[Snort-users] pulledpork help

JJC cummingsj at ...11827...
Fri Oct 12 14:39:47 EDT 2012


Exactly, pulledpork automatically enumerates the snort tarball name based
on your currently installed snort version... Also as stated you can upgrade
your snort version, or you can manually retrieve the 2.9.3 tarball, or you
can specify a hardcoded snort version in your pulledpork.conf.

JJC

On Fri, Oct 12, 2012 at 12:23 PM, Jeremy Hoel <jthoel at ...11827...> wrote:

> Right, so the version it's looking for, in regards to rules is 2.9.3.0.
>
> The pulledpork.pl script pulls the version number it looks for from snort.
>
> You can either get the 2.9.3.0 rules or upgrade your snort to 2.9.3.1
>
>
> On Fri, Oct 12, 2012 at 6:20 PM, Tony Reusser <treusser at ...15879...>
> wrote:
> > [root at ...15880... snort]# snort -V
> >
> >    ,,_     -*> Snort! <*-
> >   o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
> >    ''''    By Martin Roesch & The Snort Team:
> > http://www.snort.org/snort/snort-team
> >            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
> >            Using libpcap version 1.0.0
> >            Using PCRE version: 8.31 2012-07-06
> >            Using ZLIB version: 1.2.3
> >
> >
> >
> >
> > -----Original Message-----
> > From: Jeremy Hoel [mailto:jthoel at ...11827...]
> > Sent: Friday, October 12, 2012 12:15 PM
> > To: Tony Reusser
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] pulledpork help
> >
> > What does 'snort -V' show?
> >
> >
> > On Fri, Oct 12, 2012 at 6:03 PM, Tony Reusser <treusser at ...15879...>
> wrote:
> >> My snort box:
> >>
> >> CentOS 6.3
> >> Snort vers 2.9.3
> >> Standard barnyard/pulledpork/mysql/BASE setup
> >>
> >> I'm fairly new to Snort.  I've had it up and running for a couple of
> >> months now.  About a month ago I downloaded the 2930 ruleset and
> >> successfully installed it using pulledpork.  I am not a subscriber, so
> >> I only get the 'registered user' rulesets 30 days late.  I'm fine with
> >> that as this whole thing is a learning process for me anyway.
> >>
> >> Because of that, I download the rule tarballs manually and place them
> >> in my /tmp folder on the snort machine.  I run pulledpork with the -n
> >> option to process without downloading.  With the latest rule tarball
> >> in /tmp, this should work right?  It seemed to function properly with
> >> 2930.  However, now that I've downloaded the 2931 ruleset, I get the
> >> following error when I run pulledpork.  Why is it still looking for
> >> the 2930 file?  I'm not a Perl guy, but line 1798 just refers to a
> >> variable $rule_file.  Where is this actually defined?  And why doesn't
> >> it reflect the current rule tarball file I have?
> >>
> >> Any help would be appreciated.
> >>
> >>                 -Tony Reusser
> >>
> >> [root at ...15880... pp]# ./pulledpork.pl -c ./etc/pulledpork.conf -E -n
> >>
> >>     http://code.google.com/p/pulledpork/
> >>       _____ ____
> >>      `----,\    )
> >>       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >>        `--==\\/
> >>      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >>   @_/        /  66\_  cummingsj at ...11827...
> >>     |    \   \   _(")
> >>      \   /-| ||'--'  Rules give me wings!
> >>       \_\  \_\\
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >>
> >> file /tmp//snortrules-snapshot-2930.tar.gz does not exist!
> >> at ./pulledpork.pl line 1798
> >>
> >> file listing of /tmp:
> >>
> >> [root at ...15880... pp]# ls -al /tmp
> >> total 23280
> >> drwxrwxrwt. 13 root     root         4096 Oct 12 11:39 .
> >> dr-xr-xr-x. 26 root     root         4096 Oct 12 11:04 ..
> >> -rw-r--r--.  1 root     root      1272869 Oct 12 09:32 emerging.rules.tar.gz
> >> -rw-r--r--.  1 root     root            0 Oct 12 10:53 etpro.rules.tar.gz
> >> srwxrwxr-x.  1 notroot  notroot         0 Jul 31 11:46 gnome-system-monitor.treusser.2837431554
> >> drwxrwxrwt.  2 root     root         4096 Oct 12 11:05 .ICE-unix
> >> drwx------.  2 gdm      gdm          4096 Oct 12 11:06 orbit-gdm
> >> -rw-rw-r--.  1 notroot  notroot  22487562 Oct 12 11:19 snortrules-snapshot-2931.tar.gz
> >> -r--r--r--.  1 root     root           11 Oct 12 11:05 .X0-lock
> >> drwxrwxrwt.  2 root     root         4096 Oct 12 11:05 .X11-unix
> >> -r--r--r--.  1 notroot  notroot        11 Oct 12 11:05 .X1-lock
> >> -rw-------.  1 root     root         1671 Oct  3 15:24 yum_save_tx-2012-10-03-15-24H0Dg_g.yumtx
> >> -rw-------.  1 root     root         3856 Oct  8 08:56 yum_save_tx-2012-10-08-08-56ONmnWM.yumtx
> >> -rw-------.  1 root     root         1204 Oct 11 11:20 yum_save_tx-2012-10-11-11-20aPV3jH.yumtx
> >>
> >> ----------------------------------------------------------------------
> >> -------- Don't let slow site performance ruin your business. Deploy
> >> New Relic APM Deploy New Relic app performance management and know
> >> exactly what is happening inside your Ruby, Python, PHP, Java, and
> >> .NET app Try New Relic at no cost today and get our sweet Data Nerd
> >> shirt too!
> >> http://p.sf.net/sfu/newrelic-dev2dev
> >> _______________________________________________
> >> Snort-users mailing list
> >> Snort-users at lists.sourceforge.net
> >> Go to this URL to change user options or unsubscribe:
> >> https://lists.sourceforge.net/lists/listinfo/snort-users
> >> Snort-users list archive:
> >> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >>
> >> Please visit http://blog.snort.org to stay current on all the latest
> >> Snort news!
> >
>
>
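The mechanism the replies above describe, as an added example written for this page (it is not pulledpork's own code): pulledpork reads the version line that `snort -V` prints, collapses it into the digit string in snortrules-snapshot-NNNN.tar.gz, and with -n expects that exact file to already be in its temp directory, so an installed 2.9.3 looks for the 2930 tarball however new the file you dropped in /tmp is. The "Version" regex, the padding of a three-part version with a trailing 0 (2.9.3 -> 2930, 2.9.3.1 -> 2931), the function names and the sample banners are assumptions chosen to reproduce the behaviour seen in the thread; the optional pinned-version argument plays the role of the hard-coded snort version in pulledpork.conf that JJC mentions.

```shell
#!/bin/sh
# Added example, not pulledpork's code: derive the rules tarball name from the
# `snort -V` banner the way the thread describes, then check the -n
# precondition that the file already exists in the temp directory.
# Assumed: the version follows the capitalised word "Version"; a three-part
# version is padded with a trailing 0 (2.9.3 -> 2930), four parts are joined
# as-is (2.9.3.1 -> 2931).

# Constructed sample of `snort -V` output for an installed 2.9.3 build.
SNORT_V_293='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
           Using libpcap version 1.0.0'

# Constructed sample for a 2.9.3.1 build (same banner shape, newer version).
SNORT_V_2931='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3.1 IPv6 GRE
           Using libpcap version 1.0.0'

# snort_version_from_banner BANNER
# Print the dotted version that follows the word "Version" (capitalised, so
# "Using libpcap version 1.0.0" is ignored).  Returns 1 if none is found.
snort_version_from_banner() {
    v=$(printf '%s\n' "$1" | awk '
        !found {
            for (i = 1; i < NF; i++)
                if ($i == "Version" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)?$/) {
                    print $(i + 1); found = 1; break
                }
        }')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# rules_tag VERSION
# Collapse a dotted version into the digits used in the tarball name:
# 2.9.3 -> 2930 (three components get a trailing 0), 2.9.3.1 -> 2931.
rules_tag() {
    printf '%s\n' "$1" | awk -F. '{
        t = $1 $2 $3
        t = (NF >= 4) ? t $4 : t "0"
        print t
    }'
}

# rules_tarball BANNER [PINNED_VERSION]
# Name of the tarball that will be looked for.  A second argument stands in
# for a hard-coded snort version in pulledpork.conf and overrides the banner.
rules_tarball() {
    ver=${2:-$(snort_version_from_banner "$1")} || return 1
    echo "snortrules-snapshot-$(rules_tag "$ver").tar.gz"
}

# check_local_tarball BANNER TEMP_DIR [PINNED_VERSION]
# The precondition behind -n (process without downloading): the tarball for
# the *installed* snort version must already be in TEMP_DIR.
# Returns 0 if it is there, 1 (with the familiar message on stderr) if not.
check_local_tarball() {
    f="$2/$(rules_tarball "$1" "$3")" || return 1
    if [ -f "$f" ]; then
        echo "found $f"
    else
        echo "file $f does not exist!" >&2
        return 1
    fi
}

# Demo on constructed input: only a 2931 tarball sits in a scratch directory,
# as in the /tmp listing in the thread, while the installed snort is 2.9.3.
scratch=$(mktemp -d)
: > "$scratch/snortrules-snapshot-2931.tar.gz"
check_local_tarball "$SNORT_V_293" "$scratch" || true          # wants ...-2930..., fails
check_local_tarball "$SNORT_V_2931" "$scratch" || true         # newer snort: finds ...-2931...
check_local_tarball "$SNORT_V_293" "$scratch" 2.9.3.1 || true  # pinned version: also finds it
rm -rf "$scratch"
```

The three demo calls correspond to the three ways out of the situation in the thread: fetch the 2930 tarball that matches the installed engine, upgrade snort so its banner reports 2.9.3.1, or pin the version in the configuration. Pinning is the quickest, but it decouples the rules from the engine actually running, so the tarball you point at must still be one built for that engine.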