[Snort-users] PulledPork not processing

Michael Steele michaels at ...9077...
Sun Feb 10 18:13:40 EST 2013


I don't think so. I'm thinking this gets bypassed using the -T switch, but
maybe not.

 

Not sure how long it takes to extract the opensource.gz in UNIX using PP?

 

In Windows it takes about 10 seconds to process the rules in PP, but 30+
minutes to extract the signatures. 

 

Best regards,

Michael...

 

From: Tony Robinson [mailto:deusexmachina667 at ...11827...] 
Sent: Sunday, February 10, 2013 4:27 PM
To: JJ Cummings
Cc: Michael Steele; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] PulledPork not processing

 

Meant to reply-all. Think I might have just sent this to JJ by accident.

Hey... I saw this line in your output above:

  Distro Def is: FreeBSD-8.1

Wondering if that might have something to do with it? Is there an option
to define the distro for PP to Windows?

On Sun, Feb 10, 2013 at 11:51 AM, JJ Cummings <cummingsj at ...11827...> wrote:

Michael,

 

Are you talking about the rule docs "the opensource.tgz" file?  If so, these
are not the rules and only need to be extracted if you are using them for
reference.  This can sometimes take a while to extract... However, as Joel
said the actual rules operation should be quite fast.

 

JJC

Sent from the iRoad


On Feb 10, 2013, at 9:20, "Joel Esler" <jesler at ...1935...> wrote:

*self contained

-
Joel Esler
Mobile

 

On Sun, Feb 10, 2013 at 10:38 AM, Joel Esler <jesler at ...1935...> wrote:

Wow.  That's pretty slow.  On Unix it takes about 10 seconds give or take.
But no, Pulledpork is sell contained except for a few libraries and is meant
to be that way.

 

On Sun, Feb 10, 2013 at 9:57 AM, Michael Steele <michaels at ...9077...> wrote:

Problem solved. It appears that some of the Perl packages were corrupted.

 

However, does anyone have a workaround for the installation of the
signatures? I don't know about UNIX, but on Windows it takes at least 30
minutes for Perl to extract.

 

Is it possible for the pulledpork.pl file to extract
with a native OS extraction tool?

 

Best regards,

Michael...

 

From: Michael Steele [mailto:michaels at ...9077...]
Sent: Saturday, February 09, 2013 1:49 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] PulledPork not processing

 

This is the latest pull from the SVN.

 

It appears PulledPork is trying to process the rules twice. In the temp
folder I'm only getting a partial transfer of the rules and the MD5 file. 

 

 

C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vv -T

 

    http://code.google.com/p/pulledpork/

      _____ ____

     `----,\    )

      `--==\\  /    PulledPork v0.6.2dev the Cigar Pig <////~

       `--==\\/

     .-~~~~-.Y|\\_  Copyright (C) 2009-2012 JJ Cummings

  @_/        /  66\_  cummingsj at ...11827...

    |    \   \   _(")

     \   /-| ||'--'  Rules give me wings!

      \_\  \_\\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Config File Variable Debug d:\winids\pulledpork\etc\pulledpork.conf

        snort_path = /usr/local/bin/snort

        enablesid = d:\winids\pulledpork\etc\enablesid.conf

        modifysid = d:\winids\pulledpork\etc\modifysid.conf

        rule_path = d:\winids\snort\rules\snort.rules

        ignore = deleted.rules,experimental.rules,local.rules

        rule_url = ARRAY(0x28e1e24)

        snort_version = 2.9.4.0

        sid_msg_version = 1

        sid_changelog = d:\winids\snort\log\sid_changes.log

        sid_msg = d:\winids\snort\etc\sid-msg.map

        docs = d:\winids\Apache24\htdocs\base\signatures\

        ips_policy = security

        config_path = /usr/local/etc/snort/snort.conf

        temp_path = d:\winids\pulledpork\temp

        distro = FreeBSD-8.1

        version = 0.6.1

        sorule_path = /usr/local/lib/snort_dynamicrules/

        disablesid = d:\winids\pulledpork\etc\disablesid.conf

        dropsid = d:\winids\pulledpork\etc\dropsid.conf

        local_rules = d:\winids\snort\rules\local.rules

'uname' is not recognized as an internal or external command,

operable program or batch file.

MISC (CLI and Autovar) Variable Debug:

        Config Path is: d:\winids\pulledpork\etc\pulledpork.conf

        Distro Def is: FreeBSD-8.1

        Docs Reference Location is:
d:\winids\Apache24\htdocs\base\signatures\

        security policy specified

        local.rules path is: d:\winids\snort\rules\local.rules

        Rules file is: d:\winids\snort\rules\snort.rules

        Path to disablesid file: d:\winids\pulledpork\etc\disablesid.conf

        Path to dropsid file: d:\winids\pulledpork\etc\dropsid.conf

        Path to enablesid file: d:\winids\pulledpork\etc\enablesid.conf

        Path to modifysid file: d:\winids\pulledpork\etc\modifysid.conf

        sid changes will be logged to: d:\winids\snort\log\sid_changes.log

        sid-msg.map Output Path is: d:\winids\snort\etc\sid-msg.map

        Snort Version is: 2.9.4.0

        Snort Config File: /usr/local/etc/snort/snort.conf

        Snort Path is: /usr/local/bin/snort

        Text Rules only Flag is Set

        Extra Verbose Flag is Set

        Verbose Flag is Set

        Base URL is:
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|991158d6f0847841cffbe085a91b7c5775ba98cf
https://www.snort.org/reg-rules/|opensource.gz|991158d6f0847841cffbe085a91b7c5775ba98cf

Checking latest MD5 for snortrules-snapshot-2940.tar.gz....

        Fetching md5sum for: snortrules-snapshot-2940.tar.gz.md5

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz.md5/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 200 OK (3s)

        most recent rules file digest: ae46740e802f023be681d932ef71f407

Rules tarball download of snortrules-snapshot-2940.tar.gz....

        Fetching rules file: snortrules-snapshot-2940.tar.gz

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 302 Found (1s)

** GET https://s3.amazonaws.com/snort-org/www/rules/20121218/snortrules-snapshot-2940.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1360435268&Signature=KaoY%2B0NMB%2B%2FNnYFJTpunKaQhilw%3D ==> 200 OK (1s)

        storing file at:
d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz

 

        current local rules file  digest: eed12b6d1e99dd34dda723167ab18f8c

        The MD5 for snortrules-snapshot-2940.tar.gz did not match the latest
digest... so I am gonna fetch the latest rules file!

Rules tarball download of snortrules-snapshot-2940.tar.gz....

        Fetching rules file: snortrules-snapshot-2940.tar.gz

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 302 Found

** GET https://s3.amazonaws.com/snort-org/www/rules/20121218/snortrules-snapshot-2940.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1360435269&Signature=2H85W57%2F7fbXw%2FEehahpjniVR0Q%3D ==>   0

200 OK

        storing file at:
d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz

 

        current local rules file  digest: 6fb296525f90c700ff356264397e7977

        The MD5 for snortrules-snapshot-2940.tar.gz did not match the latest
digest... so I am gonna fetch the latest rules file!

Rules tarball download of snortrules-snapshot-2940.tar.gz....

        Fetching rules file: snortrules-snapshot-2940.tar.gz

** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 403 Forbidden (1s)

        A 403 error occurred, please wait for the 15 minute timeout

        to expire before trying again or specify the -n runtime switch

        You may also wish to verfiy your oinkcode, tarball name, and other
configuration options

 

 

 

 

I can drop the rules, and open source file into the empty temp folder and
try to process offline but I'm getting:

 

C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -n -vv -T

 

    http://code.google.com/p/pulledpork/

      _____ ____

     `----,\    )

      `--==\\  /    PulledPork v0.6.2dev the Cigar Pig <////~

       `--==\\/

     .-~~~~-.Y|\\_  Copyright (C) 2009-2012 JJ Cummings

  @_/        /  66\_  cummingsj at ...11827...

    |    \   \   _(")

     \   /-| ||'--'  Rules give me wings!

      \_\  \_\\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Config File Variable Debug d:\winids\pulledpork\etc\pulledpork.conf

        snort_path = /usr/local/bin/snort

        enablesid = d:\winids\pulledpork\etc\enablesid.conf

        modifysid = d:\winids\pulledpork\etc\modifysid.conf

        rule_path = d:\winids\snort\rules\snort.rules

        ignore = deleted.rules,experimental.rules,local.rules

        rule_url = ARRAY(0x285929c)

        snort_version = 2.9.4.0

        sid_msg_version = 1

        sid_changelog = d:\winids\snort\log\sid_changes.log

        sid_msg = d:\winids\snort\etc\sid-msg.map

        docs = d:\winids\Apache24\htdocs\base\signatures\

        ips_policy = security

        config_path = /usr/local/etc/snort/snort.conf

        temp_path = d:\winids\pulledpork\temp

        distro = FreeBSD-8.1

        version = 0.6.1

        sorule_path = /usr/local/lib/snort_dynamicrules/

        disablesid = d:\winids\pulledpork\etc\disablesid.conf

        dropsid = d:\winids\pulledpork\etc\dropsid.conf

        local_rules = d:\winids\snort\rules\local.rules

'uname' is not recognized as an internal or external command,

operable program or batch file.

MISC (CLI and Autovar) Variable Debug:

        Config Path is: d:\winids\pulledpork\etc\pulledpork.conf

        Distro Def is: FreeBSD-8.1

        Docs Reference Location is:
d:\winids\Apache24\htdocs\base\signatures\

        security policy specified

        local.rules path is: d:\winids\snort\rules\local.rules

        No Download Flag is Set

        Rules file is: d:\winids\snort\rules\snort.rules

        Path to disablesid file: d:\winids\pulledpork\etc\disablesid.conf

        Path to dropsid file: d:\winids\pulledpork\etc\dropsid.conf

        Path to enablesid file: d:\winids\pulledpork\etc\enablesid.conf

        Path to modifysid file: d:\winids\pulledpork\etc\modifysid.conf

        sid changes will be logged to: d:\winids\snort\log\sid_changes.log

        sid-msg.map Output Path is: d:\winids\snort\etc\sid-msg.map

        Snort Version is: 2.9.4.0

        Snort Config File: /usr/local/etc/snort/snort.conf

        Snort Path is: /usr/local/bin/snort

        Text Rules only Flag is Set

        Extra Verbose Flag is Set

        Verbose Flag is Set

        Base URL is:
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|991158d6f0847841cffbe085a91b7c5775ba98cf
https://www.snort.org/reg-rules/|opensource.gz|991158d6f0847841cffbe085a91b7c5775ba98cf

Prepping rules from snortrules-snapshot-2940.tar.gz for work....

        extracting contents of
d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz...

        Ignoring plaintext rules: deleted.rules

        Ignoring plaintext rules: experimental.rules

        Ignoring plaintext rules: local.rules

        Extracted: /tha_rules/VRT-server-other.rules

        Extracted: /tha_rules/VRT-pua-adware.rules

        Extracted: /tha_rules/VRT-misc.rules

        Extracted: /tha_rules/VRT-malware-backdoor.rules

        Extracted: /tha_rules/VRT-indicator-compromise.rules

        Extracted: /tha_rules/VRT-file-pdf.rules

        Extracted: /tha_rules/VRT-content-replace.rules

        Extracted: /tha_rules/VRT-file-identify.rules

        Extracted: /tha_rules/VRT-browser-webkit.rules

        Extracted: /tha_rules/VRT-specific-threats.rules

        Extracted: /tha_rules/VRT-file-office.rules

        Extracted: /tha_rules/VRT-rpc.rules

        Extracted: /tha_rules/VRT-dns.rules

        Extracted: /tha_rules/VRT-os-other.rules

        Extracted: /tha_rules/VRT-snmp.rules

        Extracted: /tha_rules/VRT-policy-other.rules

        Extracted: /tha_rules/VRT-web-coldfusion.rules

        Extracted: /tha_rules/VRT-protocol-voip.rules

        Extracted: /tha_rules/VRT-file-image.rules

        Extracted: /tha_rules/VRT-chat.rules

        Extracted: /tha_rules/VRT-voip.rules

        Extracted: /tha_rules/VRT-os-solaris.rules

        Extracted: /tha_rules/VRT-pop3.rules

        Extracted: /tha_rules/VRT-server-mssql.rules

        Extracted: /tha_rules/VRT-preprocessor.rules

        Extracted: /tha_rules/VRT-policy-social.rules

        Extracted: /tha_rules/VRT-protocol-ftp.rules

        Extracted: /tha_rules/VRT-server-webapp.rules

        Extracted: /tha_rules/VRT-server-oracle.rules

        Extracted: /tha_rules/VRT-scada.rules

        Extracted: /tha_rules/VRT-other-ids.rules

        Extracted: /tha_rules/VRT-server-apache.rules

        Extracted: /tha_rules/VRT-sql.rules

        Extracted: /tha_rules/VRT-icmp.rules

        Extracted: /tha_rules/VRT-file-multimedia.rules

        Extracted: /tha_rules/VRT-pua-p2p.rules

        Extracted: /tha_rules/VRT-info.rules

        Extracted: /tha_rules/VRT-pua-other.rules

        Extracted: /tha_rules/VRT-server-mail.rules

        Extracted: /tha_rules/VRT-netbios.rules

        Extracted: /tha_rules/VRT-smtp.rules

        Extracted: /tha_rules/VRT-protocol-icmp.rules

        Extracted: /tha_rules/VRT-sensitive-data.rules

        Extracted: /tha_rules/VRT-indicator-shellcode.rules

        Extracted: /tha_rules/VRT-web-iis.rules

        Extracted: /tha_rules/VRT-protocol-finger.rules

        Extracted: /tha_rules/VRT-botnet-cnc.rules

        Extracted: /tha_rules/VRT-pua-toolbars.rules

        Extracted: /tha_rules/VRT-mysql.rules

        Extracted: /tha_rules/VRT-virus.rules

        Extracted: /tha_rules/VRT-protocol-imap.rules

        Extracted: /tha_rules/VRT-malware-cnc.rules

        Extracted: /tha_rules/VRT-web-misc.rules

        Extracted: /tha_rules/VRT-tftp.rules

        Extracted: /tha_rules/VRT-blacklist.rules

        Extracted: /tha_rules/VRT-shellcode.rules

        Extracted: /tha_rules/VRT-spyware-put.rules

        Extracted: /tha_rules/VRT-exploit.rules

        Extracted: /tha_rules/VRT-protocol-services.rules

        Extracted: /tha_rules/VRT-browser-ie.rules

        Extracted: /tha_rules/VRT-os-windows.rules

        Extracted: /tha_rules/VRT-ddos.rules

        Extracted: /tha_rules/VRT-attack-responses.rules

        Extracted: /tha_rules/VRT-browser-firefox.rules

        Extracted: /tha_rules/VRT-browser-chrome.rules

        Extracted: /tha_rules/VRT-telnet.rules

        Extracted: /tha_rules/VRT-browser-other.rules

        Extracted: /tha_rules/VRT-icmp-info.rules

        Extracted: /tha_rules/VRT-os-linux.rules

        Extracted: /tha_rules/VRT-indicator-obfuscation.rules

        Extracted: /tha_rules/VRT-policy-spam.rules

        Extracted: /tha_rules/VRT-malware-tools.rules

        Extracted: /tha_rules/VRT-x11.rules

        Extracted: /tha_rules/VRT-p2p.rules

        Extracted: /tha_rules/VRT-scan.rules

        Extracted: /tha_rules/VRT-ftp.rules

        Extracted: /tha_rules/VRT-malware-other.rules

        Extracted: /tha_rules/VRT-web-php.rules

        Extracted: /tha_rules/VRT-web-activex.rules

        Extracted: /tha_rules/VRT-decoder.rules

        Extracted: /tha_rules/VRT-web-frontpage.rules

        Extracted: /tha_rules/VRT-rservices.rules

        Extracted: /tha_rules/VRT-file-executable.rules

        Extracted: /tha_rules/VRT-file-other.rules

        Extracted: /tha_rules/VRT-backdoor.rules

        Extracted: /tha_rules/VRT-multimedia.rules

        Extracted: /tha_rules/VRT-web-client.rules

        Extracted: /tha_rules/VRT-exploit-kit.rules

        Extracted: /tha_rules/VRT-protocol-pop.rules

        Extracted: /tha_rules/VRT-browser-plugins.rules

        Extracted: /tha_rules/VRT-policy.rules

        Extracted: /tha_rules/VRT-web-attacks.rules

        Extracted: /tha_rules/VRT-imap.rules

        Extracted: /tha_rules/VRT-file-flash.rules

        Extracted: /tha_rules/VRT-nntp.rules

        Extracted: /tha_rules/VRT-dos.rules

        Extracted: /tha_rules/VRT-finger.rules

        Extracted: /tha_rules/VRT-phishing-spam.rules

No such file in archive: 'doc/signatures/rules/VRT-License.txt' at
d:\winids\pulledpork\pulledpork.pl line 293.

Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at
d:\winids\pulledpork\pulledpork.pl line 293.

        Extracted:
d:\winids\Apache24\htdocs\base\signatures\rules/VRT-License.txt

        Extracted: /tha_rules/VRT-server-mysql.rules

        Extracted: /tha_rules/VRT-oracle.rules

        Extracted: /tha_rules/VRT-server-iis.rules

        Extracted: /tha_rules/VRT-app-detect.rules

        Extracted: /tha_rules/VRT-policy-multimedia.rules

        Extracted: /tha_rules/VRT-pop2.rules

        Extracted: /tha_rules/VRT-bad-traffic.rules

        Extracted: /tha_rules/VRT-web-cgi.rules

Prepping rules from snortrules-snapshot-2940.tar.gz for work....

        extracting contents of
d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz...

        Ignoring plaintext rules: deleted.rules

        Ignoring plaintext rules: experimental.rules

        Ignoring plaintext rules: local.rules

        Extracted: /tha_rules/VRT-server-other.rules

        Extracted: /tha_rules/VRT-pua-adware.rules

        Extracted: /tha_rules/VRT-misc.rules

        Extracted: /tha_rules/VRT-malware-backdoor.rules

        Extracted: /tha_rules/VRT-indicator-compromise.rules

        Extracted: /tha_rules/VRT-file-pdf.rules

        Extracted: /tha_rules/VRT-content-replace.rules

        Extracted: /tha_rules/VRT-file-identify.rules

        Extracted: /tha_rules/VRT-browser-webkit.rules

        Extracted: /tha_rules/VRT-specific-threats.rules

        Extracted: /tha_rules/VRT-file-office.rules

        Extracted: /tha_rules/VRT-rpc.rules

        Extracted: /tha_rules/VRT-dns.rules

        Extracted: /tha_rules/VRT-os-other.rules

        Extracted: /tha_rules/VRT-snmp.rules

        Extracted: /tha_rules/VRT-policy-other.rules

        Extracted: /tha_rules/VRT-web-coldfusion.rules

        Extracted: /tha_rules/VRT-protocol-voip.rules

        Extracted: /tha_rules/VRT-file-image.rules

        Extracted: /tha_rules/VRT-chat.rules

        Extracted: /tha_rules/VRT-voip.rules

        Extracted: /tha_rules/VRT-os-solaris.rules

        Extracted: /tha_rules/VRT-server-mssql.rules

        Extracted: /tha_rules/VRT-pop3.rules

        Extracted: /tha_rules/VRT-preprocessor.rules

        Extracted: /tha_rules/VRT-policy-social.rules

        Extracted: /tha_rules/VRT-protocol-ftp.rules

        Extracted: /tha_rules/VRT-server-webapp.rules

        Extracted: /tha_rules/VRT-server-oracle.rules

        Extracted: /tha_rules/VRT-scada.rules

        Extracted: /tha_rules/VRT-other-ids.rules

        Extracted: /tha_rules/VRT-server-apache.rules

        Extracted: /tha_rules/VRT-sql.rules

        Extracted: /tha_rules/VRT-icmp.rules

        Extracted: /tha_rules/VRT-file-multimedia.rules

        Extracted: /tha_rules/VRT-pua-p2p.rules

        Extracted: /tha_rules/VRT-info.rules

        Extracted: /tha_rules/VRT-pua-other.rules

        Extracted: /tha_rules/VRT-server-mail.rules

        Extracted: /tha_rules/VRT-netbios.rules

        Extracted: /tha_rules/VRT-smtp.rules

        Extracted: /tha_rules/VRT-protocol-icmp.rules

        Extracted: /tha_rules/VRT-sensitive-data.rules

        Extracted: /tha_rules/VRT-indicator-shellcode.rules

        Extracted: /tha_rules/VRT-web-iis.rules

        Extracted: /tha_rules/VRT-protocol-finger.rules

        Extracted: /tha_rules/VRT-botnet-cnc.rules

        Extracted: /tha_rules/VRT-pua-toolbars.rules

        Extracted: /tha_rules/VRT-mysql.rules

        Extracted: /tha_rules/VRT-virus.rules

        Extracted: /tha_rules/VRT-protocol-imap.rules

        Extracted: /tha_rules/VRT-malware-cnc.rules

        Extracted: /tha_rules/VRT-web-misc.rules

        Extracted: /tha_rules/VRT-tftp.rules

        Extracted: /tha_rules/VRT-shellcode.rules

        Extracted: /tha_rules/VRT-blacklist.rules

        Extracted: /tha_rules/VRT-spyware-put.rules

        Extracted: /tha_rules/VRT-exploit.rules

        Extracted: /tha_rules/VRT-protocol-services.rules

        Extracted: /tha_rules/VRT-browser-ie.rules

        Extracted: /tha_rules/VRT-os-windows.rules

        Extracted: /tha_rules/VRT-ddos.rules

        Extracted: /tha_rules/VRT-attack-responses.rules

        Extracted: /tha_rules/VRT-browser-firefox.rules

        Extracted: /tha_rules/VRT-browser-chrome.rules

        Extracted: /tha_rules/VRT-telnet.rules

        Extracted: /tha_rules/VRT-browser-other.rules

        Extracted: /tha_rules/VRT-icmp-info.rules

        Extracted: /tha_rules/VRT-os-linux.rules

        Extracted: /tha_rules/VRT-indicator-obfuscation.rules

        Extracted: /tha_rules/VRT-policy-spam.rules

        Extracted: /tha_rules/VRT-malware-tools.rules

        Extracted: /tha_rules/VRT-x11.rules

        Extracted: /tha_rules/VRT-p2p.rules

        Extracted: /tha_rules/VRT-scan.rules

        Extracted: /tha_rules/VRT-ftp.rules

        Extracted: /tha_rules/VRT-malware-other.rules

        Extracted: /tha_rules/VRT-web-php.rules

        Extracted: /tha_rules/VRT-web-activex.rules

        Extracted: /tha_rules/VRT-decoder.rules

        Extracted: /tha_rules/VRT-web-frontpage.rules

        Extracted: /tha_rules/VRT-rservices.rules

        Extracted: /tha_rules/VRT-file-executable.rules

        Extracted: /tha_rules/VRT-file-other.rules

        Extracted: /tha_rules/VRT-backdoor.rules

        Extracted: /tha_rules/VRT-multimedia.rules

        Extracted: /tha_rules/VRT-web-client.rules

        Extracted: /tha_rules/VRT-exploit-kit.rules

        Extracted: /tha_rules/VRT-protocol-pop.rules

        Extracted: /tha_rules/VRT-browser-plugins.rules

        Extracted: /tha_rules/VRT-policy.rules

        Extracted: /tha_rules/VRT-web-attacks.rules

        Extracted: /tha_rules/VRT-imap.rules

        Extracted: /tha_rules/VRT-file-flash.rules

        Extracted: /tha_rules/VRT-nntp.rules

        Extracted: /tha_rules/VRT-dos.rules

        Extracted: /tha_rules/VRT-finger.rules

        Extracted: /tha_rules/VRT-phishing-spam.rules

No such file in archive: 'doc/signatures/rules/VRT-License.txt' at
d:\winids\pulledpork\pulledpork.pl line 293.

Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at
d:\winids\pulledpork\pulledpork.pl line 293.

        Extracted:
d:\winids\Apache24\htdocs\base\signatures\rules/VRT-License.txt

        Extracted: /tha_rules/VRT-server-mysql.rules

        Extracted: /tha_rules/VRT-oracle.rules

        Extracted: /tha_rules/VRT-server-iis.rules

        Extracted: /tha_rules/VRT-app-detect.rules

        Extracted: /tha_rules/VRT-policy-multimedia.rules

        Extracted: /tha_rules/VRT-pop2.rules

        Extracted: /tha_rules/VRT-bad-traffic.rules

        Extracted: /tha_rules/VRT-web-cgi.rules

Cleanup....

        removed 108 temporary snort files or directories from
d:\winids\pulledpork\temp/tha_rules!

Fly Piggy Fly!

 

Best regards,

Michael...

 


----------------------------------------------------------------------------
--
Free Next-Gen Firewall Hardware Offer
Buy your Sophos next-gen firewall before the end March 2013
and get the hardware for free! Learn more.
http://p.sf.net/sfu/sophos-d2d-feb
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net <mailto:Snort-users at lists.sourceforge.net>

Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!





 

-- 

Joel Esler

Senior Research Engineer, VRT

OpenSource Community Manager

Sourcefire

 

 





-- 
when does reality end? when does fantasy begin? 
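
Added example, not part of the thread and not PulledPork's own code: checking a tarball dropped into temp_path against the published MD5 before an offline (-n) run, then pulling out only the plaintext rule files. The `rules/` layout, the function names and the sample archive are constructed assumptions; the ignore list is the one from the config dump above.

```python
import hashlib
import io
import tarfile

# Ignore list copied from the pulledpork.conf dump in the thread.
IGNORE = ("deleted.rules", "experimental.rules", "local.rules")


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_tarball(data: bytes, expected_md5: str) -> bool:
    """True when the local tarball matches the digest from the .md5 file."""
    return md5_of(data) == expected_md5.strip().lower()


def wanted_members(tar: tarfile.TarFile, ignore):
    """Yield (filename, member) for regular files directly under rules/
    (assumed layout) ending in .rules, skipping ignored names, absolute
    paths and any '..' path component."""
    for member in tar.getmembers():
        name = member.name.replace("\\", "/")
        parts = name.split("/")
        if not member.isfile() or name.startswith("/") or ".." in parts:
            continue
        if len(parts) == 2 and parts[0] == "rules" and parts[1].endswith(".rules"):
            if parts[1] not in ignore:
                yield parts[1], member


def extract_rules(data: bytes, expected_md5: str, ignore=IGNORE) -> dict:
    """Return {filename: bytes} for the rule files; refuse unverified input."""
    if not verify_tarball(data, expected_md5):
        raise ValueError("MD5 mismatch: partial or stale tarball, not extracting")
    rules = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for filename, member in wanted_members(tar, set(ignore)):
            rules[filename] = tar.extractfile(member).read()
    return rules


def build_sample_tarball() -> bytes:
    """Constructed stand-in for a rules snapshot (not real VRT content)."""
    files = {
        "rules/local.rules": b"# ignored by config\n",
        "rules/dns.rules": b'alert udp any any -> any 53 (msg:"constructed"; sid:1000001;)\n',
        "rules/../../evil.rules": b"# traversal attempt, must be skipped\n",
        "doc/signatures/1.txt": b"rule documentation, not a rule\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    tarball = build_sample_tarball()
    published = md5_of(tarball)          # stands in for the fetched .md5 value
    print(sorted(extract_rules(tarball, published)))
    partial = tarball[: len(tarball) // 2]   # simulates a partial transfer
    print("partial verifies:", verify_tarball(partial, published))
```
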
