[Snort-users] Snort / Pulled Pork Confusion

AllowOverride allowoverride at ...11827...
Thu Oct 4 19:55:21 EDT 2012


OK, what am I doing wrong now:

1.

# /usr/local/bin/pulledpork.pl -c /etc/snort/etc/pulledpork.conf -T -l

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2931.tar.gz....
Rules tarball download of snortrules-snapshot-2931.tar.gz....
	A 500 error occurred, please verify that you have recently updated your root certificates!


2. 

Oct  4 16:48:00 jupiter barnyard2[17701]: Running in Continuous mode
Oct  4 16:48:00 jupiter barnyard2[17701]: 
Oct  4 16:48:00 jupiter barnyard2[17701]:         --== Initializing Barnyard2 ==--
Oct  4 16:48:00 jupiter barnyard2[17701]: Initializing Input Plugins!
Oct  4 16:48:00 jupiter barnyard2[17701]: Initializing Output Plugins!
Oct  4 16:48:00 jupiter barnyard2[17701]: Parsing config file "/etc/snort/etc/barnyard2.conf"

Oct  4 16:48:20 jupiter barnyard2[17701]: Log directory = /var/log/barnyard2
Oct  4 16:48:20 jupiter barnyard2[17701]: Initializing daemon mode
Oct  4 16:48:21 jupiter barnyard2[17704]: Daemon initialized, signaled parent pid: 17701
Oct  4 16:48:21 jupiter barnyard2[17704]: PID path stat checked out ok, PID path set to /var/run/
Oct  4 16:48:21 jupiter barnyard2[17704]: Writing PID "17704" to file "/var/run//barnyard2_eth0.pid"
Oct  4 16:48:21 jupiter barnyard2[17701]: Daemon parent exiting
Oct  4 16:48:21 jupiter barnyard2[17704]: FATAL ERROR: database: mysql_error: Access denied for user 'snort'@'localhost' (using password: YES)



sighs.... little community help .. thanks...

On Thu, 2012-10-04 at 16:27 +0000, Jeremy Hoel wrote:
> Just an FYI to you directly..
> 
> So here's one reason I like the single file names.. I don't have to
> worry about if they change or new rules get added.  I tell pulledpork
> what changes to make to what rules (disable, change ips, etc) and I
> never look back. They can change the locations of things and all I
> need to know is at the end there will always be one snort.rules file
> and my local.rules file.  pp updates the sid/gen map and when I
> install snort I use a quick sed command to remove all the rule lines
> in the original .conf and put the snort.rule line in and never look at
> it again.
> 
> If they decide to add new rules files then you have to go back and add
> those to the snort.conf. I don't want to miss anything, so I let the
> tools handle it all.
> 
> barnyard2 has nothing to do with rules at all.. nothing. It just needs
> to know where the map files are at, the ones that pulledpork updates
> for you to include your local rules.
> 
> 
> 
> On Thu, Oct 4, 2012 at 4:07 PM, AllowOverride <allowoverride at ...11827...> wrote:
> > that makes sense... thanks
> >
> > On Wed, 2012-10-03 at 15:14 -0600, JJC wrote:
> >> You can also specify that you want pulledpork to keep the files
> >> individually however it will still prepend the individual filenames
> >> with their source (i.e. VRT-backdoor.rules).  The idea here is that
> >> you may be running multiple rulesets that have the same filenames.
> >>
> >> On Wed, Oct 3, 2012 at 3:08 PM, Jack <kingofnerds at ...11827...> wrote:
> >>         Pulled Pork combines all the files into one file. You need to make
> >>         sure to add the line: "include $RULE_PATH/snort.rules" to the
> >>         snort.conf file, or the pulled pork rules will never be read into
> >>         memory when snort starts.
> >>
> >>         On Wed, Oct 3, 2012 at 4:59 PM, Turnbough, Bradley E.
> >>         <bturnbough at ...15650...> wrote:
> >>         > Guys,
> >>         >
> >>         >
> >>         >
> >>         > I’m having a little trouble wrapping my head around the snort and pulled
> >>         > pork interaction.  In the snort.conf file, the following rules are defined
> >>         > (by default):
> >>         >
> >>         > include $RULE_PATH/attack-responses.rules
> >>         > include $RULE_PATH/backdoor.rules
> >>         > include $RULE_PATH/bad-traffic.rules
> >>         > include $RULE_PATH/blacklist.rules
> >>         > include $RULE_PATH/botnet-cnc.rules
> >>         > include $RULE_PATH/chat.rules
> >>         > include $RULE_PATH/content-replace.rules
> >>         > include $RULE_PATH/ddos.rules
> >>         > include $RULE_PATH/dns.rules
> >>         > include $RULE_PATH/dos.rules
> >>         > include $RULE_PATH/exploit.rules
> >>         > include $RULE_PATH/file-identify.rules
> >>         > include $RULE_PATH/finger.rules
> >>         > include $RULE_PATH/ftp.rules
> >>         > include $RULE_PATH/icmp.rules
> >>         > include $RULE_PATH/icmp-info.rules
> >>         > include $RULE_PATH/imap.rules
> >>         > include $RULE_PATH/info.rules
> >>         > include $RULE_PATH/misc.rules
> >>         > include $RULE_PATH/multimedia.rules
> >>         > include $RULE_PATH/mysql.rules
> >>         > include $RULE_PATH/netbios.rules
> >>         > include $RULE_PATH/nntp.rules
> >>         > include $RULE_PATH/oracle.rules
> >>         > include $RULE_PATH/other-ids.rules
> >>         > include $RULE_PATH/p2p.rules
> >>         > include $RULE_PATH/phishing-spam.rules
> >>         > include $RULE_PATH/policy.rules
> >>         > include $RULE_PATH/pop2.rules
> >>         > include $RULE_PATH/pop3.rules
> >>         > include $RULE_PATH/rpc.rules
> >>         > include $RULE_PATH/rservices.rules
> >>         > include $RULE_PATH/scada.rules
> >>         > include $RULE_PATH/scan.rules
> >>         > include $RULE_PATH/shellcode.rules
> >>         > include $RULE_PATH/smtp.rules
> >>         > include $RULE_PATH/snmp.rules
> >>         > include $RULE_PATH/specific-threats.rules
> >>         > include $RULE_PATH/spyware-put.rules
> >>         > include $RULE_PATH/sql.rules
> >>         > include $RULE_PATH/telnet.rules
> >>         > include $RULE_PATH/tftp.rules
> >>         > include $RULE_PATH/virus.rules
> >>         > include $RULE_PATH/voip.rules
> >>         > include $RULE_PATH/web-activex.rules
> >>         > include $RULE_PATH/web-attacks.rules
> >>         > include $RULE_PATH/web-cgi.rules
> >>         > include $RULE_PATH/web-client.rules
> >>         > include $RULE_PATH/web-coldfusion.rules
> >>         > include $RULE_PATH/web-frontpage.rules
> >>         > include $RULE_PATH/web-iis.rules
> >>         > include $RULE_PATH/web-misc.rules
> >>         > include $RULE_PATH/web-php.rules
> >>         > include $RULE_PATH/x11.rules
> >>         >
> >>         > When I compile snort, the $RULE_PATH directory isn’t created.  I create it
> >>         > by `mkdir /opt/snort/rules`.  I then run pulled pork with the following
> >>         > command:
> >>         >
> >>         > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/
> >>         > -i /opt/pulledpork/etc/disablesid.conf -T -H
> >>         >
> >>         > The only file that shows up is `snort.rules`.  Where are all of the other
> >>         > files that are specified in the snort.conf?
> >>         ------------------------------------------------------------------------------
> >>         > Don't let slow site performance ruin your business. Deploy
> >>         New Relic APM
> >>         > Deploy New Relic app performance management and know exactly
> >>         > what is happening inside your Ruby, Python, PHP, Java,
> >>         and .NET app
> >>         > Try New Relic at no cost today and get our sweet Data Nerd
> >>         shirt too!
> >>         > http://p.sf.net/sfu/newrelic-dev2dev
> >>         > _______________________________________________
> >>         > Snort-users mailing list
> >>         > Snort-users at lists.sourceforge.net
> >>         > Go to this URL to change user options or unsubscribe:
> >>         > https://lists.sourceforge.net/lists/listinfo/snort-users
> >>         > Snort-users list archive:
> >>         > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>         >
> >>         > Please visit http://blog.snort.org to stay current on all
> >>         the latest Snort
> >>         > news!
> >>
> >>
> >>
> >>         --
> >>         _____________________________________
> >>          ---- In the end Nerds will Rule the World ----
> >>
> >
> >
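Jeremy's approach above (strip the per-category include lines from snort.conf and point it at the single snort.rules that PulledPork maintains, plus local.rules), as an added POSIX shell example that is not part of the thread; the function names, the sample snort.conf fragment and the paths are constructed for illustration.

```shell
# Added example, not from the thread: rewrite a snort.conf so that the only
# rule includes left are PulledPork's single snort.rules file and local.rules.
# Assumes a POSIX sh with sed and grep; paths below are constructed samples.

# Rewrite one snort.conf in place. Every "include $RULE_PATH/<category>.rules"
# line is dropped, except snort.rules and local.rules, which are kept; the two
# wanted includes are then appended if they are not already present.
rewrite_rule_includes() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed -e '/^include \$RULE_PATH\/snort\.rules/b' \
        -e '/^include \$RULE_PATH\/local\.rules/b' \
        -e '/^include \$RULE_PATH\/.*\.rules/d' "$conf" > "$tmp" || return 1
    grep -q '^include \$RULE_PATH/snort\.rules' "$tmp" \
        || printf 'include $RULE_PATH/snort.rules\n' >> "$tmp"
    grep -q '^include \$RULE_PATH/local\.rules' "$tmp" \
        || printf 'include $RULE_PATH/local.rules\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Number of $RULE_PATH includes in a snort.conf; after the rewrite it should
# be exactly 2 (snort.rules and local.rules).
count_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}

# Constructed sample: a snort.conf fragment with a few of the default
# per-category includes, one local.rules line and one non-rule include.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /opt/snort/rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/local.rules
include classification.config
EOF
}

# Usage on a real file (back it up first):
#   rewrite_rule_includes /etc/snort/etc/snort.conf
```

Run Snort with -T against the rewritten configuration afterwards, since a missing snort.rules include is exactly the "rules never read into memory" case Jack describes above.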