[Snort-users] Problem Updating Rules with PulledPork

Michael Steele michaels at ...9077...
Tue Sep 24 22:08:29 EDT 2013


Yes, don’t edit the actual rules file/s, as they won’t survive a rules update with PulledPork. Use the conf files located in the pulledpork\etc folder to manipulate the rules. They will survive a rule update.

 

Join the pulledpork user group.

 

Best regards,

Michael...

 

WINSNORT.com Management…

--

****************** Established ~ 2001 *******************

*          Visit Us @ http://www.winsnort.com           *

*      ~~ FREE WinIDS Snort installation guides ~~      *

*               ~~ FREE support forums ~~               *

* Snort: Open Source Network IDS - http://www.snort.org *

*********************************************************
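
[Added example, not part of the original message and not PulledPork's own code: a simplified Python model of why hand edits to a rules file are lost on update while a disable list kept in a separate conf file is reapplied each time. The entry syntax is modelled on the gid:sid form used in PulledPork's disablesid.conf; the rules and sids are constructed, and every update is assumed to start again from FRESH_RULES.]

```python
import re

# Constructed sample of a freshly downloaded rules file (sids are made up).
FRESH_RULES = """\
alert tcp any any -> any 80 (msg:"constructed rule A"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"constructed rule B"; sid:1000002; rev:3;)
alert udp any any -> any 53 (msg:"constructed rule C"; sid:1000003; rev:2;)
# alert tcp any any -> any 21 (msg:"constructed rule D"; sid:1000004; rev:1;)
"""

# Constructed disable list: gid:sid entries, a range, trailing comments.
DISABLE_LIST = """\
# rules not needed on this sensor
1:1000001            # noisy on our web tier
1:1000003-1:1000004  # range form
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def parse_disable_list(text):
    """Return (gid, sid) pairs from gid:sid entries and gid:sid-gid:sid ranges."""
    pairs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        for entry in filter(None, (e.strip() for e in line.split(","))):
            lo, _, hi = entry.partition("-")
            gid, first = (int(x) for x in lo.split(":"))
            last = int(hi.split(":")[1]) if hi else first
            pairs.update((gid, sid) for sid in range(first, last + 1))
    return pairs

def apply_disables(rules_text, disabled):
    """Comment out every active rule whose (gid, sid) is in the disable set."""
    out = []
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if sid and not line.lstrip().startswith("#"):
            gid = GID_RE.search(line)                 # text rules default to gid 1
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            if key in disabled:
                line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"

def active_sids(rules_text):
    """Return the sids of rules that are not commented out."""
    hits = ((l, SID_RE.search(l)) for l in rules_text.splitlines())
    return sorted(int(m.group(1)) for l, m in hits
                  if m and not l.lstrip().startswith("#"))
```

Running apply_disables(FRESH_RULES, parse_disable_list(DISABLE_LIST)) after every simulated update leaves only sid 1000002 active, whereas an update with an empty disable list brings all three shipped-enabled rules back.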

 

From: Benjamin Lincoln [mailto:BLincoln at ...15832...] 
Sent: Tuesday, September 24, 2013 7:42 PM
To: 'Michael Steele'
Subject: RE: [Snort-users] Problem Updating Rules with PulledPork

 

I got everything working now with your help. Thanks. I just had one more question: I am trying to disable some of the rules that I don’t need in the servers-other set. When I use pulled pork to update, it re-enables all the rules. Is there a way to set pulled pork to leave the rules disabled when updating?

 

Ben Lincoln

 

From: Michael Steele [mailto:michaels at ...9077...]
Sent: Thursday, September 19, 2013 9:03 AM
To: 'JJ Cummings'; Benjamin Lincoln
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] Problem Updating Rules with PulledPork

 

I use Strawberry Perl in all my Windows Intrusion Detection System (WinIDS) guided installs, and it appears Strawberry Perl adds and removes Perl distribution packages with every new release. The root cause of the OP’s problem is most likely a missing Perl distribution package, or an incompatible Perl distribution package.

 

There is NO list of required Perl distribution packages with minimum version numbers available for PulledPork. There are around 300 default Perl distribution packages installed for each release of Strawberry Perl. Perl distribution packages get removed, and Perl distribution packages get updated with each release of Strawberry Perl. As you can see, this will cause a problem if there is no list of required Perl distribution packages with minimum version numbers posted for PulledPork.

 

For all my Windows Intrusion Detection System (WinIDS) guided installs, Strawberry Perl version 5.14.2.1 (32 and 64bit) is installed fresh. The only other additional Perl distribution package required to make PulledPork work is the Perl syslog distribution package. If I use any newer version of Strawberry Perl on a fresh installation, PulledPork will fail. This is because the Strawberry Perl default Perl distribution packages for that version have changed.

 

The solution for out-of-the-box compatibility for Windows users is to use Strawberry Perl 5.14.2.1 along with installing the syslog distribution package. I don’t install PulledPork into the initial Windows Intrusion Detection System (WinIDS) guided install. However, there is a Windows Intrusion Detection System (WinIDS) guided install for adding PulledPork into an existing Windows Intrusion Detection System (WinIDS), which has all the links to the required files.

 

This is untested: It might be possible to use Strawberry Perl 5.14.2.1 for the initial install, and then update to the latest version. It would be a good idea to verify PulledPork is fully working under Strawberry Perl 5.14.2.1 before updating.

 

Hope this helps…

 

Best regards,

Michael...

 

WINSNORT.com Management…


 

From: Michael Steele [mailto:michaels at ...9077...] 
Sent: Wednesday, September 18, 2013 4:52 PM
To: 'JJ Cummings'; 'Benjamin Lincoln'
Cc: 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] Problem Updating Rules with PulledPork

 

You understand if you are not paying for rule updates that you can only download or try the download once every 15 minutes. Even if the rule update fails, you must wait 15 minutes.

 

Clear the assigned PulledPork temp folder and give it another try. You can also assign the PulledPork temp to the c:\windows\temp folder. Could be a permission problem? 

 

Best regards,

Michael...

 

WINSNORT.com Management…


 

From: JJ Cummings [mailto:cummingsj at ...11827...] 
Sent: Wednesday, September 18, 2013 1:14 PM
To: Benjamin Lincoln
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Problem Updating Rules with PulledPork

 

Something is causing the download to not complete correctly....

Sent from the iRoad


On Sep 18, 2013, at 10:46, Benjamin Lincoln <BLincoln at ...15832...> wrote:

Hello,

 

I am currently running Snort 2.9.5.5 and Pulled Pork 0.7.0 on Windows 2008R2. When using pulled pork to update the rules, it will just keep trying to download new rules over and over again. I see the rule file getting created in the tmp directory, and it will grow to 18 kb, but then shrink back down to 8 kb after pulled pork tries to grab the file again. Basically, it will just keep saying the MD5 doesn’t match and try to keep re-downloading the file. Any ideas on this?

 

 
