[Snort-users] Help with Pulledpork

Nicolas Greneche nicolas.greneche at ...16808...
Tue Apr 22 08:10:39 EDT 2014


Hi,

I'm a newcomer to Snort and I'm trying to configure Pulledpork.

I placed my rules in /usr/local/snortrules.

I created the directory owned by user snort (who runs snort and 
pulledpork). I subscribed to commercial VRT.

I created a test directory /usr/local/snortrules2 to test automatic 
update via pulledpork. This directory is also owned by snort.

Here is my pulledpork.conf:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myoinkcode
rule_url=https://www.snort.org/reg-rules/|opensource.gz|myoinkcode
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/snortrules2/rules/snort.rules
out_path=/usr/local/snortrules2/rules/
local_rules=/usr/local/snortrules2rules/local.rules
sid_msg=/usr/local/snortrules2/sid-msg.map
sid_msg_version=2
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/snort/lib/snort_dynamicrules/
snort_path=/usr/local/snort/bin/snort
config_path=/usr/local/snort/etc/snort.conf
distro=Debian-6-0
snort_control=/usr/local/snort/bin/snort_control
pid_path=/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
version=0.7.0

And when I run it (with debug):

# su snort -c '/usr/local/pulledpork/pulledpork.pl -Hnvc /usr/local/pulledpork/etc/pulledpork.conf'

     http://code.google.com/p/pulledpork/
       _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
   @_/        /  66\_  cummingsj at ...11827...
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/pulledpork/etc/pulledpork.conf
	snort_path = /usr/local/snort/bin/snort
	pid_path = /var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
	rule_path = /usr/local/snortrules2/rules/snort.rules
	ignore = deleted.rules,experimental.rules,local.rules
	snort_control = /usr/local/snort/bin/snort_control
	rule_url = ARRAY(0x1aa6fd8)
	sid_msg_version = 2
	sid_changelog = /var/log/snort/sid_changes.log
	sid_msg = /usr/local/snortrules2/sid-msg.map
	config_path = /usr/local/snort/etc/snort.conf
	temp_path = /tmp
	distro = Debian-6-0
	sorule_path = /usr/local/snort/lib/snort_dynamicrules/
	version = 0.7.0
	out_path = /usr/local/snortrules2/rules/
	local_rules = /usr/local/snortrules2rules/local.rules
MISC (CLI and Autovar) Variable Debug:
	arch Def is: x86-64
	Config Path is: /usr/local/pulledpork/etc/pulledpork.conf
	Distro Def is: Debian-6-0
	Disabled policy specified
	local.rules path is: /usr/local/snortrules2rules/local.rules
	No Download Flag is Set
	Rules file is: /usr/local/snortrules2/rules/snort.rules
	sid changes will be logged to: /var/log/snort/sid_changes.log
	sid-msg.map Output Path is: /usr/local/snortrules2/sid-msg.map
	SIGHUP Flag is Set
	Snort Version is: 2.9.6.0
	Snort Config File: /usr/local/snort/etc/snort.conf
	Snort Path is: /usr/local/snort/bin/snort
	SO Output Path is: /usr/local/snort/lib/snort_dynamicrules/
	Will process SO rules
	Verbose Flag is Set
	Base URL is: 
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myoinkcode 
https://www.snort.org/reg-rules/|opensource.gz|myoinkcode
Prepping rules from snortrules-snapshot-2960.tar.gz for work....
	extracting contents of /tmp/snortrules-snapshot-2960.tar.gz...
	Ignoring plaintext rules: deleted.rules
	Ignoring plaintext rules: experimental.rules
	Ignoring plaintext rules: local.rules
	Extracted: /tha_rules/VRT-server-other.rules
         [...]
Prepping rules from snortrules-snapshot-2960.tar.gz for work....
	extracting contents of /tmp/snortrules-snapshot-2960.tar.gz...
	Ignoring plaintext rules: deleted.rules
	Ignoring plaintext rules: experimental.rules
	Ignoring plaintext rules: local.rules
	Extracted: /tha_rules/VRT-server-other.rules
         [...]
Cleanup....
	removed 119 temporary snort files or directories from /tmp/tha_rules!
Fly Piggy Fly!

And my /usr/local/snortrules2/ remains empty.

Any ideas?

Regards,

-- 
Nicolas Grenèche

URL : http://blog.etcshadow.fr
Tel : 01 49 40 40 35
Fax : 01 48 22 81 50
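As an added example (editor's code, not part of the post and not from the PulledPork project), here is a small pre-flight checker for a PulledPork-style key=value config. It parses the file the way the debug dump above shows it (a repeated key such as rule_url collects into a list, which is what the Perl "ARRAY(...)" line reflects), then reports rule_url entries that do not have the url|tarball|oinkcode shape and output locations whose directory is absent. The sample config is constructed to mirror the layout of the one in the post with a placeholder oinkcode; the assumptions that a real oinkcode is a 40-character hex token and that the output directories must already exist before the run are the editor's, and the `isdir` parameter exists only so the check can be run against a recorded directory set instead of the live filesystem.

```python
"""Pre-flight checks for a PulledPork key=value config (added example)."""
import os
import re

# Constructed sample mirroring the layout of the post's config; paths and
# the placeholder oinkcode are illustrative, not a real deployment.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myoinkcode
rule_url=https://www.snort.org/reg-rules/|opensource.gz|myoinkcode
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/snortrules2/rules/snort.rules
out_path=/usr/local/snortrules2/rules/
local_rules=/usr/local/snortrules2rules/local.rules
sid_msg=/usr/local/snortrules2/sid-msg.map
sid_changelog=/var/log/snort/sid_changes.log
"""

# Keys whose value is a directory PulledPork writes into (assumed to exist
# before the run) and keys whose value is a file it creates (parent must exist).
DIR_KEYS = ("out_path", "sorule_path", "temp_path")
FILE_KEYS = ("rule_path", "local_rules", "sid_msg", "sid_changelog")

# Assumption: a real oinkcode is a 40-character lowercase hex token.
OINKCODE_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_conf(text):
    """Return {key: [values...]}; every key maps to a list so repeats are kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def check_rule_urls(conf):
    """Flag rule_url entries that are malformed or still carry a placeholder oinkcode."""
    findings = []
    for entry in conf.get("rule_url", []):
        parts = entry.split("|")
        if len(parts) != 3 or not parts[0].startswith("https://"):
            findings.append(f"rule_url malformed (want https-url|tarball|oinkcode): {entry}")
        elif not OINKCODE_RE.match(parts[2]):
            findings.append(f"rule_url oinkcode does not look like a real token: {parts[2]}")
    return findings


def check_output_paths(conf, isdir=os.path.isdir):
    """Flag directories that are missing and files whose parent directory is missing."""
    findings = []
    for key in DIR_KEYS:
        for path in conf.get(key, []):
            target = path.rstrip("/")
            if not isdir(target):
                findings.append(f"{key}: directory missing: {target}")
    for key in FILE_KEYS:
        for path in conf.get(key, []):
            parent = os.path.dirname(path)
            if not isdir(parent):
                findings.append(f"{key}: parent directory missing: {parent}")
    return findings


def audit(text, isdir=os.path.isdir):
    """Parse the config text and return every finding as a list of strings."""
    conf = parse_conf(text)
    return check_rule_urls(conf) + check_output_paths(conf, isdir)


if __name__ == "__main__":
    # Constructed directory set: only the trees a fresh install would have.
    existing = {"/tmp", "/var/log/snort", "/usr/local/snortrules2",
                "/usr/local/snortrules2/rules"}
    for finding in audit(SAMPLE_CONF, isdir=lambda p: p in existing):
        print("WARN", finding)
```

Run it against the real file with `audit(open("/path/to/pulledpork.conf").read())` to use the live filesystem. Because the `-n` flag in the command above suppresses downloads, a check like this is the cheapest way to see whether an empty output tree is a path problem before re-running with network access.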