[Snort-users] Pulledpork doesn't disable some rules

C. L. Martinez carlopmart at ...11827...
Mon Apr 14 01:54:47 EDT 2014


On Fri, Apr 11, 2014 at 5:53 AM, C. L. Martinez <carlopmart at ...11827...> wrote:
> Hi all,
>
>  I have a strange problem with pulledpork 0.7.0. In my
> disablesid.conf file, I have configured only two rules that need to be
> disabled:
>
> # Disable alert "ET MALWARE Simbar Spyware User-Agent Detected"
> 1:2009005
>
> # Disable alert "ET POLICY Vulnerable Java Version 1.6.x Detected"
> 1:2011582
>
> For rule 2009005, pulledpork works as expected: it is disabled when
> pulledpork runs, but for rule 2011582 it doesn't work. It is always left
> enabled.
>
>  Running pulledpork from the command line, everything seems to work:
>
>  Use of uninitialized value $Snort_path in -B at
> /usr/local/bin/pulledpork.pl line 1630.
>
>     http://code.google.com/p/pulledpork/
>       _____ ____
>      `----,\    )
>       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
>   @_/        /  66\_  cummingsj at ...11827...
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Use of uninitialized value $Snort in pattern match (m//) at
> /usr/local/bin/pulledpork.pl line 1827.
> Use of uninitialized value $Snort in pattern match (m//) at
> /usr/local/bin/pulledpork.pl line 1831.
> Checking latest MD5 for emerging.rules.tar.gz....
> Rules tarball download of emerging.rules.tar.gz....
>         They Match
>         Done!
> Prepping rules from emerging.rules.tar.gz for work....
> Use of uninitialized value $ignore in split at
> /usr/local/bin/pulledpork.pl line 230.
>         Done!
> Reading rules...
> Reading rules...
> Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
>         Modified 2 rules
>         Done
> Setting Flowbit State....
>         Enabled 39 flowbits
>         Done
> Writing rules to unique destination files....
>         Writing rules to /data/config/etc/idpsuricata02/rules/
>         Done
> Generating sid-msg.map....
>         Done
> Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
>         Done
> Fly Piggy Fly!
>
> As you can see pulledpork reads my disablesid.conf and tries to
> disable both rules, but this never happens for rule 2011582.
>
> Any idea??
>
> Thanks.

Please, any idea about this??
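
A check that can be run after pulledpork finishes, added here as an example (it is not part of the original post or of pulledpork): it reads the `gid:sid` entries from disablesid.conf text and reports whether each rule is commented out in the written rules, along with any flowbits the rule sets, since the log above shows flowbit processing running after disablesid.conf is applied. The rule bodies and the flowbit name `example.bit` are constructed, and only the `gid:sid` entry form shown in the post is handled.

```python
import re

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
SETS_RE = re.compile(r"\bflowbits\s*:\s*(?:set|setx|toggle)\s*,\s*([^;]+);")
RULE_RE = re.compile(r"^\s*(#\s*)?(?:alert|drop|pass|reject|log)\s")

def parse_disablesid(text):
    """Collect (gid, sid) pairs from gid:sid entries, ignoring # comments."""
    pairs = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0]
        pairs.update((int(g), int(s)) for g, s in re.findall(r"\b(\d+):(\d+)\b", entry))
    return pairs

def rule_states(rules_text):
    """Map (gid, sid) -> (state, flowbits the rule sets) for each rule line."""
    states = {}
    for line in rules_text.splitlines():
        rule, sid = RULE_RE.match(line), SID_RE.search(line)
        if not (rule and sid):
            continue
        gid = GID_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        state = "disabled" if rule.group(1) else "enabled"  # leading '#' = disabled
        states[key] = (state, [b.strip() for b in SETS_RE.findall(line)])
    return states

def check_disabled(disablesid_text, rules_text):
    """Report the on-disk state of every rule listed in disablesid.conf."""
    states = rule_states(rules_text)
    wanted = sorted(parse_disablesid(disablesid_text))
    return {key: states.get(key, ("not found", [])) for key in wanted}

# Constructed sample input: the two SIDs from the post with placeholder rule bodies.
SAMPLE_DISABLESID = """\
# Disable alert "ET MALWARE Simbar Spyware User-Agent Detected"
1:2009005
# Disable alert "ET POLICY Vulnerable Java Version 1.6.x Detected"
1:2011582
"""
SAMPLE_RULES = """\
# alert tcp any any -> any any (msg:"constructed rule A"; sid:2009005; rev:1;)
alert tcp any any -> any any (msg:"constructed rule B"; flowbits:set,example.bit; sid:2011582; rev:1;)
"""

if __name__ == "__main__":
    for (gid, sid), (state, bits) in check_disabled(SAMPLE_DISABLESID, SAMPLE_RULES).items():
        print(f"{gid}:{sid} {state}" + (f" (sets flowbits: {', '.join(bits)})" if bits else ""))
```

To run it against a real deployment, pass the contents of disablesid.conf and of the rule files pulledpork wrote in place of the two sample strings.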



