[Snort-users] Updating Rules with PulledPork and no outside connection

JJ Cummings cummingsj at ...11827...
Wed Sep 19 10:30:19 EDT 2012


I'm gonna have a look shortly

Sent from the iRoad

On Sep 19, 2012, at 6:50, "Michael Steele" <michaels at ...9077...> wrote:

> I’m no expert here at all, but is there a chance that there is NO code even built into PulledPork that deals with the  ‘opensource.gz’ file in ‘NoDownload’ routine?
>  
> Also is the NoDownload routine processing the rules twice?
>  
> Kindest regards,
> Michael...
>  
> From: Michael Steele [mailto:michaels at ...9077...] 
> Sent: Tuesday, September 18, 2012 6:30 PM
> To: 'JJC'
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Updating Rules with PulledPork and no outside connection
>  
> Here is another run using -vvnT
>  
> Looking at the log it seems to be processing the rules twice.
>  
> Kindest regards,
> Michael...
>  
> From: JJC [mailto:cummingsj at ...11827...] 
> Sent: Tuesday, September 18, 2012 1:47 PM
> To: Michael Steele
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Updating Rules with PulledPork and no outside connection
>  
> Interesting, can you do a run with -vv and send the results?
>  
> JJC
> 
> On Tue, Sep 18, 2012 at 6:19 AM, Michael Steele <michaels at ...9077...> wrote:
> Attached is a log of the run. Attached is my pulledpork.conf and I'm looking
> for something that is causing PulledPork to not process the opensource.gz
> file in offline mode.
> 
> It appears to be a problem with PulledPork only processing the
> snortrules-snapshot-2931.tar.gz  in offline mode as PulledPork processes
> both files (opensource.gz and snortrules-snapshot-2931.tar.gz ) if you are
> processing in online mode.
> 
> My run line includes switches: -nvT
> 
> Both files have been placed in the: temp_path=
> 
> I'm assuming that PulledPork should process both files exactly as it does in
> offline mode as it does in online mode, minus the file downloading, and as
> long as the two files reside in the designated temp folder.
> 
> I'm not sure about checksums in offline mode as PulledPork seems to process
> the snortrules-snapshot-2931.tar.gz every time it's run in offline mode,
> regardless of any checksum. I believe it does the same thing in online
> mode. The checksum only prevents PulledPork from downloading the file/s
> again in online mode.
> 
> Kindest regards,
> Michael...
> 
> -----Original Message-----
> From: JJ Cummings [mailto:cummingsj at ...11827...]
> Sent: Monday, September 17, 2012 12:48 PM
> To: Michael Steele
> Cc: <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] Updating Rules with PulledPork and no outside connection
> 
> Place the tarballs in the defined temp path that you have in your
> pulledpork.conf.. You will want to tell pp not to download and not to
> validate checksums...
> 
> JJC
> 
> Sent from the iRoad
> 
> On Sep 17, 2012, at 7:02, "Michael Steele" <michaels at ...9077...> wrote:
> 
> > I've looked through the list archive and was unable to find any
> > specifics on how to do this.
> >
> > I need to run PulledPork on a closed network.
> >
> > The run line I have is:
> > 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -v -T -n'
> >
> > I'm pretty sure the -n tells PulledPork to process locally?
> >
> > There are two files that need to be used and I'm not sure what to do
> > with them?
> > 1) snortrules-snapshot-2931.tar.gz
> > 2) opensource.gz
> >
> >
> > Do these lines need to be hashed out?
> > rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
> > rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
> >
> >
> > Just to verify; using the -T in the run line means I don't have to
> > hash out the so_rules section below?
> >
> > sorule_path=/usr/local/lib/snort_dynamicrules/
> > snort_path=/usr/local/bin/snort
> > config_path=/usr/local/etc/snort/snort.conf
> > sostub_path=/usr/local/etc/snort/rules/so_rules.rules
> > distro=FreeBSD-8.1
> >
> > Kindest regards,
> > Michael...
> >
> >
> >
> >
> >
> >
> > ----------------------------------------------------------------------
> > --------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond.
> > Discussions will include endpoint security, mobile security and the
> > latest in malware threats.
> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
> 
> 
>  
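JJC's instructions above leave checksum validation switched off for the offline run, so the integrity of the tarballs carried onto the closed network is not checked by PulledPork at all. The following is an added example, not PulledPork's own code and not from any poster in the thread, that verifies each tarball in temp_path against a .md5 sidecar before PulledPork is run. It assumes a sidecar named <file>.md5 sits beside each tarball (recorded on the connected side, in either OpenSSL "MD5(file)= hex" or md5sum "hex  file" layout); the file names and contents in demo() are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A .md5 sidecar may read "MD5(file)= <hex>" (OpenSSL style) or "<hex>  file"
# (md5sum style); the digest is the only 32-hex-character token in either.
HEX_MD5 = re.compile(r"\b[0-9a-fA-F]{32}\b")

def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large rule tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def expected_md5(sidecar):
    """Extract the recorded digest from a sidecar file, whatever its layout."""
    m = HEX_MD5.search(Path(sidecar).read_text(encoding="ascii", errors="replace"))
    if not m:
        raise ValueError(f"no MD5 digest found in {sidecar}")
    return m.group(0).lower()

def verify_tarball(temp_path, name):
    """True if <temp_path>/<name> matches the digest in <temp_path>/<name>.md5."""
    tarball = Path(temp_path) / name
    return md5_of_file(tarball) == expected_md5(tarball.with_name(name + ".md5"))

def check_temp_path(temp_path, names=("snortrules-snapshot-2931.tar.gz", "opensource.gz")):
    """Verify every tarball the offline PulledPork run is expected to consume."""
    return {n: verify_tarball(temp_path, n) for n in names}

def demo():
    """Constructed sample: one intact tarball and one altered after its sidecar was written."""
    with tempfile.TemporaryDirectory() as tmp:
        snap = Path(tmp) / "snortrules-snapshot-2931.tar.gz"
        osrc = Path(tmp) / "opensource.gz"
        snap.write_bytes(b"constructed stand-in for the snapshot tarball")
        osrc.write_bytes(b"constructed stand-in for opensource.gz")
        snap.with_name(snap.name + ".md5").write_text(f"MD5({snap.name})= {md5_of_file(snap)}\n")
        osrc.with_name(osrc.name + ".md5").write_text(f"{md5_of_file(osrc)}  {osrc.name}\n")
        osrc.write_bytes(osrc.read_bytes() + b"...modified in transit")  # digest no longer matches
        return check_temp_path(tmp)

if __name__ == "__main__":
    print(demo())
```

MD5 only detects corruption or casual alteration; if the sidecar travels over the same path as the tarball it proves nothing on its own, so record the digests on the connected side and compare against that record.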