[Snort-users] Pulledpork not generating merged rules file on Windows

William Rehnquyst rehnquyst at ...11827...
Wed Jul 31 10:13:05 EDT 2013


Update to my previous entry (in a separate email to make it a lot less
confusing):

So the day after the last entry, I decided to try the update again, this time
without the -n runtime, even though it had gotten a 403 error every time (and
I always waited longer than 15 min). This time it successfully fetched the rule
files, processed everything, and actually created a merged rules file
(took around 30 minutes, which is normal).

So why didn't the -n runtime work and create merged rules, even when I
fetched the right files with the right md5 and placed them in the temp folder?
Does it not work, or do I just not understand how -n works?


On Wed, Jul 31, 2013 at 10:10 AM, William Rehnquyst <rehnquyst at ...11827...> wrote:

> Sorry, I think I replied much earlier with the wrong email account, and
> hence it didn't actually make it to the mailing list? (at least it's not
> showing in http://seclists.org/snort/2013/q3/index.html )
>
> Anyway, I will repost:
>
> I can't see it being a permissions issue, since I have admin privileges
> and the program is run under admin. Not only that, I imagine a permissions
> issue would have prevented pulledpork from creating the "tha_rules" folder under
> the temp folder and from extracting the rules there.
>
> As I mentioned, my server seems to be having a problem downloading the
> actual files (but not the checksum), so I downloaded them manually, from
> the address that the console shows it attempting to download from
> (somewhere on snort.org). Then I placed them into the temp folder, where
> it's trying to download to. I then checked their checksum, and then ran
> pulledpork with the offline modifier "-n". I can see as it happens
> that pulledpork creates a "tha_rules" folder in the temp folder (and a
> bunch of rules inside it), but it doesn't create a merged rules file in the
> snort\rules folder.
>
> Perhaps I've misunderstood how -n runtime is supposed to work?
>
>
> On Mon, Jul 22, 2013 at 9:26 PM, Michael Steele <michaels at ...9077...> wrote:
>
>> I finally got around to updating the online guided install for the latest
>> PulledPork 0.7.0, and tested. The configuration he is using works fine
>> here. The only difference is: I'm using drive 'D:' and he is using drive 'C:'.
>> It has something to do with his folder permissions, proxy, or ????
>>
>> Try changing the temp folder location to c:\windows\temp
>>
>> Are you absolutely SURE the rules tarball has actually been downloaded to
>> the temp folder?
>>
>> If you are trying multiple PP runs for testing, make SURE you clean the
>> temp folder before each run.
>>
>> Just for clarification: in between rule updates, will PP process the
>> *.msg.map files, even if PP doesn't need to process any new rules
>> tarballs?
>>
>> Best regards,
>> Michael...
>>
>> WINSNORT.com Management…
>> --
>> ****************** Established ~ 2001 *******************
>> *          Visit Us @ http://www.winsnort.com           *
>> *      ~~ FREE WinIDS Snort installation guides ~~      *
>> *               ~~ FREE support forums ~~               *
>> * Snort: Open Source Network IDS - http://www.snort.org *
>> *********************************************************
>>
>> -----Original Message-----
>> From: waldo kitty [mailto:wkitty42 at ...14940...]
>> Sent: Monday, July 22, 2013 3:56 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Pulledpork not generating merged rules file on
>> Windows
>>
>> On 7/22/2013 15:34, William Rehnquyst wrote:
>> [trim]
>> > Config File Variable Debug c:\winids\pulledpork\etc\pulledpork.conf
>> > local_rules = c:\winids\snort\rules\local.rules
>> > dropsid = c:\winids\pulledpork\etc\dropsid.conf
>> > sid_msg_version = 1
>> > enablesid = c:\winids\pulledpork\etc\enablesid.conf
>> > ignore = deleted.rules,experimental.rules,local.rules
>> > modifysid = c:\winids\pulledpork\etc\modifysid.conf
>> > docs = c:\winids\inetpub\wwwroot\base\signatures\
>> > config_path = c:\winids\snort\etc\snort.conf
>> > disablesid = c:\winids\pulledpork\etc\disablesid.conf
>> > sorule_path = /usr/local/lib/snort_dynamicrules/
>> > sid_msg = c:\winids\snort\etc\sid-msg.map
>> > sid_changelog = c:\winids\snort\log\sid_changes.log
>> > snort_version = 2.9.4.6
>> > version = 0.7.0
>> > temp_path = c:\winids\pulledpork\temp
>> > rule_url = ARRAY(0x2808a5c)
>> > ips_policy = security
>> > rule_path = c:\winids\snort\rules\winids.rules
>> > distro = FreeBSD-8.1
>>
>> you are on windows but this says differently... perhaps it is the cause?
>> PP may be looking for something from that OS that doesn't exist or is named
>> differently in winwhatever ;)
>>
>> > snort_path = c:\winids\snort\bin\snort.exe
>> > MISC (CLI and Autovar) Variable Debug:
>> > Config Path is: c:\winids\pulledpork\etc\pulledpork.conf
>> > Distro Def is: FreeBSD-8.1
>>
>> and here it shows again...
>>
>> > Docs Reference Location is: c:\winids\inetpub\wwwroot\base\signatures\
>> > security policy specified
>> > local.rules path is: c:\winids\snort\rules\local.rules
>> > No Download Flag is Set
>> > Rules file is: c:\winids\snort\rules\winids.rules
>> > Path to disablesid file: c:\winids\pulledpork\etc\disablesid.conf
>> > Path to dropsid file: c:\winids\pulledpork\etc\dropsid.conf
>> > Path to enablesid file: c:\winids\pulledpork\etc\enablesid.conf
>> > Path to modifysid file: c:\winids\pulledpork\etc\modifysid.conf
>> [chomp]
>>
>>
>>
>> --
>> NOTE: No off-list assistance is given without prior approval.
>>        Please keep mailing list traffic on the list unless
>>        private contact is specifically requested and granted.
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort
>> news!
>
>
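A pre-flight check for the -n workflow discussed above, added here as an example; it is not code from the thread, from PulledPork or from WINSNORT. It assumes the temp_path from the posted pulledpork.conf (c:\winids\pulledpork\temp), a tarball name such as snortrules-snapshot-2946.tar.gz (assumed), and that the .md5 file carries the digest as a 32-character hex string on its first line (a tolerant assumption; the thread does not show the file's format). It confirms that the tarball a no-download run will look for is present and matches its .md5, and lists leftovers such as tha_rules that Michael asks to clear before each test run, so the download step can be ruled out before looking at the merge step.

```python
r"""Pre-flight check before a PulledPork -n (no-download) run on Windows.

Added example, not part of the thread or of PulledPork itself. Assumes:
  - temp_path as in the posted pulledpork.conf: c:\winids\pulledpork\temp
  - the rules tarball and its .md5 file were fetched by hand into temp_path
  - the .md5 file contains the digest as a 32-hex-character token
    (tolerant assumption, not a documented format)
"""
import hashlib
import os
import re
import shutil
import tempfile

# Any 32-hex token on its own word boundary; tolerant of "MD5(name)= hash"
# style wrappers as well as a bare hash.
HEX32 = re.compile(r"\b([0-9a-fA-F]{32})\b")


def parse_md5_file(text):
    """Return the 32-hex digest found in a .md5 file's text, or None."""
    m = HEX32.search(text)
    return m.group(1).lower() if m else None


def md5_of_file(path):
    """Stream the file through MD5 so large tarballs are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(temp_path, tarball_name):
    """Check that <tarball> and <tarball>.md5 are both present and agree.

    Returns (ok, reason). With -n PulledPork skips the download and expects
    the tarball to already be in temp_path; a missing or mismatched file is
    the first thing to rule out before blaming the merge step.
    """
    tarball = os.path.join(temp_path, tarball_name)
    md5file = tarball + ".md5"
    if not os.path.isfile(tarball):
        return False, "tarball missing: %s" % tarball
    if not os.path.isfile(md5file):
        return False, "md5 file missing: %s" % md5file
    with open(md5file) as f:
        expected = parse_md5_file(f.read())
    if expected is None:
        return False, "no 32-hex digest found in %s" % md5file
    actual = md5_of_file(tarball)
    if actual != expected:
        return False, "md5 mismatch: expected %s got %s" % (expected, actual)
    return True, "ok"


def stale_files(temp_path, keep):
    """List leftovers from earlier runs (clean temp before each test run).

    `keep` is the set of names that belong to this run; anything else,
    including an extracted 'tha_rules' folder, is reported as stale.
    """
    return sorted(n for n in os.listdir(temp_path) if n not in keep)


def demo():
    """Build a constructed temp folder and run both checks against it."""
    temp_path = tempfile.mkdtemp()  # stands in for c:\winids\pulledpork\temp
    try:
        name = "snortrules-snapshot-2946.tar.gz"  # assumed name; data is constructed
        data = b"not a real tarball, constructed for the example"
        with open(os.path.join(temp_path, name), "wb") as f:
            f.write(data)
        good = hashlib.md5(data).hexdigest()
        with open(os.path.join(temp_path, name + ".md5"), "w") as f:
            f.write("MD5(%s)= %s\n" % (name, good))
        # Simulate a leftover extraction folder from a previous run.
        os.mkdir(os.path.join(temp_path, "tha_rules"))

        ok, _ = verify_tarball(temp_path, name)
        stale = stale_files(temp_path, {name, name + ".md5"})

        # Corrupt the .md5 file to exercise the mismatch path.
        with open(os.path.join(temp_path, name + ".md5"), "w") as f:
            f.write("MD5(%s)= %s\n" % (name, "0" * 32))
        bad_ok, bad_reason = verify_tarball(temp_path, name)
        return ok, stale, bad_ok, bad_reason
    finally:
        shutil.rmtree(temp_path)


if __name__ == "__main__":
    print(demo())
```

Point verify_tarball and stale_files at the real temp_path and tarball name before running pulledpork.pl -n; a clean "ok" with an empty stale list means the -n run starts from exactly the files that a successful online run would have left behind.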