[Snort-users] Snort / Pulled Pork Confusion

JJC cummingsj at ...11827...
Thu Oct 4 19:42:06 EDT 2012


Development is still going, but I'm only one person and I have a full-time
job also.  That said, I hope to have a new release that includes many
changes discussed (some already in SVN) in the near future...

JJC

On Thu, Oct 4, 2012 at 4:04 PM, Michael Steele <michaels at ...9077...> wrote:

> Dumping all the rules into one bucket might be easier in the long run for
> an experienced rule operator, but for the new rule operator, it might get a
> little confusing.
>
> I know separators were discussed earlier, but development on PP is at a
> crawl, or non-existent :(
>
> One solution for those that use the -k switch would be for Sourcefire to
> prepend 'vrt-' to the distributed *.rules in the official distributed rule
> tarball, and change the snort.conf to reflect the 'vrt-*.rules'. At least
> that way, what you see in the official distributed rule tarball is what
> you are seeing in the rules folder after using the -k switch in PP.
>
> Kindest regards,
>
> Michael...
>
> From: JJC [mailto:cummingsj at ...11827...]
> Sent: Thursday, October 04, 2012 2:57 PM
> To: AllowOverride
> Cc: snort-users at lists.sourceforge.net; Turnbough, Bradley E.
> Subject: Re: [Snort-users] Snort / Pulled Pork Confusion
>
> The logic here is quite simple... when new rule categories and files are
> included in the rules tarball, they are automatically included in your live
> ruleset this way.  This is one of but many solid logical arguments.
>
> On Thu, Oct 4, 2012 at 10:07 AM, AllowOverride <allowoverride at ...11827...>
> wrote:
>
> one file???? sighs... how is that quicker, show me the smack reports
>
>
> On Wed, 2012-10-03 at 21:13 +0000, Jeremy Hoel wrote:
>
> > pulledpork puts all the rules together into one file.. so you can
> > remove/comment out all the lines for the 'include $RULE_PATH/*.rules'
> > and just have the 'include $RULE_PATH/snort.rules' line.  Just one is
> > needed.
> >
> > On Wed, Oct 3, 2012 at 8:59 PM, Turnbough, Bradley E.
> > <bturnbough at ...15650...> wrote:
> > > Guys,
> > >
> > > I'm having a little trouble wrapping my head around the snort and
> > > pulled pork interaction.  In the snort.conf file, the following rules are
> > > defined (by default):
> > >
> > > include $RULE_PATH/attack-responses.rules
> > > include $RULE_PATH/backdoor.rules
> > > include $RULE_PATH/bad-traffic.rules
> > > include $RULE_PATH/blacklist.rules
> > > include $RULE_PATH/botnet-cnc.rules
> > > include $RULE_PATH/chat.rules
> > > include $RULE_PATH/content-replace.rules
> > > include $RULE_PATH/ddos.rules
> > > include $RULE_PATH/dns.rules
> > > include $RULE_PATH/dos.rules
> > > include $RULE_PATH/exploit.rules
> > > include $RULE_PATH/file-identify.rules
> > > include $RULE_PATH/finger.rules
> > > include $RULE_PATH/ftp.rules
> > > include $RULE_PATH/icmp.rules
> > > include $RULE_PATH/icmp-info.rules
> > > include $RULE_PATH/imap.rules
> > > include $RULE_PATH/info.rules
> > > include $RULE_PATH/misc.rules
> > > include $RULE_PATH/multimedia.rules
> > > include $RULE_PATH/mysql.rules
> > > include $RULE_PATH/netbios.rules
> > > include $RULE_PATH/nntp.rules
> > > include $RULE_PATH/oracle.rules
> > > include $RULE_PATH/other-ids.rules
> > > include $RULE_PATH/p2p.rules
> > > include $RULE_PATH/phishing-spam.rules
> > > include $RULE_PATH/policy.rules
> > > include $RULE_PATH/pop2.rules
> > > include $RULE_PATH/pop3.rules
> > > include $RULE_PATH/rpc.rules
> > > include $RULE_PATH/rservices.rules
> > > include $RULE_PATH/scada.rules
> > > include $RULE_PATH/scan.rules
> > > include $RULE_PATH/shellcode.rules
> > > include $RULE_PATH/smtp.rules
> > > include $RULE_PATH/snmp.rules
> > > include $RULE_PATH/specific-threats.rules
> > > include $RULE_PATH/spyware-put.rules
> > > include $RULE_PATH/sql.rules
> > > include $RULE_PATH/telnet.rules
> > > include $RULE_PATH/tftp.rules
> > > include $RULE_PATH/virus.rules
> > > include $RULE_PATH/voip.rules
> > > include $RULE_PATH/web-activex.rules
> > > include $RULE_PATH/web-attacks.rules
> > > include $RULE_PATH/web-cgi.rules
> > > include $RULE_PATH/web-client.rules
> > > include $RULE_PATH/web-coldfusion.rules
> > > include $RULE_PATH/web-frontpage.rules
> > > include $RULE_PATH/web-iis.rules
> > > include $RULE_PATH/web-misc.rules
> > > include $RULE_PATH/web-php.rules
> > > include $RULE_PATH/x11.rules
> > >
> > > When I compile snort, the $RULE_PATH directory isn't created.  I
> > > create it by `mkdir /opt/snort/rules`.  I then run pulled pork with the
> > > following command:
> > >
> > > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/
> > > -i /opt/pulledpork/etc/disablesid.conf -T -H
> > >
> > > The only file that shows up is `snort.rules`; where are all of the
> > > other files that are specified in the snort.conf?
> > >
> > > ------------------------------------------------------------------------------
> > > Don't let slow site performance ruin your business. Deploy New Relic APM
> > > Deploy New Relic app performance management and know exactly
> > > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> > > http://p.sf.net/sfu/newrelic-dev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20121004/fc6ca341/attachment.html>
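The change Jeremy describes in the thread (comment out the per-category `include $RULE_PATH/*.rules` lines and keep a single `include $RULE_PATH/snort.rules`) is easy to get half right by hand, and a snort.conf left pointing at files PulledPork never wrote is exactly the situation in the original question. The script below is an added example, not code from the thread, from Snort or from PulledPork: it first audits which includes resolve to a real file, then rewrites the config. Includes whose files do exist (a hand-maintained local.rules, or the per-category files that the -k switch discussed above leaves in place) and non-rule includes such as classification.config are left alone, and running it twice changes nothing. All function names, the sample snort.conf and the temporary rules directory are constructed here.

```python
"""Audit the rule includes in a snort.conf and collapse them to a single snort.rules.

Added example (not from the thread, Snort or PulledPork). Function names,
the sample snort.conf and the temporary rules directory are constructed.
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)\s*$")
VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)\s*$")
SINGLE = "$RULE_PATH/snort.rules"   # the one include PulledPork's output needs


def resolve(spec, variables):
    """Expand $NAME references using the 'var NAME value' lines seen so far."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), spec)


def target_exists(spec, variables, base_dir):
    """True if the resolved include target is a file (relative paths resolve against base_dir)."""
    path = resolve(spec, variables)
    if not os.path.isabs(path):
        path = os.path.join(base_dir, path)
    return os.path.isfile(path)


def audit_includes(conf_text, base_dir="."):
    """Return (present, missing): the include specs whose targets exist / do not exist."""
    variables, present, missing = {}, [], []
    for line in conf_text.splitlines():
        v = VAR_RE.match(line)
        if v:
            variables[v.group(1)] = v.group(2)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            bucket = present if target_exists(m.group(1), variables, base_dir) else missing
            bucket.append(m.group(1))
    return present, missing


def consolidate_includes(conf_text, base_dir="."):
    """Comment out dangling *.rules includes and make sure SINGLE is included exactly once.

    Includes whose files exist (e.g. a local.rules you maintain yourself) and
    non-rule includes (classification.config etc.) are left untouched.
    Returns (new_text, number_of_lines_commented_out).
    """
    variables, out, commented, have_single = {}, [], 0, False
    for line in conf_text.splitlines():
        v = VAR_RE.match(line)
        if v:
            variables[v.group(1)] = v.group(2)
        m = INCLUDE_RE.match(line)
        if m and m.group(1).endswith(".rules"):
            if m.group(1) == SINGLE:
                have_single = True
            elif not target_exists(m.group(1), variables, base_dir):
                line = "# " + line.lstrip()   # file not produced by PulledPork
                commented += 1
        out.append(line)
    if not have_single:
        out.append("include " + SINGLE)
    return "\n".join(out) + "\n", commented


def demo():
    """Run both functions on a constructed snort.conf and return what a caller can check."""
    with tempfile.TemporaryDirectory() as tmp:
        rules_dir = os.path.join(tmp, "rules")
        os.mkdir(rules_dir)
        # Constructed layout: what PulledPork leaves behind without -k, plus one
        # locally maintained rules file and a non-rule config that snort.conf includes.
        for name in ("rules/snort.rules", "rules/local.rules", "classification.config"):
            open(os.path.join(tmp, name), "w").close()
        conf = (
            f"var RULE_PATH {rules_dir}\n"
            "include classification.config\n"
            "include $RULE_PATH/attack-responses.rules\n"
            "include $RULE_PATH/backdoor.rules\n"
            "include $RULE_PATH/local.rules\n"
        )
        present, missing = audit_includes(conf, base_dir=tmp)
        new_text, commented = consolidate_includes(conf, base_dir=tmp)
        again, commented_again = consolidate_includes(new_text, base_dir=tmp)
        return {
            "present": present,
            "missing": missing,
            "commented": commented,
            "text": new_text,
            "idempotent": again == new_text and commented_again == 0,
        }


if __name__ == "__main__":
    result = demo()
    print("dangling includes:", *result["missing"], sep="\n  ")
    print(result["text"])
```

Run it against a real deployment by reading the actual snort.conf and passing the directory Snort is started from as `base_dir`; the audit alone is a useful pre-flight check before restarting the sensor, since every dangling include is a file Snort will fail to open.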


More information about the Snort-users mailing list