[Snort-users] Pulled Pork Question

Y M snort at ...15979...
Thu Jul 11 14:43:38 EDT 2013


Yes, thank you, and I should read more. From pulledpork.conf file:

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information.  You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules

local_rules=/usr/local/etc/snort/rules/local.rules
________________________________
From: JJ Cummings<mailto:cummingsj at ...11827...>
Sent: 7/11/2013 9:33 PM
To: Y M<mailto:snort at ...15979...>
Cc: Starner, Mark<mailto:mark.starner at ...5850...>; snort-users at ...3054...forge.net<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] Pulled Pork Question

Specify like you would local.rules for any other custom rules file...

Sent from the iRoad

On Jul 11, 2013, at 12:26, Y M <snort at ...15979...> wrote:

> Sorry if I didn't make it clear. You still need to have the rules tarball stored at your /tmp directory since pulledpork will extract and massage the rules into the snort.rules file.
>
> PulledPork processes the individual rules files from the rules snapshot and will take into account the local rules file as configured in pulledpork.conf file and populate the sid-msg.map file. If you have the emerging threats tarball in /tmp directory, and enable the ET URL in pulledpork.conf file, PulledPork will also process these and populate the sid-msg.map. By this, now you have the VRT, ET, and local rules all being populated in sid-msg.map file, but all rules are in the snort.rules file (you still can keep individual rules files separate if you want using the -k option).
>
> As for company.rules, I have no knowledge of PulledPork being able to include custom/dynamic rules file other than the ones specified above.
>
> From: Starner, Mark
> Sent: 7/11/2013 9:09 PM
> To: Y M; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Pulled Pork Question
>
> Almost – I have 4 rules files
> snort.rules
> emerging-threats.rules
> company.rules – private rules used on all sensors
> local.rules – rules just for this sensor
>
> This lets me manage which rules are in use without having to regenerate one big file.
>
> So I don’t need the consolidated snort.rules, but I could throw that away I guess…. I will try it.
>
> I made a pulledpork.conf file:
> rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot-2946.tar.gz|8e6c29d606b91be14b8a29cc23157051deac3047
> #ignore=deleted.rules,experimental.rules,local.rules,sensitive-data
> temp_path=/tmp
> rule_path=/tmp/rules
> sid_msg=/tmp/sid-msg.map
> snort_path=/usr/bin/snort
> version=0.6.0
>
> (it seems to need rule_url even though I am not downloading anything)
>
> Then ran:
> pulledpork.pl -n -c ./pulledpork.conf
>
> And got: file /tmp//snortrules-snapshot-2946.tar.gz does not exist!
>
> So it is still looking for the Snapshot file…..
>
> I don’t see an option which allows me to specify a directory to read .rules files from…. What am I missing????
>
> Thanks
> Mark
>
>
>
> From: Y M [mailto:snort at ...15979...]
> Sent: Thursday, July 11, 2013 1:24 PM
> To: Starner, Mark; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Pulled Pork Question
>
> If you use -n with your PulledPork, it will not download the ruleset from the Snort website; instead it will process a local ruleset (default directory is /tmp). This will generate the sid-msg.map as well as the snort.rules file, given the configuration set up in your pulledpork.conf file. Is this what you are after?
>
> Sent from my Windows Phone
> From: Starner, Mark
> Sent: 7/11/2013 7:57 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Pulled Pork Question
>
> Is there a combination of options to Pulled Pork (running 0.6.1 right now)
> to only generate the sid-msg.map file?
> I.e., I give it a list of rules files, or a directory holding rules files, and
> all it does is generate the sid-msg.map file?
>
> My sid-msg.map file is different on each sensor I have, because each sensor
> may have local rules only on that sensor. So while I use PP to do everything
> else, I generate the sid-msg.map file on the sensor itself once I push the
> new rules to it.
>
> I have been using the old create_sidmap.pl file from oinkmaster (but it
> looks like it will be difficult to modify to support sid-msg.map v2).
>
> So I would like to use PP to do this, and upgrade to the newer version that
> supports v2 of the sid-msg.map file.
>
> Thanks
> Mark
>
>
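An added example, not code from this thread or from PulledPork itself: a small sensor-side Python script that does what Mark asked for, building only a v2 sid-msg.map from a set of rules files (snort.rules, company.rules, local.rules ...) without downloading or rebuilding anything. The inputs below are constructed (a local.rules excerpt plus two classification.config entries); the v2 row layout gid || sid || rev || classtype || priority || msg || refs, the fallback priority of 3, and the 'none' classtype placeholder are this script's own assumptions.

```python
import re
from pathlib import Path

# Constructed sample inputs (not files from the thread): two enabled rules, one
# disabled rule, and two classification.config entries.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SSH brute force"; \
    flow:to_server; classtype:attempted-admin; sid:1000001; rev:2;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL scanner user-agent"; content:"scanner"; priority:3; \
    reference:url,example.invalid/ua; reference:url,example.invalid/notes; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"LOCAL disabled"; sid:1000003; rev:1;)
'''
SAMPLE_CLASSIFICATION = '''config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: web-application-activity,Access to a potentially vulnerable web application,2
'''
MSG = re.compile(r'(?<![\w-])msg\s*:\s*"([^"]*)"\s*;')
REF = re.compile(r'(?<![\w-])reference\s*:\s*([^;\s]+)\s*;')
OPT = {k: re.compile(rf'(?<![\w-]){k}\s*:\s*([^;\s]+)\s*;') for k in ('sid', 'gid', 'rev', 'classtype', 'priority')}

def parse_classification(text):
    # classtype -> priority from 'config classification: name,description,priority' lines
    return {m.group(1).strip(): int(m.group(2)) for m in
            re.finditer(r'^config classification:\s*([^,]+),[^,]*,(\d+)', text, re.M)}

def sid_msg_rows(rule_text, class_prio):
    """One v2 row per enabled rule: gid || sid || rev || classtype || priority || msg || ref ..."""
    rows = []
    for line in rule_text.replace('\\\n', ' ').splitlines():  # join backslash-continued lines
        line = line.strip()
        if not line or line.startswith('#'):                 # disabled rules are not mapped
            continue
        o = {k: (m.group(1) if (m := rx.search(line)) else None) for k, rx in OPT.items()}
        msg = MSG.search(line)
        if not (msg and o['sid']):                           # a mappable rule needs msg and sid
            continue
        classtype = o['classtype'] or 'none'                 # 'none' is this script's placeholder
        priority = int(o['priority'] or class_prio.get(classtype, 3))  # explicit, else classtype, else 3 (assumed)
        fields = [o['gid'] or '1', o['sid'], o['rev'] or '1', classtype, str(priority), msg.group(1)]
        rows.append(' || '.join(fields + REF.findall(line)))
    return rows

def build_sid_msg_map(rule_texts, class_text):
    """Merge rows from several rules files under the '#v2' header, sorted by (gid, sid)."""
    prio = parse_classification(class_text)
    rows = [r for t in rule_texts for r in sid_msg_rows(t, prio)]
    rows.sort(key=lambda r: tuple(int(x) for x in r.split(' || ')[:2]))
    return '#v2\n' + ''.join(r + '\n' for r in rows)

def write_sid_msg_map(rules_dir, class_file, out_file):
    """Sensor-side use: map every *.rules in rules_dir (snort.rules, company.rules, local.rules ...)."""
    texts = [p.read_text() for p in sorted(Path(rules_dir).glob('*.rules'))]
    Path(out_file).write_text(build_sid_msg_map(texts, Path(class_file).read_text()))
```

Running `build_sid_msg_map([SAMPLE_RULES], SAMPLE_CLASSIFICATION)` yields the `#v2` header followed by one row per enabled rule; `write_sid_msg_map('/path/to/rules', '/path/to/classification.config', '/path/to/sid-msg.map')` does the same for a whole rules directory.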