         > Go to this URL to change user options or unsubscribe:
>         > https://lists.sourceforge.net/lists/listinfo/snort-users
>         > Snort-users list archive:
>         > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>         >
>         > Please visit http://blog.snort.org to stay current on all
>         the latest Snort
>         > news!
>         
>         
>         
>         --
>         _____________________________________
>          ---- In the end Nerds will Rule the World ----
>         
> 
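A sanity check in the spirit of Jack's advice, added here and not part of the thread or of pulledpork itself: it parses a snort.conf for `var` and `include` lines, expands `$RULE_PATH`, and reports which included rule files are absent from the output directory and whether `snort.rules` is included at all. The sample conf and file listing are constructed to mirror the situation in the question (only snort.rules present after pulledpork runs).

```python
import os
import re

# snort.conf directives this check cares about (Snort 2.x 'var' and 'include').
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def expand_vars(value, variables):
    """Replace $NAME with the value of an earlier 'var NAME ...' line."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def check_includes(conf_text, exists=os.path.isfile):
    """Return (missing_paths, includes_snort_rules) for a snort.conf text.

    'exists' is a predicate over the expanded include path; it defaults to the
    real filesystem and is swapped for a set lookup in the sample below.
    """
    variables, missing, has_snort_rules = {}, [], False
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0]          # ignore trailing comments
        m = VAR_RE.match(stripped)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(stripped)
        if not m:
            continue
        path = expand_vars(m.group(1), variables)
        has_snort_rules |= path.endswith("/snort.rules")
        if not exists(path):
            missing.append(path)
    return missing, has_snort_rules


# Constructed sample: the stock include list trimmed to two entries, and the
# rules directory as pulledpork leaves it in the thread (only snort.rules).
SAMPLE_FILES = {"/opt/snort/rules/snort.rules"}
DEFAULT_CONF = """\
var RULE_PATH /opt/snort/rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/web-misc.rules   # trailing comment
"""
FIXED_CONF = "var RULE_PATH /opt/snort/rules\ninclude $RULE_PATH/snort.rules\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        missing, ok = check_includes(conf, lambda p: p in SAMPLE_FILES)
        print(f"{name}: snort.rules included={ok}, missing={missing}")
```

Run against a real installation with `check_includes(open("/path/to/snort.conf").read())` to use the filesystem predicate; relative `RULE_PATH` values resolve against the current working directory, as they do for snort itself.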