[Snort-users] Snort / Pulled Pork Confusion

Jefferson, Shawn Shawn.Jefferson at ...14448...
Thu Oct 4 22:22:47 EDT 2012


I apologize if this message came across as antagonistic, I didn't mean for it to be.  I was genuinely curious, because I think that pulledpork is better than the way things used to be with snort, oinkmaster and all the many rule files, flowbits, etc...



----- Original Message -----
From: AllowOverride <allowoverride at ...11827...>
To: Jefferson, Shawn
Cc: Michael Steele <michaels at ...9077...>; 'JJC' <cummingsj at ...11827...>; snort-users at lists.sourceforge.net <snort-users at lists.sourceforge.net>
Sent: Thu Oct 04 18:00:15 2012
Subject: Re: [Snort-users] Snort / Pulled Pork Confusion

I love the attitude... keep it up.

On Thu, 2012-10-04 at 16:17 -0600, Jefferson, Shawn wrote:
> I’m curious what you think is confusing about it?  You can quite
> easily disable whole categories with Pulledpork, or ignore them from
> the tarball completely.  In fact, if we are talking about managing
> rules, PP gives you so much more… for instance, automatically enabling
> rules that set flowbits if another rule that is already enabled relies
> on it.  A noob rule operator will probably miss that.  PP makes things
> easier.  Also there is the whole “security/balanced” ruleset
> management that PP does for you as well, perfect for the noob (and
> advanced rule operators alike.)
> 
> From: Michael Steele [mailto:michaels at ...9077...] 
> Sent: Thursday, October 04, 2012 3:05 PM
> To: 'JJC'
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort / Pulled Pork Confusion
> 
> Dumping all the rules into one bucket might be easier in the long run
> for an experienced rule operator, but for the new rule operator, it
> might get a little confusing.
> 
> I know separators were discussed earlier, but development on PP is at
> a crawl, or non-existent :(
> 
> One solution for those that use the -k switch would be for Sourcefire
> to prepend ‘vrt-’ to the distributed *.rules in the official
> distributed rule tarball, and change the snort.conf to reflect the
> ‘vrt-*.rules’. At least that way, what you see in the official
> distributed rule tarball, is what you are seeing in the rules folder
> after using the -k switch in PP.
> 
> Kindest regards,
> 
> Michael...
> 
> From: JJC [mailto:cummingsj at ...11827...] 
> Sent: Thursday, October 04, 2012 2:57 PM
> To: AllowOverride
> Cc: snort-users at lists.sourceforge.net; Turnbough, Bradley E.
> Subject: Re: [Snort-users] Snort / Pulled Pork Confusion
> 
> The logic here is quite simple... new rule categories and files are
> included in the rules tarball, they are automatically included in your
> live ruleset this way.  This is one of but many solid logical
> arguments.
> On Thu, Oct 4, 2012 at 10:07 AM, AllowOverride
> <allowoverride at ...11827...> wrote:
> 
> one file???? sighs... how is that quicker, show me the smack reports
> 
> On Wed, 2012-10-03 at 21:13 +0000, Jeremy Hoel wrote:
> 
> > pulledpork puts all the rules together into one file.. so you can
> > remove/comment out all the lines for the 'include $RULE_PATH/*.rules'
> > and just have the 'include $RULE_PATH/snort.rules' line.  Just one is
> > needed.
> >
> > On Wed, Oct 3, 2012 at 8:59 PM, Turnbough, Bradley E.
> > <bturnbough at ...15650...> wrote:
> > > Guys,
> > >
> > > I’m having a little trouble wrapping my head around the snort and
> > > pulled pork interaction.  In the snort.conf file, the following rules
> > > are defined (by default):
> > >
> > > include $RULE_PATH/attack-responses.rules
> > > include $RULE_PATH/backdoor.rules
> > > include $RULE_PATH/bad-traffic.rules
> > > include $RULE_PATH/blacklist.rules
> > > include $RULE_PATH/botnet-cnc.rules
> > > include $RULE_PATH/chat.rules
> > > include $RULE_PATH/content-replace.rules
> > > include $RULE_PATH/ddos.rules
> > > include $RULE_PATH/dns.rules
> > > include $RULE_PATH/dos.rules
> > > include $RULE_PATH/exploit.rules
> > > include $RULE_PATH/file-identify.rules
> > > include $RULE_PATH/finger.rules
> > > include $RULE_PATH/ftp.rules
> > > include $RULE_PATH/icmp.rules
> > > include $RULE_PATH/icmp-info.rules
> > > include $RULE_PATH/imap.rules
> > > include $RULE_PATH/info.rules
> > > include $RULE_PATH/misc.rules
> > > include $RULE_PATH/multimedia.rules
> > > include $RULE_PATH/mysql.rules
> > > include $RULE_PATH/netbios.rules
> > > include $RULE_PATH/nntp.rules
> > > include $RULE_PATH/oracle.rules
> > > include $RULE_PATH/other-ids.rules
> > > include $RULE_PATH/p2p.rules
> > > include $RULE_PATH/phishing-spam.rules
> > > include $RULE_PATH/policy.rules
> > > include $RULE_PATH/pop2.rules
> > > include $RULE_PATH/pop3.rules
> > > include $RULE_PATH/rpc.rules
> > > include $RULE_PATH/rservices.rules
> > > include $RULE_PATH/scada.rules
> > > include $RULE_PATH/scan.rules
> > > include $RULE_PATH/shellcode.rules
> > > include $RULE_PATH/smtp.rules
> > > include $RULE_PATH/snmp.rules
> > > include $RULE_PATH/specific-threats.rules
> > > include $RULE_PATH/spyware-put.rules
> > > include $RULE_PATH/sql.rules
> > > include $RULE_PATH/telnet.rules
> > > include $RULE_PATH/tftp.rules
> > > include $RULE_PATH/virus.rules
> > > include $RULE_PATH/voip.rules
> > > include $RULE_PATH/web-activex.rules
> > > include $RULE_PATH/web-attacks.rules
> > > include $RULE_PATH/web-cgi.rules
> > > include $RULE_PATH/web-client.rules
> > > include $RULE_PATH/web-coldfusion.rules
> > > include $RULE_PATH/web-frontpage.rules
> > > include $RULE_PATH/web-iis.rules
> > > include $RULE_PATH/web-misc.rules
> > > include $RULE_PATH/web-php.rules
> > > include $RULE_PATH/x11.rules
> > >
> > > When I compile snort, the $RULE_PATH directory isn’t created.  I
> > > create it by `mkdir /opt/snort/rules`.  I then run pulled pork with
> > > the following command:
> > >
> > > ./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/
> > > -i /opt/pulledpork/etc/disablesid.conf -T -H
> > >
> > > The only file that shows up is `snort.rules`.  Where are all of the
> > > other files that are specified in the snort.conf?
> > >
> > > ------------------------------------------------------------------------------
> > > Don't let slow site performance ruin your business. Deploy New Relic APM
> > > Deploy New Relic app performance management and know exactly
> > > what is happening inside your Ruby, Python, PHP, Java, and .NET app
> > > Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> > > http://p.sf.net/sfu/newrelic-dev2dev
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > > Snort news!
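Bradley's situation above (a snort.conf full of per-category `include $RULE_PATH/...` lines while the rules directory holds only the `snort.rules` that PulledPork wrote) and Jeremy's fix (one include of `snort.rules`), as an added example that is not from the thread and not code from Snort or PulledPork. It lists includes whose files are missing on disk, which is what Snort would refuse to start on, and rewrites the config to the single include. `SAMPLE_CONF`, its `/opt/snort/rules` path and the function names are constructed for this example; leaving `local.rules` alone is my assumption about what an operator would want, not something the thread says.

```python
"""Check snort.conf rule includes against the rules directory and consolidate
them to the single snort.rules file that PulledPork writes.

Added example: not from the mailing-list thread, not Snort or PulledPork code.
"""
import os
import re

# Constructed sample snort.conf fragment (path and file list are illustrative).
SAMPLE_CONF = """\
var RULE_PATH /opt/snort/rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/local.rules
"""

# An uncommented "include $RULE_PATH/<file>" line.
INCLUDE_RE = re.compile(r'^\s*include\s+\$RULE_PATH/(?P<name>\S+)\s*$')


def rule_includes(conf_text):
    """Rule file names included via $RULE_PATH, in config order."""
    return [m.group('name')
            for m in map(INCLUDE_RE.match, conf_text.splitlines()) if m]


def missing_includes(conf_text, rules_dir):
    """Included rule files that do not exist under rules_dir."""
    return [n for n in rule_includes(conf_text)
            if not os.path.isfile(os.path.join(rules_dir, n))]


def consolidate_includes(conf_text, single='snort.rules', keep=('local.rules',)):
    """Comment out every $RULE_PATH include except those in `keep`, and put one
    include of `single` where the first include was. Idempotent: running it on
    its own output changes nothing."""
    out, placed = [], False
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)
            continue
        if not placed:
            out.append('include $RULE_PATH/%s' % single)
            placed = True
        name = m.group('name')
        if name == single:
            continue                      # already represented by the line above
        if name in keep:
            out.append(line)              # e.g. local.rules, which PP does not write
        else:
            out.append('# ' + line.strip())
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print('missing under /nonexistent:', missing_includes(SAMPLE_CONF, '/nonexistent'))
    print(consolidate_includes(SAMPLE_CONF))
```

Run it against the real `snort.conf` and `$RULE_PATH` before the first `snort -T` after a PulledPork run; with `-k` (separate category files) the missing list should be empty and the consolidation step is not wanted.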
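The flowbits point Shawn makes (a rule that sets a flowbit has to be enabled when an already-enabled rule relies on that bit), as an added example that is not PulledPork's code or anyone's from the thread. It is a simplified model in Python rather than PulledPork's Perl, run over a constructed `snort.rules`-style sample with made-up sids; it goes a little beyond the text by following chains (a setter that itself checks a bit pulls in its own setter) and by reporting bits that nothing in the file sets at all. `parse_rules`, `resolve_flowbits`, `unsatisfiable_bits` and `enable_sids` are names chosen for this example.

```python
"""Flowbits dependency check over a Snort 2 rules file.

Added example, not PulledPork's code: models the behaviour described in the
thread (enable a disabled rule that sets a flowbit when an enabled rule checks
it). Sample rules and sids below are constructed for illustration.
"""
import re

# Constructed sample in snort.rules style; lines starting with "# alert" are
# disabled rules. sids 1000001-1000008 are made up.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER seen"; flow:to_server,established; content:"USER"; flowbits:set,ftp.user; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC after USER"; flow:to_server,established; flowbits:isset,ftp.user; content:"SITE EXEC"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP GET"; flow:to_server,established; content:"GET"; flowbits:set,http.get; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"HTTP 200 to GET"; flow:to_client,established; flowbits:isset,http.get; content:"200"; sid:1000004; rev:1;)
# alert tcp any any -> any any (msg:"stage one"; flowbits:set,stage1; flowbits:noalert; sid:1000005; rev:1;)
# alert tcp any any -> any any (msg:"stage two"; flowbits:isset,stage1; flowbits:set,stage2; flowbits:noalert; sid:1000006; rev:1;)
alert tcp any any -> any any (msg:"stage three"; flowbits:isset,stage2; sid:1000007; rev:1;)
alert tcp any any -> any any (msg:"orphan check"; flowbits:isset,never.set; sid:1000008; rev:1;)
"""

# A rule line, optionally commented out (disabled), and its sid.
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\(.*\bsid:\s*(?P<sid>\d+)\s*;')
# flowbits:<op>[,<bits>[,<group>]];  bits may be joined with & or |.
FLOWBITS_RE = re.compile(
    r'flowbits:\s*(?P<op>setx|set|unset|toggle|isset|isnotset|noalert|reset)'
    r'(?:\s*,\s*(?P<bits>[^;]+))?\s*;')


def parse_rules(text):
    """One dict per rule: sid, enabled, bits it sets, bits it checks."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sets, checks = set(), set()
        for fb in FLOWBITS_RE.finditer(line):
            if not fb.group('bits'):
                continue  # noalert / reset carry no bit name
            names = {b.strip() for b in re.split(r'[&|]', fb.group('bits').split(',')[0])}
            if fb.group('op') in ('set', 'setx', 'toggle'):
                sets |= names
            elif fb.group('op') in ('isset', 'isnotset'):
                checks |= names
        rules.append({'sid': int(m.group('sid')), 'enabled': m.group('disabled') is None,
                      'sets': sets, 'checks': checks})
    return rules


def resolve_flowbits(rules):
    """Sids of disabled rules that must be enabled so every bit checked by an
    enabled rule has an enabled setter. Transitive: a setter enabled here may
    itself check a bit and pull in further setters."""
    setters = {}
    for r in rules:
        for bit in r['sets']:
            setters.setdefault(bit, []).append(r)
    enabled = {r['sid'] for r in rules if r['enabled']}
    to_enable = set()
    work = [r for r in rules if r['enabled']]
    while work:
        r = work.pop()
        for bit in r['checks']:
            for s in setters.get(bit, []):
                if s['sid'] not in enabled:
                    enabled.add(s['sid'])
                    to_enable.add(s['sid'])
                    work.append(s)
    return to_enable


def unsatisfiable_bits(rules):
    """Bits checked by enabled rules that no rule in the file sets at all:
    an isset on such a bit can never fire, an isnotset always does."""
    all_set = set().union(*(r['sets'] for r in rules))
    return set().union(*(r['checks'] for r in rules if r['enabled'])) - all_set


def enable_sids(text, sids):
    """Uncomment the rule lines for the given sids; other lines are untouched."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group('disabled') and int(m.group('sid')) in sids:
            line = line[len(m.group('disabled')):]
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    needed = resolve_flowbits(rules)
    print('enable for flowbits:', sorted(needed))
    print('checked but never set:', sorted(unsatisfiable_bits(rules)))
    fixed = enable_sids(SAMPLE_RULES, needed)
    print('unresolved after fix:', resolve_flowbits(parse_rules(fixed)))
</test>
```

Note that this only looks at one file; with `-k` the setter and the checker can live in different category files, so the check has to be run over the concatenation of everything snort.conf includes.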


