[Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Doug Burks doug.burks at ...11827...
Fri Aug 29 15:51:28 EDT 2014


Hi Jason,

Have you looked at the -P option?

http://blog.snort.org/2013/09/pulledpork-070-released-include.html

On Fri, Aug 29, 2014 at 3:43 PM, Weir, Jason <jason.weir at ...14916...> wrote:
> I’m testing PP 0.7.0 and seeing what looks like a bug but want to confirm
> it’s not a config issue on my end.
>
> As I tune the sensor I add entries in each of the config files
> (enablesid, disablesid, modifysid conf files) and then run pulledpork and
> restart snort:
>
> /usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv
>
> If there are no rule updates to download (from either VRT or ET) I get this
> output:
>
>     http://code.google.com/p/pulledpork/
>
>       _____ ____
>
>      `----,\    )
>
>       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
>
>        `--==\\/
>
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
>
>   @_/        /  66\_  cummingsj at ...11827...
>
>     |    \   \   _(")
>
>      \   /-| ||'--'  Rules give me wings!
>
>       \_\  \_\\
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
> Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
>
>         snort_path = /usr/local/bin/snort
>
>         enablesid = /usr/local/etc/snort/enablesid.conf
>
>         modifysid = /usr/local/etc/snort/modifysid.conf
>
>         IPRVersion = /usr/local/etc/snort/rules/iplists
>
>         rule_path = /usr/local/etc/snort/rules/snort.rules
>
>         ignore = deleted.rules,experimental.rules,local.rules
>
>         state_order = disable,drop,enable
>
>         snort_control = /usr/local/bin/snort_control
>
>         rule_url = ARRAY(0x8e1aac8)
>
>         sid_msg_version = 2
>
>         sid_changelog = /var/log/sid_changes.log
>
>         sid_msg = /usr/local/etc/snort/sid-msg.map
>
>         config_path = /usr/local/etc/snort/snort.conf
>
>         temp_path = /tmp
>
>         distro = Debian-6-0
>
>         version = 0.7.0
>
>         sorule_path = /usr/local/lib/snort_dynamicrules/
>
>         disablesid = /usr/local/etc/snort/disablesid.conf
>
>         dropsid = /usr/local/etc/snort/dropsid.conf
>
>         local_rules = /usr/local/etc/snort/rules/local.rules
>
> MISC (CLI and Autovar) Variable Debug:
>
>         arch Def is: i386
>
>         Config Path is: /usr/local/etc/snort/pulledpork.conf
>
>         Distro Def is: Debian-6-0
>
>         Disabled policy specified
>
>         local.rules path is: /usr/local/etc/snort/rules/local.rules
>
>         Rules file is: /usr/local/etc/snort/rules/snort.rules
>
>         Path to disablesid file: /usr/local/etc/snort/disablesid.conf
>
>         Path to dropsid file: /usr/local/etc/snort/dropsid.conf
>
>         Path to enablesid file: /usr/local/etc/snort/enablesid.conf
>
>         Path to modifysid file: /usr/local/etc/snort/modifysid.conf
>
>         sid changes will be logged to: /var/log/sid_changes.log
>
>         sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
>
>         Snort Version is: 2.9.6.2
>
>         Snort Config File: /usr/local/etc/snort/snort.conf
>
>         Snort Path is: /usr/local/bin/snort
>
>         SO Output Path is: /usr/local/lib/snort_dynamicrules/
>
>         Will process SO rules
>
>         Extra Verbose Flag is Set
>
>         Verbose Flag is Set
>
>
> *********** Removed Download Logging where the checksums matched and there
> were no new rules to download *********************
>
> Cleanup....
>
>         removed 0 temporary snort files or directories from /tmp/tha_rules!
>
> Writing /var/log/sid_changes.log....
>
>         Done
>
> No Rule Changes
>
> No IP Blacklist Changes
>
> Done
>
> Please review /var/log/sid_changes.log for additional details
>
> Fly Piggy Fly!
>
> If I delete all the rules and re-run PP I get the following output:
>
>     http://code.google.com/p/pulledpork/
>
>       _____ ____
>
>      `----,\    )
>
>       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
>
>        `--==\\/
>
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
>
>   @_/        /  66\_  cummingsj at ...11827...
>
>     |    \   \   _(")
>
>      \   /-| ||'--'  Rules give me wings!
>
>       \_\  \_\\
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
> Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
>
>         snort_path = /usr/local/bin/snort
>
>         enablesid = /usr/local/etc/snort/enablesid.conf
>
>         modifysid = /usr/local/etc/snort/modifysid.conf
>
>         IPRVersion = /usr/local/etc/snort/rules/iplists
>
>         rule_path = /usr/local/etc/snort/rules/snort.rules
>
>         ignore = deleted.rules,experimental.rules,local.rules
>
>         state_order = disable,drop,enable
>
>         snort_control = /usr/local/bin/snort_control
>
>         rule_url = ARRAY(0xa41cac8)
>
>         sid_msg_version = 2
>
>         sid_changelog = /var/log/sid_changes.log
>
>         sid_msg = /usr/local/etc/snort/sid-msg.map
>
>         config_path = /usr/local/etc/snort/snort.conf
>
>         temp_path = /tmp
>
>         distro = Debian-6-0
>
>         version = 0.7.0
>
>         sorule_path = /usr/local/lib/snort_dynamicrules/
>
>         disablesid = /usr/local/etc/snort/disablesid.conf
>
>         dropsid = /usr/local/etc/snort/dropsid.conf
>
>         local_rules = /usr/local/etc/snort/rules/local.rules
>
> MISC (CLI and Autovar) Variable Debug:
>
>         arch Def is: i386
>
>         Config Path is: /usr/local/etc/snort/pulledpork.conf
>
>         Distro Def is: Debian-6-0
>
>         Disabled policy specified
>
>         local.rules path is: /usr/local/etc/snort/rules/local.rules
>
>         Rules file is: /usr/local/etc/snort/rules/snort.rules
>
>         Path to disablesid file: /usr/local/etc/snort/disablesid.conf
>
>         Path to dropsid file: /usr/local/etc/snort/dropsid.conf
>
>         Path to enablesid file: /usr/local/etc/snort/enablesid.conf
>
>         Path to modifysid file: /usr/local/etc/snort/modifysid.conf
>
>         sid changes will be logged to: /var/log/sid_changes.log
>
>         sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
>
>         Snort Version is: 2.9.6.2
>
>         Snort Config File: /usr/local/etc/snort/snort.conf
>
>         Snort Path is: /usr/local/bin/snort
>
>         SO Output Path is: /usr/local/lib/snort_dynamicrules/
>
>         Will process SO rules
>
>         Extra Verbose Flag is Set
>
>         Verbose Flag is Set
>
> *********** Removed Download Logging where the checksums didn’t match and
> the rules files were downloaded *********************
>
> Prepping rules from opensource.gz for work....
>
>                 **************removed extra logging *****************
>
> Prepping rules from snortrules-snapshot-2962.tar.gz for work....
>
>                 **************removed extra logging *****************
>
> Prepping rules from emerging.rules.tar.gz for work....
>
>                 **************removed extra logging *****************
>
> Prepping rules from community-rules.tar.gz for work....
>
>                 **************removed extra logging *****************
>
> Generating Stub Rules....
>
>        Generating shared object stubs via:/usr/local/bin/snort -c
> /usr/local/etc/snort/snort.conf
> --dump-dynamic-rules=/tmp/tha_rules/so_rules/
>
>         An error occurred: WARNING: ip4 normalizations disabled because not
> inline.
>
>         An error occurred: WARNING: tcp normalizations disabled because not
> inline.
>
>         An error occurred: WARNING: icmp4 normalizations disabled because
> not inline.
>
>         An error occurred: WARNING: ip6 normalizations disabled because not
> inline.
>
>         An error occurred: WARNING: icmp6 normalizations disabled because
> not inline.
>
>         Dumping dynamic rules...
>
>                 **************removed extra logging *****************
>
>           Finished dumping dynamic rules.
>
>         Done
>
>         Reading rules...
>
>         Reading rules...
>
> Cleanup....
>
>         removed 202 temporary snort files or directories from
> /tmp/tha_rules!
>
> Modifying Sids....
>
>         Done!
>
> Processing /usr/local/etc/snort/disablesid.conf....
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Disabled 1:xxxxxxx
>
>         Modified 8 rules
>
>         Done
>
> Processing /usr/local/etc/snort/dropsid.conf....
>
>         Modified 0 rules
>
>         Done
>
> Processing /usr/local/etc/snort/enablesid.conf....
>
>         Modified 0 rules
>
>         Done
>
> Setting Flowbit State....
>
>         Enabled 119 flowbits
>
>         Done
>
> Writing /usr/local/etc/snort/rules/snort.rules....
>
>         Done
>
> Generating sid-msg.map....
>
>         Done
>
> Writing v2 /usr/local/etc/snort/sid-msg.map....
>
>         Done
>
> Writing /var/log/sid_changes.log....
>
>         Done
>
> Rule Stats...
>
>         New:-------344
>
>         Deleted:---16
>
>         Enabled Rules:----21793
>
>        Dropped Rules:----0
>
>         Disabled Rules:---20007
>
>         Total Rules:------41800
>
> No IP Blacklist Changes
>
>
>
> Done
>
> Please review /var/log/sid_changes.log for additional details
>
> Fly Piggy Fly!
>
> Next if I go into disablesid.conf and add another entry and re-run PP I get
> the same output as the first run – the new entry in disablesid.conf doesn’t
> get parsed or disabled in the snort.rules file.
>
> Any ideas?
>
> Jason
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!



-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
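The -P option Doug points to tells PulledPork 0.7.0 to process the rules even when no new rules were downloaded, which is exactly the case Jason hits: the tuning files changed but the upstream tarball checksums did not. Passing -P on every run re-applies the tuning unconditionally; the wrapper below is an added example written for this page (not code from the thread, from Security Onion, or from the PulledPork project) that adds -P only when the SID tuning files actually changed, then validates the generated configuration with snort -T before restarting the sensor. The config and tuning-file paths are taken from Jason's debug output; STATE_FILE, SNORT_RESTART_CMD, the fingerprint file format and the PP_WRAPPER_RUN switch are this wrapper's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of PulledPork itself.
# Run PulledPork with -P only when the SID tuning files changed since the
# last recorded run, so disablesid/enablesid/modifysid/dropsid edits are
# applied even when no new rules were downloaded.

PP_CONF=${PP_CONF:-/usr/local/etc/snort/pulledpork.conf}
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort/snort.conf}
SID_DIR=${SID_DIR:-/usr/local/etc/snort}
# Files from Jason's "Config File Variable Debug" output; add threshold.conf
# here if PulledPork manages it on your sensor.
SID_FILES="$SID_DIR/disablesid.conf $SID_DIR/enablesid.conf $SID_DIR/modifysid.conf $SID_DIR/dropsid.conf"
STATE_FILE=${STATE_FILE:-/var/lib/pulledpork/sidconf.cksum}       # hypothetical path
SNORT_RESTART_CMD=${SNORT_RESTART_CMD:-/etc/init.d/snort restart}  # hypothetical; use your init system

# Fingerprint the tuning files (name plus contents) with POSIX cksum.
# Missing files are skipped so an optional file does not abort the run.
sid_fingerprint() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            cat "$f"
        fi
    done | cksum
}

# Print "-P" when the tuning files differ from the recorded fingerprint
# (or when no fingerprint has been recorded yet); print nothing otherwise.
# usage: pp_extra_args STATE_FILE FILE...
pp_extra_args() {
    state=$1; shift
    new=$(sid_fingerprint "$@")
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" != "$old" ]; then
        printf '%s' '-P'
    fi
}

# Record the current fingerprint after a successful run.
# usage: pp_record_state STATE_FILE FILE...
pp_record_state() {
    state=$1; shift
    sid_fingerprint "$@" > "$state"
}

# Full cycle: PulledPork (with -P only when tuning changed), then snort -T
# on the resulting configuration before restarting, so a bad modifysid
# expression or a typo in disablesid.conf does not take the sensor down.
run_pulledpork() {
    extra=$(pp_extra_args "$STATE_FILE" $SID_FILES)   # unquoted on purpose: empty or -P
    /usr/local/bin/pulledpork.pl -c "$PP_CONF" $extra -vv || return 1
    pp_record_state "$STATE_FILE" $SID_FILES
    /usr/local/bin/snort -T -c "$SNORT_CONF" || return 1
    $SNORT_RESTART_CMD
}

# Only run the real cycle when explicitly requested (PP_WRAPPER_RUN=1),
# so the file can also be sourced to reuse the helpers.
if [ "${PP_WRAPPER_RUN:-0}" = 1 ]; then
    run_pulledpork
fi
```

Run it as `PP_WRAPPER_RUN=1 sh pp-wrapper.sh` from cron or by hand; the first run always adds -P because no fingerprint exists yet, later runs add it only after one of the tuning files is edited. The fingerprint covers file contents, not mtimes, so a `touch` or a rewrite with identical content does not trigger a reprocess.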



