[Snort-users] Pulledpork not generating merged rules file on Windows

William Dou liam.dou at ...11827...
Wed Jul 24 12:29:45 EDT 2013


I can't see it being a permissions issue, since I have admin privileges and
the program is run under admin. Not only that, I imagine a permissions issue
would have prevented pulledpork from creating the "tha_rules" folder under the temp
folder and also from extracting the rules there.

As I mentioned, my server seems to be having a problem downloading the actual
files (but not the checksum), so I downloaded them manually, from the
address that the console shows it is attempting to download from (somewhere
on snort.org). Then I placed them into the temp folder, where it's trying to
download to. I then checked their checksum, and then ran pulledpork with the
offline modifier "-n". I can see as it happens that pulledpork creates a
"tha_rules" folder in the temp folder (and a bunch of rules inside it),
but it doesn't create a merged rules file in the snort\rules folder.

Perhaps I've misunderstood how -n runtime is supposed to work?

ps. Please don't spend your time taking any action on this on my behalf
currently (aside from maybe pointing out if I've misunderstood -n runtime).
I wrote this reply yesterday but didn't get around to proofreading and
sending it out. I *may* have a positive update coming later today.
pps. And thanks to Michael for all the work and help you've put into this.


On Mon, Jul 22, 2013 at 9:26 PM, Michael Steele <michaels at ...9077...> wrote:

> I finally got around to updating the online guided install for the latest
> PulledPork 0.7.0, and tested. The configuration he is using works fine
> here.
> The only difference is; I'm using drive 'D:' and he is using drive 'C:'. It
> has something to do with his folder permissions, proxy, or ????
>
> Try changing the temp folder location to c:\windows\temp
>
> Are you absolutely SURE the rules tarball has actually been downloaded to
> the temp folder?
>
> If you are trying multiple PP runs for testing, make SURE you clean the
> temp folder before each run.
>
> Just for clarification; In-between rule updates, will PP process the
> *.msg.map files, even if PP doesn't need to process any new rules tarballs?
>
> Best regards,
> Michael...
>
> WINSNORT.com Management…
> --
> ****************** Established ~ 2001 *******************
> *          Visit Us @ http://www.winsnort.com           *
> *      ~~ FREE WinIDS Snort installation guides ~~      *
> *               ~~ FREE support forums ~~               *
> * Snort: Open Source Network IDS - http://www.snort.org *
> *********************************************************
>
> -----Original Message-----
> From: waldo kitty [mailto:wkitty42 at ...14940...]
> Sent: Monday, July 22, 2013 3:56 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Pulledpork not generating merged rules file on
> Windows
>
> On 7/22/2013 15:34, William Rehnquyst wrote:
> [trim]
> > Config File Variable Debug c:\winids\pulledpork\etc\pulledpork.conf
> > local_rules = c:\winids\snort\rules\local.rules dropsid =
> > c:\winids\pulledpork\etc\dropsid.conf
> > sid_msg_version = 1
> > enablesid = c:\winids\pulledpork\etc\enablesid.conf
> > ignore = deleted.rules,experimental.rules,local.rules
> > modifysid = c:\winids\pulledpork\etc\modifysid.conf
> > docs = c:\winids\inetpub\wwwroot\base\signatures\
> > config_path = c:\winids\snort\etc\snort.conf disablesid =
> > c:\winids\pulledpork\etc\disablesid.conf
> > sorule_path = /usr/local/lib/snort_dynamicrules/
> > sid_msg = c:\winids\snort\etc\sid-msg.map sid_changelog =
> > c:\winids\snort\log\sid_changes.log
> > snort_version = 2.9.4.6
> > version = 0.7.0
> > temp_path = c:\winids\pulledpork\temp
> > rule_url = ARRAY(0x2808a5c)
> > ips_policy = security
> > rule_path = c:\winids\snort\rules\winids.rules
> > distro = FreeBSD-8.1
>
> you are on windows but this says differently... perhaps it is the cause? PP
> may be looking for something from that OS that doesn't exist or is named
> differently in winwhatever ;)
>
> > snort_path = c:\winids\snort\bin\snort.exe MISC (CLI and Autovar)
> > Variable Debug:
> > Config Path is: c:\winids\pulledpork\etc\pulledpork.conf
> > Distro Def is: FreeBSD-8.1
>
> and here it shows again...
>
> > Docs Reference Location is: c:\winids\inetpub\wwwroot\base\signatures\
> > security policy specified
> > local.rules path is: c:\winids\snort\rules\local.rules No Download
> > Flag is Set Rules file is: c:\winids\snort\rules\winids.rules
> > Path to disablesid file: c:\winids\pulledpork\etc\disablesid.conf
> > Path to dropsid file: c:\winids\pulledpork\etc\dropsid.conf
> > Path to enablesid file: c:\winids\pulledpork\etc\enablesid.conf
> > Path to modifysid file: c:\winids\pulledpork\etc\modifysid.conf
> [chomp]
>
>
>
> --
> NOTE: No off-list assistance is given without prior approval.
>        Please keep mailing list traffic on the list unless
>        private contact is specifically requested and granted.
>
>
> ----------------------------------------------------------------------------
> --
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
>
>
>
>