[Snort-users] typical errors when trying pulledpork

Joel Esler jesler at ...1935...
Sat Sep 8 07:56:58 EDT 2012


Are you outputting in binary (tcpdump) format, or are you outputting in unified2?

--
Joel Esler
Sent from my iPad 
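Joel's question turns on what is actually in snort.log.*: a pcap ("binary", tcpdump-style) capture starts with a magic number, while a unified2 spool starts with a big-endian record header of type and length and has no magic at all, which is why less cannot show either. The checker below is an added example, not code from this thread or from Snort; the two sample inputs are constructed inline, and the record-type numbers are the ones Snort defines for unified2.

```python
import struct

# pcap global-header magic, both byte orders, micro- and nanosecond variants.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
# Record types from Snort's unified2 definitions; every record starts with a
# big-endian (type, length) header and length counts only the body.
UNIFIED2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                  104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}

def detect_format(data):
    """Return 'pcap', 'unified2' or 'unknown' for the first bytes of a file."""
    if len(data) < 8:
        return "unknown"
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    rtype, rlen = struct.unpack(">II", data[:8])
    if rtype in UNIFIED2_TYPES and 8 + rlen <= len(data):
        return "unified2"
    return "unknown"

def unified2_records(data):
    """Yield (type_name, body) per record; stop at a truncated or unknown one,
    which is what the tail of a spool still being written by snort looks like."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if rtype not in UNIFIED2_TYPES or off + 8 + rlen > len(data):
            break
        yield UNIFIED2_TYPES[rtype], data[off + 8:off + 8 + rlen]
        off += 8 + rlen

def packet_summary(body):
    """Decode the 28-byte Unified2Packet prefix that precedes the raw packet."""
    (sensor_id, event_id, event_second, packet_second,
     packet_usec, linktype, packet_length) = struct.unpack(">7I", body[:28])
    return {"sensor_id": sensor_id, "event_id": event_id,
            "event_second": event_second, "packet_second": packet_second,
            "packet_usec": packet_usec, "linktype": linktype,
            "packet_length": packet_length, "packet": body[28:28 + packet_length]}

# Constructed samples: a little-endian pcap global header (no packets) and one
# unified2 PACKET record carrying a 14-byte fake Ethernet header.
PCAP_SAMPLE = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
FAKE_FRAME = bytes.fromhex("0000000000010000000000020800")
U2_SAMPLE = (struct.pack(">II", 2, 28 + len(FAKE_FRAME))
             + struct.pack(">7I", 1, 42, 1346948607, 1346948607, 0, 1, len(FAKE_FRAME))
             + FAKE_FRAME)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        head = fh.read(65536)
    print(detect_format(head))
    for name, body in unified2_records(head):
        print(name, packet_summary(body)["packet_length"] if name == "PACKET" else len(body))
```

Run it against a snort.log.* file to see whether barnyard2 (unified2) or tcpdump/wireshark (pcap) is the right reader for it.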

On Sep 8, 2012, at 2:15 AM, PR <oly562 at ...11827...> wrote:

> snort won't start up... trying to view the logs - of course they are not
> viewable with less/more.
> example:
> less /var/log/snort/snort.log.1346948607 
> "/var/log/snort/snort.log.1346948607" may be a binary file.  See it
> anyway?
> 
> 
> here is the latest set of warnings:
> 
> # ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf
> -I Security
> 
>    http://code.google.com/p/pulledpork/
>      _____ ____
>     `----,\    )
>      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
>       `--==\\/
>     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
>  @_/        /  66\_  cummingsj at ...11827...
>    |    \   \   _(")
>     \   /-| ||'--'  Rules give me wings!
>      \_\  \_\\
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
>    They Match
>    Done!
> Prepping rules from snortrules-snapshot-2920.tar.gz for work....
>    Done!
> Reading rules...
> Generating Stub Rules....
>    An error occurred: !! WARNING: The database output plugins are considered deprecated as
> 
>    An error occurred: WARNING: ip4 normalizations disabled because not inline.
> 
>    An error occurred: WARNING: tcp normalizations disabled because not inline.
> 
>    An error occurred: WARNING: icmp4 normalizations disabled because not inline.
> 
>    An error occurred: WARNING: ip6 normalizations disabled because not inline.
> 
>    An error occurred: WARNING: icmp6 normalizations disabled because not inline.
> 
>    Done
> Reading rules...
> Reading rules...
> Reading rules...
> Activating Security rulesets....
>    Done
> Setting Flowbit State....
>    Enabled 637 flowbits
>    Enabled 47 flowbits
>    Enabled 4 flowbits
>    Enabled 2 flowbits
>    Done
> Writing /etc/snort/rules/snort.rules....
>    Done
> Writing /usr/local/etc/snort/rules/so_rules.rules....
>    Done
> Generating sid-msg.map....
>    Done
> Writing /usr/local/etc/snort/sid-msg.map....
>    Done
> Writing /var/log/sid_changes.log....
>    Done
> Rule Stats....
>    New:-------0
>    Deleted:---0
>    Enabled Rules:----6129
>    Dropped Rules:----0
>    Disabled Rules:---6875
>    Total Rules:------13004
>    Done
> Please review /var/log/sid_changes.log for additional details
> Fly Piggy Fly/crash....!
> 
> 
> more to follow.. sighs...
> 
> On Fri, 2012-09-07 at 20:25 -0700, PR wrote:
>> ha ha you funny dr jones... said like shorty ;)
>> 
>> On Fri, 2012-09-07 at 22:16 -0400, Joel Esler wrote:
>>> I don't have a template for that question.  Others, yes. 
>>> 
>>> --
>>> Joel Esler
>>> Sent from my iPad 
>>> 
>>> On Sep 7, 2012, at 9:30 PM, PR <oly562 at ...11827...> wrote:
>>> 
>>>> yep thanks for the templated noobish user response. ;) 
>>>> 
>>>> On Fri, 2012-09-07 at 18:17 -0400, Joel Esler wrote:
>>>>> If you are not a subscriber, yes. You'll need to wait your 15 minutes. 
>>>>> 
>>>>> But no, 2.9.2 is no longer supported. Please see the bottom of http://www.snort.org/vrt/rules/eol_policy for currently supported versions and when they will expire. 
>>>>> 
>>>>> --
>>>>> Joel Esler
>>>>> 
>>>>> On Sep 7, 2012, at 4:17 PM, PR <oly562 at ...11827...> wrote:
>>>>> 
>>>>>> i guess i should wait 15 mins? i don't think i can grab another since i
>>>>>> don't pay for rules... what do you think? should i just go for it?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> On Fri, 2012-09-07 at 13:15 -0700, PR wrote:
>>>>>>> next error... i mv'd this file, guess i should put it back...
>>>>>>> 
>>>>>>> ./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf
>>>>>>> -I Security
>>>>>>> 
>>>>>>>  http://code.google.com/p/pulledpork/
>>>>>>>    _____ ____
>>>>>>>   `----,\    )
>>>>>>>    `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
>>>>>>>     `--==\\/
>>>>>>>   .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
>>>>>>> @_/        /  66\_  cummingsj at ...11827...
>>>>>>>  |    \   \   _(")
>>>>>>>   \   /-| ||'--'  Rules give me wings!
>>>>>>>    \_\  \_\\
>>>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>>>> 
>>>>>>> Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
>>>>>>> Rules tarball download of snortrules-snapshot-2920.tar.gz....
>>>>>>>  They Match
>>>>>>>  Done!
>>>>>>> Prepping rules from snortrules-snapshot-2920.tar.gz for work....
>>>>>>>  Done!
>>>>>>> Reading rules...
>>>>>>> Generating Stub Rules....
>>>>>>>  An error occurred: ERROR: Unable to open rules file "/usr/local/etc/snort/database.conf": No such file or directory.
>>>>>>> 
>>>>>>>  An error occurred: Fatal Error, Quitting..
>>>>>>> 
>>>>>>> 
>>>>>>> more to follow....
>>>>>>> 
>>>>>>> On Fri, 2012-09-07 at 12:30 -0700, PR wrote:
>>>>>>>> oops, i figured out my mistake lolol...
>>>>>>>> 
>>>>>>>> ok but now i run into the same prob as before. versioning!
>>>>>>>> 
>>>>>>>> 
>>>>>>>> here is what i get when i do the cmd properly at tail of stdout:
>>>>>>>> 
>>>>>>>> The specified Snort binary does not exist!
>>>>>>>> Please correct the value or specify the FULL rules tarball name in the pulledpork.conf!
>>>>>>>> at ./pulledpork.pl line 1736.
>>>>>>>> 
>>>>>>>> i will go to pulledpork.pl line 1736 now. brb.......
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ok, i thought, no i swear it says on snort.org page, pulledpork will
>>>>>>>> automajically decide which version to download/upgrade rules to.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> -*> Snort! <*-
>>>>>>>> o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
>>>>>>>> ''''    By Martin Roesch & The Snort Team:
>>>>>>>> 
>>>>>>>> so...... let me guess 2.9.2 isn't "supported" here is what i think, i
>>>>>>>> think it's too hard for anyone to simply update rules unless you always
>>>>>>>> update your snort program to the same version, that's just ludicrous!
>>>>>>>> 
>>>>>>>> yes i'm running acidbase, yes it was loaded with apt-get install
>>>>>>>> snort-mysql snort acidbase, so what... 
>>>>>>>> 
>>>>>>>> i can move files and confs to point in right direction, not the issue,
>>>>>>>> it's the updating of the snort program and ONLY allowing automation to
>>>>>>>> those who either 
>>>>>>>> 1. pay
>>>>>>>> 2. pay to have you guys install
>>>>>>>> 3. pay to stay current
>>>>>>>> 4. pay pay pay, rather than providing a script that keeps the snort
>>>>>>>> program updated no matter what version you have in reason like 2.9.x
>>>>>>>> 5. How about fixing that perl script on the server side to allow us to
>>>>>>>> download the files automajically as it claims
>>>>>>>> 
>>>>>>>> i used snort since the beginning, it always was easy to update so forth, 
>>>>>>>> but now, it's getting silly. 
>>>>>>>> 
>>>>>>>> ok, there im done ranting, however, i still need FREE input, like
>>>>>>>> community input.
>>>>>>>> 
>>>>>>>> if not, as usual i will just figure it out, may take a while but i'll
>>>>>>>> get it, i have before, and can do again. i'm complaining becuz it's not
>>>>>>>> simple anymore. or as simple as it can be to download some rules
>>>>>>>> automatically.
>>>>>>>> 
>>>>>>>> sighs.... you can comment if you like, but i know each of you have been
>>>>>>>> here before at some point in your snorting career... 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Fri, 2012-09-07 at 12:13 -0700, PR wrote:
>>>>>>>>> hi all,
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 1. modified and created dirs for what pulledpork.conf requires as root
>>>>>>>>> user.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 2. ran this cmd:
>>>>>>>>> 
>>>>>>>>> root at ...15806...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 3. got this error:
>>>>>>>>> 
>>>>>>>>> root at ...15806...:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
>>>>>>>>> ./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX: command not found
>>>>>>>>> ./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not found
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 4. here is the conf in entirety:
>>>>>>>>> 
>>>>>>>>> # more pulledpork.conf 
>>>>>>>>> # Config file for pulledpork
>>>>>>>>> # Be sure to read through the entire configuration file
>>>>>>>>> # If you specify any of these items on the command line, it WILL take 
>>>>>>>>> # precedence over any value that you specify in this file!
>>>>>>>>> 
>>>>>>>>> #######
>>>>>>>>> #######  The below section defines what your oinkcode is (required for 
>>>>>>>>> #######  VRT rules), defines a temp path (must be writable) and also 
>>>>>>>>> #######  defines what version of rules that you are getting (for your 
>>>>>>>>> #######  snort version and subscription etc...)
>>>>>>>>> ####### 
>>>>>>>>> 
>>>>>>>>> # The rule_url value replaces the old base_url and rule_file configuration
>>>>>>>>> # options.  You can now specify one or as many rule_urls as you like, they 
>>>>>>>>> # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
>>>>>>>>> # each on an individual line, or you can specify them in a , separated list
>>>>>>>>> # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
>>>>>>>>> # note that the url, rule file, and oinkcode itself are separated by a pipe |
>>>>>>>>> # i.e. url|tarball|123456789, 
>>>>>>>>> #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> ##*** ( here is line 21 )***
>>>>>>>>> 
>>>>>>>>> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
>>>>>>>>> 
>>>>>>>>> # get the rule docs!
>>>>>>>>> #rule_url=https://www.snort.org/reg-rules/|opensource.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
>>>>>>>>> # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
>>>>>>>>> # and the et oinkcode requirement!
>>>>>>>>> #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
>>>>>>>>> # NOTE above that the VRT snortrules-snapshot does not contain the version
>>>>>>>>> # portion of the tarball name, this is because PP now automatically populates
>>>>>>>>> # this value for you, if, however you put the version information in, PP will
>>>>>>>>> # NOT populate this value but will use your value!
>>>>>>>>> 
>>>>>>>>> # Specify rule categories to ignore from the tarball in a comma separated list
>>>>>>>>> # with no spaces.  There are four ways to do this:
>>>>>>>>> # 1) Specify the category name with no suffix at all to ignore the category
>>>>>>>>> #    regardless of what rule-type it is, ie: netbios
>>>>>>>>> # 2) Specify the category name with a '.rules' suffix to ignore only gid 1
>>>>>>>>> #    rulefiles located in the /rules directory of the tarball, ie: policy.rules
>>>>>>>>> # 3) Specify the category name with a '.preproc' suffix to ignore only
>>>>>>>>> #    preprocessor rules located in the /preproc_rules directory of the tarball,
>>>>>>>>> #    ie: sensitive-data.preproc
>>>>>>>>> # 4) Specify the category name with a '.so' suffix to ignore only shared-object
>>>>>>>>> #    rules located in the /so_rules directory of the tarball, ie: netbios.so
>>>>>>>>> # The example below ignores dos rules wherever they may appear, sensitive-
>>>>>>>>> # data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
>>>>>>>>> # and netbios gid-1 rules (while including netbios so-rules):
>>>>>>>>> # ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
>>>>>>>>> # These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
>>>>>>>>> ignore=deleted.rules,experimental.rules,local.rules
>>>>>>>>> # IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
>>>>>>>>> # previous ignore line and uncomment the following!
>>>>>>>>> #
>>>>>>>>> ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
>>>>>>>>> 
>>>>>>>>> # Define your Oinkcode - DEPRICATED, SEE RULE_URL
>>>>>>>>> # oinkcode=replacethiswithyouroinkcode
>>>>>>>>> 
>>>>>>>>> # What is our temp path, be sure this path has a bit of space for rule 
>>>>>>>>> # extraction and manipulation, no trailing slash
>>>>>>>>> temp_path=/tmp
>>>>>>>>> 
>>>>>>>>> #######
>>>>>>>>> #######  The below section is for rule processing.  This section is 
>>>>>>>>> #######  required if you are not specifying the configuration using
>>>>>>>>> #######  runtime switches.  Note that runtime switches do SUPERSEED 
>>>>>>>>> #######  any values that you have specified here!
>>>>>>>>> #######
>>>>>>>>> 
>>>>>>>>> # What path you want the .rules file containing all of the processed 
>>>>>>>>> # rules? (this value has changed as of 0.4.0, previously we copied 
>>>>>>>>> # all of the rules, now we are creating a single large rules file
>>>>>>>>> # but still keeping a separate file for your so_rules!
>>>>>>>>> rule_path=/usr/local/etc/snort/rules/snort.rules
>>>>>>>>> 
>>>>>>>>> # What path you want the .rules files to be written to, this is UNIQUE
>>>>>>>>> # from the rule_path and cannot be used in conjunction, this is to be used with the
>>>>>>>>> # -k runtime flag, this can be set at runtime using the -K flag or specified
>>>>>>>>> # here.  If specified here, the -k option must also be passed at runtime, however
>>>>>>>>> # specifying -K <path> at runtime forces the -k option to also be set
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> ###(created all the dirs and pointed to currently snort.conf )
>>>>>>>>> 
>>>>>>>>> # out_path=/usr/local/etc/snort/rules/
>>>>>>>>> 
>>>>>>>>> # If you are running any rules in your local.rules file, we need to
>>>>>>>>> # know about them to properly build a sid-msg.map that will contain your
>>>>>>>>> # local.rules metadata (msg) information.  You can specify other rules
>>>>>>>>> # files that are local to your system here by adding a comma and more paths...
>>>>>>>>> # remember that the FULL path must be specified for EACH value.
>>>>>>>>> # local_rules=/path/to/these.rules,/path/to/those.rules
>>>>>>>>> ###(yadda)
>>>>>>>>> 
>>>>>>>>> local_rules=/usr/local/etc/snort/rules/local.rules
>>>>>>>>> 
>>>>>>>>> # Where should I put the sid-msg.map file?
>>>>>>>>> sid_msg=/usr/local/etc/snort/sid-msg.map
>>>>>>>>> 
>>>>>>>>> # Where do you want me to put the sid changelog?  This is a changelog 
>>>>>>>>> # that pulledpork maintains of all new sids that are imported
>>>>>>>>> sid_changelog=/var/log/sid_changes.log
>>>>>>>>> # this value is optional
>>>>>>>>> 
>>>>>>>>> #######
>>>>>>>>> #######  The below section is for so_rule processing only.  If you don't
>>>>>>>>> #######  need to use them.. then comment this section out!
>>>>>>>>> #######  Alternately, if you are not using pulledpork to process 
>>>>>>>>> #######  so_rules, you can specify -T at runtime to bypass this altogether
>>>>>>>>> #######
>>>>>>>>> 
>>>>>>>>> # What path you want the .so files to actually go to *i.e. where is it
>>>>>>>>> # defined in your snort.conf, needs a trailing slash
>>>>>>>>> sorule_path=/usr/local/lib/snort_dynamicrules/
>>>>>>>>> 
>>>>>>>>> # Path to the snort binary, we need this to generate the stub files
>>>>>>>>> #snort_path=/usr/local/bin/snort
>>>>>>>>> 
>>>>>>>>> (modified current path)
>>>>>>>>> 
>>>>>>>>> snort_path=/usr/sbin/snort
>>>>>>>>> 
>>>>>>>>> # We need to know where your snort.conf file lives so that we can
>>>>>>>>> # generate the stub files
>>>>>>>>> 
>>>>>>>>> config_path=/usr/local/etc/snort/snort.conf
>>>>>>>>> 
>>>>>>>>> # This is the file that contains all of the shared object rules that pulledpork
>>>>>>>>> # has processed, note that this has changed as of 0.4.0 just like the rules_path!
>>>>>>>>> sostub_path=/usr/local/etc/snort/rules/so_rules.rules
>>>>>>>>> 
>>>>>>>>> # Define your distro, this is for the precompiled shared object libs!
>>>>>>>>> # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
>>>>>>>>> # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
>>>>>>>>> # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
>>>>>>>>> # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
>>>>>>>>> # OpenSUSE-11-3
>>>>>>>>> distro=FreeBSD-8.0
>>>>>>>>> 
>>>>>>>>> #######  This next section is optional, but probably pretty useful to you.
>>>>>>>>> #######  Please read thoroughly!
>>>>>>>>> 
>>>>>>>>> # What do you want to backup and archive?  This is a comma separated list
>>>>>>>>> # of file or directory values.  If a directory is specified, PP will recurse
>>>>>>>>> # through said directory and all subdirectories to archive all files.
>>>>>>>>> # The following example backs up all snort config files, rules, pulledpork
>>>>>>>>> # config files, and snort shared object binary rules.
>>>>>>>>> #
>>>>>>>>> backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/
>>>>>>>>> 
>>>>>>>>> # what path and filename should we use for the backup tarball?
>>>>>>>>> # note that an epoch time value and the .tgz extension is automatically added
>>>>>>>>> # to the backup_file name on completeion i.e. the written file is:
>>>>>>>>> # pp_backup.1295886020.tgz
>>>>>>>>> # backup_file=/tmp/pp_backup
>>>>>>>>> 
>>>>>>>>> # Where do you want the signature docs to be copied, if this is commented 
>>>>>>>>> # out then they will not be copied / extracted.  Note that extracting them 
>>>>>>>>> # will add considerable runtime to pulledpork.
>>>>>>>>> # docs=/path/to/base/www
>>>>>>>>> 
>>>>>>>>> # The following option, state_order, allows you to more finely control the order
>>>>>>>>> # that pulledpork performs the modify operations, specifically the enablesid
>>>>>>>>> # disablesid and dropsid functions.  An example use case here would be to
>>>>>>>>> # disable an entire category and later enable only a rule or two out of it.
>>>>>>>>> # the valid values are disable, drop, and enable.
>>>>>>>>> # state_order=disable,drop,enable
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> # Define the path to the pid files of any running process that you want to
>>>>>>>>> # HUP after PP has completed its run.
>>>>>>>>> #
>>>>>>>>> pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
>>>>>>>>> # and so on...
>>>>>>>>> # pid_path=/var/run/snort_eth0.pid
>>>>>>>>> 
>>>>>>>>> # This defines the version of snort that you are using, for use ONLY if the 
>>>>>>>>> # proper snort binary is not on the system that you are fetching the rules with
>>>>>>>>> # Defining this value will set the Textonly flag, and thus will NOT allow
>>>>>>>>> # you to use shared object rules.  This value MUST contain all 4 minor version
>>>>>>>>> # numbers. ET rules are now also dependant on this, verify supported ET versions
>>>>>>>>> # prior to simply throwing rubbish in this variable kthx!
>>>>>>>>> # snort_version=2.9.0.0
>>>>>>>>> 
>>>>>>>>> # Here you can specify what rule modification files to run automatically.
>>>>>>>>> # simply uncomment and specify the apt path.
>>>>>>>>> # enablesid=/usr/local/etc/snort/enablesid.conf
>>>>>>>>> # dropsid=/usr/local/etc/snort/dropsid.conf
>>>>>>>>> # disablesid=/usr/local/etc/snort/disablesid.conf
>>>>>>>>> # modifysid=/usr/local/etc/snort/modifysid.conf
>>>>>>>>> 
>>>>>>>>> # What is the base ruleset that you want to use, please uncomment to use
>>>>>>>>> # and see the README.RULESETS for a description of the options.  
>>>>>>>>> # Note that setting this value will disable all ET rulesets if you are 
>>>>>>>>> # Running such rulesets
>>>>>>>>> # ips_policy=security
>>>>>>>>> 
>>>>>>>>> ####### Remember, a number of these values are optional.. if you don't 
>>>>>>>>> ####### need to process so_rules, simply comment out the so_rule section
>>>>>>>>> ####### you can also specify -T at runtime to process only GID 1 rules.
>>>>>>>>> 
>>>>>>>>> version=0.6.0
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 5. your thoughts? your suggestions?
>>>>>>>>> 
>>>>>>>>> thanks, pete
>>>> 
> 
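Most of the errors in this thread trace back to a few pulledpork.conf problems: a rule_url that is not a url|tarball|oinkcode triple (which is what made the shell complain when the conf was executed as a script), a snort_path that does not point at an executable, and a snort.conf whose include target (database.conf here) is missing when pulledpork generates stubs. The lint below is an added example and not pulledpork's own code; its sample config and the /nonexistent paths are constructed, and includes written with snort variables ($RULE_PATH and the like) are skipped because it does not expand them.

```python
import os
import re

# Constructed sample, not the poster's file: a well-formed rule_url, one with a
# version-pinned tarball and placeholder oinkcode, and one with only two fields.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2920.tar.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz
snort_path=/nonexistent/snort
config_path=/nonexistent/snort.conf
"""

def parse_conf(text):
    """Return {key: [values]}; pulledpork allows rule_url to repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def check_rule_urls(urls):
    """Every rule_url must be url|tarball|oinkcode, exactly three fields."""
    findings = []
    for entry in urls:
        parts = entry.split("|")
        if len(parts) != 3:
            findings.append(f"rule_url has {len(parts)} fields, need url|tarball|oinkcode: {entry}")
            continue
        _url, tarball, oinkcode = parts
        if not oinkcode or oinkcode.startswith("<"):
            findings.append(f"placeholder oinkcode left in rule_url for {tarball}")
        # pulledpork fills in the snort version only when the tarball name lacks it
        if re.fullmatch(r"snortrules-snapshot-\d+\.tar\.gz", tarball):
            findings.append(f"tarball name pins a snort version: {tarball}")
    return findings

def check_includes(snort_conf_text, base_dir):
    """Stub generation parses snort.conf, so each include target must exist;
    targets written with snort variables ($RULE_PATH etc.) are skipped."""
    findings = []
    for m in re.finditer(r"^\s*include\s+(\S+)", snort_conf_text, re.M):
        target = os.path.join(base_dir, m.group(1))  # absolute targets win the join
        if "$" not in target and not os.path.exists(target):
            findings.append(f"snort.conf includes a missing file: {target}")
    return findings

def check_paths(conf):
    findings = []
    for snort in conf.get("snort_path", []):
        if not (os.path.isfile(snort) and os.access(snort, os.X_OK)):
            findings.append(f"snort_path is not an executable file: {snort}")
    for cfg in conf.get("config_path", []):
        if not os.path.isfile(cfg):
            findings.append(f"config_path does not exist: {cfg}")
            continue
        with open(cfg) as fh:
            findings.extend(check_includes(fh.read(), os.path.dirname(cfg)))
    return findings

def lint(text):
    conf = parse_conf(text)
    return check_rule_urls(conf.get("rule_url", [])) + check_paths(conf)
```

Feed it the real pulledpork.conf text before running ./pulledpork.pl and it reports the three classes of mistake above instead of letting the run die part-way through stub generation.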