[Snort-users] Pulledpork not generating merged rules file on Windows

William Rehnquyst rehnquyst at ...11827...
Mon Jul 22 15:34:21 EDT 2013


Hi,

I'm trying to set up pulledpork on Windows. I have the 0.7 version of
pulledpork with one line in pulledpork.pl modified to make it work on
Windows. I seem to have the config set up correctly. Since my server seems
to have trouble retrieving the files, I downloaded them from my browser and
then placed them into pulledpork's temp folder for pulledpork to process later,
and then ran pulledpork with the offline -n modifier.

Everything seems to work fine, pulledpork extracts temporary rule files
just fine (I even confirmed that it's happening by looking in Explorer),
but it just stops short of creating the merged rules file. It extracts and
then just deletes.

I've set this up successfully on linux before, but this time I'm limited to
Windows.

Below is my pulledpork output with -vv modifier, any ideas welcome:


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug c:\winids\pulledpork\etc\pulledpork.conf
local_rules = c:\winids\snort\rules\local.rules
dropsid = c:\winids\pulledpork\etc\dropsid.conf
sid_msg_version = 1
enablesid = c:\winids\pulledpork\etc\enablesid.conf
ignore = deleted.rules,experimental.rules,local.rules
modifysid = c:\winids\pulledpork\etc\modifysid.conf
docs = c:\winids\inetpub\wwwroot\base\signatures\
config_path = c:\winids\snort\etc\snort.conf
disablesid = c:\winids\pulledpork\etc\disablesid.conf
sorule_path = /usr/local/lib/snort_dynamicrules/
sid_msg = c:\winids\snort\etc\sid-msg.map
sid_changelog = c:\winids\snort\log\sid_changes.log
snort_version = 2.9.4.6
version = 0.7.0
temp_path = c:\winids\pulledpork\temp
rule_url = ARRAY(0x2808a5c)
ips_policy = security
rule_path = c:\winids\snort\rules\winids.rules
distro = FreeBSD-8.1
snort_path = c:\winids\snort\bin\snort.exe
MISC (CLI and Autovar) Variable Debug:
Config Path is: c:\winids\pulledpork\etc\pulledpork.conf
Distro Def is: FreeBSD-8.1
Docs Reference Location is: c:\winids\inetpub\wwwroot\base\signatures\
security policy specified
local.rules path is: c:\winids\snort\rules\local.rules
No Download Flag is Set
Rules file is: c:\winids\snort\rules\winids.rules
Path to disablesid file: c:\winids\pulledpork\etc\disablesid.conf
Path to dropsid file: c:\winids\pulledpork\etc\dropsid.conf
Path to enablesid file: c:\winids\pulledpork\etc\enablesid.conf
Path to modifysid file: c:\winids\pulledpork\etc\modifysid.conf
sid changes will be logged to: c:\winids\snort\log\sid_changes.log
sid-msg.map Output Path is: c:\winids\snort\etc\sid-msg.map
Snort Version is: 2.9.4.6
Snort Config File: c:\winids\snort\etc\snort.conf
Snort Path is: c:\winids\snort\bin\snort.exe
Text Rules only Flag is Set
Verbose Flag is Set
Base URL is:
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|redacted
https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
https://www.snort.org/reg-rules/|opensource.gz|redacted
Prepping rules from snortrules-snapshot-2946.tar.gz for work....
extracting contents of
c:\winids\pulledpork\temp/snortrules-snapshot-2946.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Extracted: /tha_rules/VRT-web-misc.rules
Extracted: /tha_rules/VRT-indicator-compromise.rules
#snipped extracted xyz message#
Extracted: /tha_rules/VRT-web-cgi.rules
Extracted: /tha_rules/VRT-policy-spam.rules
Prepping rules from community-rules.tar.gz for work....
extracting contents of c:\winids\pulledpork\temp/community-rules.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Extracted: /tha_rules/Snort-Community-community.rules
Prepping rules from snortrules-snapshot-2946.tar.gz for work....
extracting contents of
c:\winids\pulledpork\temp/snortrules-snapshot-2946.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Extracted: /tha_rules/VRT-finger.rules
Extracted: /tha_rules/VRT-bad-traffic.rules
#snipped extracted xyz message#
Extracted: /tha_rules/VRT-os-mobile.rules
Extracted: /tha_rules/VRT-specific-threats.rules
Cleanup....
removed 120 temporary snort files or directories from
c:\winids\pulledpork\temp/tha_rules!
Fly Piggy Fly!
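One way to check a pulledpork.conf for the kind of Windows path mismatches visible in the variable dump above, as an added diagnostic that is not part of pulledpork or of the original post: it parses the `key=value` file, flags POSIX-style or mixed-separator values (the `sorule_path = /usr/local/lib/snort_dynamicrules/` line is one), and verifies that the directories pulledpork must write the merged rules file, sid-msg.map and changelog into actually exist. Which keys hold paths and which are outputs is an assumption drawn from the debug output, the sample config is constructed from the post's values, and a missing output directory is only one hypothesis for a merge step that silently produces nothing.

```python
"""Lint a pulledpork.conf for Windows path problems (added diagnostic, not pulledpork code)."""
import ntpath
import os
import re
from typing import Callable, Dict, List

# Keys pulledpork treats as filesystem paths (assumption, taken from the
# "Config File Variable Debug" block in the post above).
PATH_KEYS = (
    "local_rules", "dropsid", "enablesid", "modifysid", "disablesid",
    "docs", "config_path", "sorule_path", "sid_msg", "sid_changelog",
    "temp_path", "rule_path", "snort_path",
)
# Outputs pulledpork writes; their parent directory must exist beforehand (assumption).
OUTPUT_KEYS = ("rule_path", "sid_msg", "sid_changelog", "docs")

WIN_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")

# Constructed sample, using the values shown in the post's variable dump.
SAMPLE_CONF = r"""
# pulledpork.conf (constructed for this example)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode-placeholder>
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
rule_path=c:\winids\snort\rules\winids.rules
local_rules=c:\winids\snort\rules\local.rules
sid_msg=c:\winids\snort\etc\sid-msg.map
sid_changelog=c:\winids\snort\log\sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
temp_path=c:\winids\pulledpork\temp
snort_path=c:\winids\snort\bin\snort.exe
"""


def parse_pulledpork_conf(text: str) -> Dict[str, List[str]]:
    """Parse 'key=value' lines; blank and '#' lines are skipped.
    A repeated key (rule_url) accumulates into a list, which is why the
    Perl debug dump prints that key as an array reference, ARRAY(0x...)."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf.setdefault(key, []).append(value)
    return conf


def check_windows_paths(conf: Dict[str, List[str]],
                        isdir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious.
    'isdir' is injectable so the check can run on a box that is not the sensor."""
    findings: List[str] = []
    for key in PATH_KEYS:
        for value in conf.get(key, []):
            if value.startswith("/"):
                findings.append(f"{key}: POSIX path {value!r} on a Windows install")
            elif "/" in value and "\\" in value:
                findings.append(f"{key}: mixed path separators in {value!r}")
            elif not WIN_DRIVE.match(value):
                findings.append(f"{key}: {value!r} is not an absolute Windows path")
    for key in OUTPUT_KEYS:
        for value in conf.get(key, []):
            # ntpath splits on backslashes even when this script runs on Linux.
            parent = ntpath.dirname(value)
            if parent and not isdir(parent):
                findings.append(f"{key}: output directory {parent!r} does not exist")
    return findings


if __name__ == "__main__":
    for finding in check_windows_paths(parse_pulledpork_conf(SAMPLE_CONF)):
        print(finding)
```

Run it on the sensor itself (or pass an `isdir` that reflects the sensor's filesystem) so the directory check is meaningful; a `sorule_path` finding is harmless when only text rules are pulled, as the `Text Rules only Flag is Set` line indicates here, but a missing `rule_path` directory is the first thing to rule out when extraction succeeds and the merged file never appears.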