[Snort-users] Updating Rules with PulledPork and no outside connection

JJC cummingsj at ...11827...
Tue Sep 18 13:47:24 EDT 2012


Interesting, can you do a run with -vv and send the results?

JJC

On Tue, Sep 18, 2012 at 6:19 AM, Michael Steele <michaels at ...9077...> wrote:

> Attached is a log of the run. Attached is my pulledpork.conf and I'm
> looking for something that is causing PulledPork to not process the
> opensource.gz file in offline mode.
>
> It appears to be a problem with PulledPork only processing the
> snortrules-snapshot-2931.tar.gz in offline mode as PulledPork processes
> both files (opensource.gz and snortrules-snapshot-2931.tar.gz) if you are
> processing in online mode.
>
> My run line includes switches: -nvT
>
> Both files have been placed in the: temp_path=
>
> I'm assuming that PulledPork should process both files in offline mode
> exactly as it does in online mode, minus the file downloading, as long as
> the two files reside in the designated temp folder.
>
> I'm not sure about checksums in offline mode as PulledPork seems to
> process the snortrules-snapshot-2931.tar.gz every time it's run in offline
> mode, regardless of any checksum. I believe it does the same thing in
> online mode. The checksum only prevents PulledPork from downloading the
> file/s again in online mode.
>
> Kindest regards,
> Michael...
>
> -----Original Message-----
> From: JJ Cummings [mailto:cummingsj at ...11827...]
> Sent: Monday, September 17, 2012 12:48 PM
> To: Michael Steele
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Updating Rules with PulledPork and no outside connection
>
> Place the tarballs in the defined temp path that you have in your
> pulledpork.conf.. You will want to tell pp not to download and not to
> validate checksums...
>
> JJC
>
> Sent from the iRoad
>
> On Sep 17, 2012, at 7:02, "Michael Steele" <michaels at ...9077...> wrote:
>
> > I've looked through the list archive and was unable to find any
> > specifics on how to do this.
> >
> > I need to run PulledPork on a closed network.
> >
> > The run line I have is:
> > 'perl d:\winids\pulledpork\pulledpork.pl -c
> > d:\winids\pulledpork\etc\pulledpork.conf -v -T -n'
> >
> > I'm pretty sure the -n tells PulledPork to process locally?
> >
> > There are two files that need to be used and I'm not sure what to do
> > with them?
> > 1) snortrules-snapshot-2931.tar.gz
> > 2) opensource.gz
> >
> >
> > Do these lines need to be hashed out?
> > rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
> > rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
> >
> >
> > Just to verify; using the -T in the run line means I don't have to
> > hash out the so_rules section below?
> >
> > sorule_path=/usr/local/lib/snort_dynamicrules/
> > snort_path=/usr/local/bin/snort
> > config_path=/usr/local/etc/snort/snort.conf
> > sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> > distro=FreeBSD-8.1
> >
> > Kindest regards,
> > Michael...
> >
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond.
> > Discussions will include endpoint security, mobile security and the
> > latest in malware threats.
> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
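As an added example (not PulledPork's own code and not from anyone in this thread), a small POSIX shell pre-flight for the offline run discussed above. It reads the tarball names out of the rule_url= lines and the temp_path= setting in pulledpork.conf, checks that each tarball is actually present in temp_path (the symptom in the thread is one of the two files being silently skipped), and verifies each one against an md5sum-style sidecar file carried over with it, because the advice in the thread is to run PulledPork without checksum validation, so the integrity check has to happen before PulledPork runs. Only then does it invoke pulledpork.pl with the -n -T -v flags from the thread. The sidecar naming (<tarball>.md5 in md5sum format), the PULLEDPORK variable for the script location, the Snort version argument, and the substitution of the generic snortrules-snapshot.tar.gz name with the versioned snortrules-snapshot-2931.tar.gz name seen in the thread are assumptions of this example.

```shell
#!/bin/sh
# Added example, not PulledPork code. Assumes the rule tarballs named in
# rule_url= lines have been copied into temp_path together with md5sum-style
# sidecar files named <tarball>.md5 (an assumption of this example).

# Names of the rule tarballs listed in rule_url=<url>|<file>|<oinkcode> lines.
rule_files() {
    sed -n 's/^[[:space:]]*rule_url=[^|]*|\([^|]*\)|.*/\1/p' "$1"
}

# Value of temp_path= from the conf (first occurrence wins).
temp_path() {
    sed -n 's/^[[:space:]]*temp_path=[[:space:]]*//p' "$1" | head -n 1
}

# Verify every tarball is present in temp_path and matches its .md5 sidecar.
# $1 = pulledpork.conf, $2 = Snort version digits (e.g. 2931, as in the thread).
# Prints one status line per file; returns 0 only if all files pass.
check_staged() {
    conf=$1
    ver=$2
    dir=$(temp_path "$conf")
    rc=0
    for f in $(rule_files "$conf"); do
        # The thread shows the generic snapshot name in rule_url= and the
        # versioned name on disk; mirror that mapping here (assumption).
        case $f in
            snortrules-snapshot.tar.gz) f="snortrules-snapshot-$ver.tar.gz" ;;
        esac
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING  $dir/$f"; rc=1; continue
        fi
        if [ ! -f "$dir/$f.md5" ]; then
            echo "NO-MD5   $dir/$f"; rc=1; continue
        fi
        # Sidecar holds "<hash>  <file>" as written by md5sum; check in place.
        if (cd "$dir" && md5sum -c --quiet "$f.md5" >/dev/null 2>&1); then
            echo "OK       $dir/$f"
        else
            echo "BAD-MD5  $dir/$f"; rc=1
        fi
    done
    return $rc
}

# Run PulledPork offline only after the staging check passes.
# -n: do not download, -T: text rules only, -v: verbose (flags from the thread).
# PULLEDPORK points at pulledpork.pl; defaults to one in the current directory.
run_offline() {
    conf=$1
    ver=$2
    check_staged "$conf" "$ver" || {
        echo "staging check failed, not running PulledPork" >&2
        return 1
    }
    perl "${PULLEDPORK:-pulledpork.pl}" -c "$conf" -n -T -v
}
```

Usage on the closed network: copy both tarballs and their .md5 sidecars into temp_path, then `run_offline /path/to/pulledpork.conf 2931`. A MISSING line for opensource.gz before PulledPork even starts is a quicker diagnosis than reading a -vv log after the fact.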