[Snort-users] Pulled Pork Question

Starner, Mark mark.starner at ...5850...
Thu Jul 11 14:09:05 EDT 2013

Almost – I have 4 rules files:

company.rules – private rules used on all sensors

local.rules – rules just for this sensor

This lets me manage which rules are in use without having to regenerate one big file.


So I don’t need the consolidated snort.rules, but I could throw that away I guess…. I will try it.


I made a pulledpork.conf file:
(it seems to need rule_url even though I am not downloading anything)


Then ran: 

pulledpork.pl -n -c ./pulledpork.conf


And got: file /tmp//snortrules-snapshot-2946.tar.gz does not exist!


So it is still looking for the Snapshot file….. 


I don’t see an option which allows me to specify a directory to read .rules files from…. What am I missing????
From: Y M [mailto:snort at ...15979...] 
Sent: Thursday, July 11, 2013 1:24 PM
To: Starner, Mark; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Pulled Pork Question


If you use -n with your PulledPork, it will not download the ruleset from Snort website, instead it will process a local ruleset (default directory is /tmp). This will generate the sid-msg.map as well as the snort.rules file, given the configurations setup in your pulledpork.conf file. Is this what you are after?

Sent from my Windows Phone


From: Starner, Mark <mailto:mark.starner at ...5850...> 
Sent: ‎7/‎11/‎2013 7:57 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Pulled Pork Question

Is there a combination of options to Pulled Pork (running 0.6.1 right now)
to only generate the sid-msg.map file?
I.e. I give it a list of rules files, or a directory holding rules files and
all it does is generate the sid-msg.map file?

My sid-msg.map file is different on each sensor I have, because each sensor
may have local rules only on that sensor. So while I use PP to do everything
else, I generate the sid-msg.map file on the sensor itself once I push the
new rules to it.

I have been using the old create_sidmap.pl file from oinkmaster (but it
looks like it will be difficult to modify to support sid-msg.map v2).

So I would like to use PP to do this, and upgrade to the newer version that
supports v2 of the sid-msg.map file.
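The job the original question asks for, generating a sid-msg.map in the v2 layout from a directory of local .rules files without any snapshot download, as an added example that is neither PulledPork's code nor the poster's. It assumes the v2 layout `gid || sid || rev || classification || priority || msg || ref...` with a `#v2` header, takes priority only from an explicit `priority:` keyword (PulledPork also derives it from classification.config), and uses constructed sample rules; commented-out (disabled) rules are skipped.

```python
import re
from pathlib import Path

# Match an active rule line and capture the option body between the outer parentheses.
RULE_RE = re.compile(r'^\s*(?:alert|log|pass|drop|reject|sdrop)\s[^(]*\((?P<body>.*)\)\s*$')
# Match key:value; options, keeping quoted values (which may contain ';') intact.
OPT_RE = re.compile(r'(?P<key>\w+)\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(line):
    """Return the option fields a sid-msg.map v2 entry needs, or None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = {"gid": "1", "rev": "1", "classtype": "", "priority": "", "reference": []}
    for o in OPT_RE.finditer(m.group("body")):
        key, val = o.group("key"), o.group("val").strip().strip('"')
        if key == "reference":
            opts["reference"].append(val)  # a rule may carry several references
        else:
            opts[key] = val
    if "sid" not in opts or "msg" not in opts:
        return None
    return opts


def sidmap_v2_line(opts):
    """v2 layout (assumed): gid || sid || rev || classification || priority || msg || ref ..."""
    fields = [opts["gid"], opts["sid"], opts["rev"], opts["classtype"], opts["priority"], opts["msg"]]
    return " || ".join(fields + opts["reference"])


def build_sidmap(rule_texts):
    """Build the sid-msg.map v2 text from an iterable of rules-file contents, sorted by gid/sid."""
    entries = {}
    for text in rule_texts:
        for line in text.splitlines():
            opts = parse_rule(line)
            if opts:
                entries[(int(opts["gid"]), int(opts["sid"]))] = sidmap_v2_line(opts)
    return "#v2\n" + "\n".join(entries[k] for k in sorted(entries)) + "\n"


def build_sidmap_from_dir(directory):
    """Read every *.rules file in a directory (e.g. company.rules, local.rules) on the sensor itself."""
    return build_sidmap(p.read_text() for p in sorted(Path(directory).glob("*.rules")))


# Constructed sample rules standing in for a sensor's local.rules and company.rules.
SAMPLE_RULES = """# alert tcp any any -> any 80 (msg:"DISABLED rule is skipped"; sid:1000000; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL test sensor rule"; flow:to_server; content:"evil"; classtype:trojan-activity; priority:1; reference:url,example.test/a; sid:1000001; rev:2;)
alert udp any any -> any 53 (msg:"COMPANY dns check"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    print(build_sidmap([SAMPLE_RULES]), end="")
```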

