[Snort-users] Pulledpork doesn't disable some rules

Y M snort at ...15979...
Mon Apr 14 02:22:43 EDT 2014


This is probably because of the existence of a flowbit in the rule. You disable it; however, PulledPork checks/verifies flowbits and will re-enable rules based on that. Can you run your PulledPork command with -v to output in verbose mode? If there is a flowbit conflict with your rule disablement, it will show up in the PulledPork output.
 
YM
 
> Date: Mon, 14 Apr 2014 05:54:47 +0000
> From: carlopmart at ...11827...
> To: pulledpork-users at ...14071...; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Pulledpork doesn't disable some rules
> 
> On Fri, Apr 11, 2014 at 5:53 AM, C. L. Martinez <carlopmart at ...11827...> wrote:
> > Hi all,
> >
> >  I have a strange problem with pulledpork 0.7.0. Under my
> > disablesid.conf file, I have configured only two rules that need to be
> > disabled:
> >
> > # Disable alert "ET MALWARE Simbar Spyware User-Agent Detected"
> > 1:2009005
> >
> > # Disable alert "ET POLICY Vulnerable Java Version 1.6.x Detected"
> > 1:2011582
> >
> > For rule 2009005, pulledpork works as expected: it is disabled when
> > pulledpork runs, but for rule 2011582 it doesn't work. It is always left
> > enabled.
> >
> >  Running pulledpork from the command line, it seems everything works:
> >
> >  Use of uninitialized value $Snort_path in -B at
> > /usr/local/bin/pulledpork.pl line 1630.
> >
> >     http://code.google.com/p/pulledpork/
> >       _____ ____
> >      `----,\    )
> >       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
> >        `--==\\/
> >      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
> >   @_/        /  66\_  cummingsj at ...11827...
> >     |    \   \   _(")
> >      \   /-| ||'--'  Rules give me wings!
> >       \_\  \_\\
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Use of uninitialized value $Snort in pattern match (m//) at
> > /usr/local/bin/pulledpork.pl line 1827.
> > Use of uninitialized value $Snort in pattern match (m//) at
> > /usr/local/bin/pulledpork.pl line 1831.
> > Checking latest MD5 for emerging.rules.tar.gz....
> > Rules tarball download of emerging.rules.tar.gz....
> >         They Match
> >         Done!
> > Prepping rules from emerging.rules.tar.gz for work....
> > Use of uninitialized value $ignore in split at
> > /usr/local/bin/pulledpork.pl line 230.
> >         Done!
> > Reading rules...
> > Reading rules...
> > Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
> >         Modified 2 rules
> >         Done
> > Setting Flowbit State....
> >         Enabled 39 flowbits
> >         Done
> > Writing rules to unique destination files....
> >         Writing rules to /data/config/etc/idpsuricata02/rules/
> >         Done
> > Generating sid-msg.map....
> >         Done
> > Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
> >         Done
> > Fly Piggy Fly!
> >
> > As you can see, pulledpork reads my disablesid.conf and tries to
> > disable both rules, but this never happens for rule 2011582.
> >
> > Any idea??
> >
> > Thanks.
> 
> Please, any idea about this??
> 
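The re-enabling behaviour YM describes above is easy to reproduce on a small rule set. The following is an added illustration, not PulledPork's own code: a simplified model of a flowbit dependency pass that starts from a disablesid list and repeatedly re-enables any disabled rule that sets a flowbit some still-enabled rule checks with isset/isnotset. The three rules, their SIDs (9000001-9000003) and the flowbit name are constructed for the example and are not the ET rules from the thread; the exact set of flowbits keywords PulledPork treats as "setter" and "checker" is an assumption here.

```python
"""Model of a flowbit dependency pass (constructed example, not PulledPork code).

A rule that is disabled but *sets* a flowbit which an enabled rule *checks*
is pulled back in, otherwise the checking rule could never fire.  This is the
kind of conflict that shows up in PulledPork's verbose (-v) output.
"""
import re

# Constructed sample rules; SIDs 9000001-9000003 are illustrative only.
# 9000001 sets a flowbit (and does not alert itself), 9000002 checks it,
# 9000003 is a standalone rule with no flowbit dependency.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Old client version seen"; flow:to_server,established; content:"User-Agent|3a| OldClient/1.6"; flowbits:set,example.oldclient; flowbits:noalert; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE Exploit served to old client"; flow:to_client,established; flowbits:isset,example.oldclient; content:"|ca fe ba be|"; sid:9000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE Standalone spyware UA"; flow:to_server,established; content:"User-Agent|3a| Spybar"; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"sid:\s*(\d+)\s*;")
# flowbits:<op>,<name or name&name|name>;  ("flowbits:noalert;" has no comma
# and is deliberately ignored: it neither sets nor checks a bit)
FLOWBITS_RE = re.compile(r"flowbits:\s*([a-z]+)\s*,\s*([^;]+);")

# Assumed keyword split; PulledPork's exact handling may differ.
SETTER_OPS = {"set", "setx", "toggle"}
CHECKER_OPS = {"isset", "isnotset"}


def parse_rules(text):
    """Return {sid: (rule_line, bits_set, bits_checked)} for every rule line."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SID_RE.search(line)
        if not m:
            continue
        sets, checks = set(), set()
        for op, arg in FLOWBITS_RE.findall(line):
            names = {n.strip() for n in re.split(r"[&|]", arg) if n.strip()}
            if op in SETTER_OPS:
                sets |= names
            elif op in CHECKER_OPS:
                checks |= names
        rules[int(m.group(1))] = (line, sets, checks)
    return rules


def dependents(rules, sid):
    """SIDs of rules that check a flowbit which `sid` sets (why it gets re-enabled)."""
    _, sets, _ = rules[sid]
    return {other for other, (_, _, checks) in rules.items()
            if other != sid and checks & sets}


def resolve(rules, disabled):
    """Apply the dependency pass.

    Returns (final_disabled, reenabled).  Iterates to a fixed point because a
    re-enabled setter may itself check another bit, extending the chain.
    """
    disabled = set(disabled)
    reenabled = set()
    changed = True
    while changed:
        changed = False
        needed = set()
        for sid, (_, _, checks) in rules.items():
            if sid not in disabled:
                needed |= checks
        for sid in sorted(disabled):
            _, sets, _ = rules[sid]
            if sets & needed:          # an enabled rule depends on this bit
                disabled.discard(sid)
                reenabled.add(sid)
                changed = True
    return disabled, reenabled


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    final, back = resolve(rules, {9000001, 9000003})
    for sid in sorted(back):
        print(f"sid {sid} re-enabled: needed by {sorted(dependents(rules, sid))}")
    print("still disabled:", sorted(final))
```

Run as a script, the setter 9000001 comes back because 9000002 still checks its flowbit, while 9000003 stays disabled. Disabling the checker too (9000001 and 9000002 together) leaves both off, which is the usual way to make a flowbit-coupled disable stick.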