[Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Y M snort at ...15979...
Fri Aug 29 16:39:50 EDT 2014


I see. I have always used -nP when processing rules locally. I just assumed that -n tells Pulledpork not to reach the internet to download files, and then -P to do the actual processing of rules. That's how I read (assumed) it :).
YM

From: jason.weir at ...14916...
To: snort-users at lists.sourceforge.net
Date: Fri, 29 Aug 2014 20:12:42 +0000
Subject: Re: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Thanks I’ve read the readme.
 
I didn’t equate -P to parse disablesid.conf because -n indicated it would (but doesn’t).
 
Am I reading things wrong?
 
Thanks!
 
-J
 


From: Y M [mailto:snort at ...15979...]
Sent: Friday, August 29, 2014 4:07 PM
To: Weir, Jason
Cc: snort-users
Subject: RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

From: jason.weir at ...14916...
To: snort-users at lists.sourceforge.net
Date: Fri, 29 Aug 2014 20:02:22 +0000
Subject: Re: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

OK that worked, so what’s the -n switch for then?
 
-n Do everything other than download of new files (disablesid, etc). More info here: https://code.google.com/p/pulledpork/source/browse/trunk/README
 
 
 


From: Y M [mailto:snort at ...15979...]
Sent: Friday, August 29, 2014 3:55 PM
To: Weir, Jason
Cc: snort-users
Subject: RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Try running PulledPork with -P.

YM




From: jason.weir at ...14916...
To: snort-users at lists.sourceforge.net
Date: Fri, 29 Aug 2014 19:43:59 +0000
Subject: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

I’m testing PP 0.7.0 and seeing what looks like a bug but want to confirm it’s not a config issue on my end.
 
As I tune the sensor I add entries in each of the config files (enablesid, disablesid, modifysid conf files) and then run pulledpork and restart snort:
 
/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv
 
If there are no rule updates to download (from either VRT or ET) I get this output
 
 
    
http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_ cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /usr/local/etc/snort/enablesid.conf
        modifysid = /usr/local/etc/snort/modifysid.conf
        IPRVersion = /usr/local/etc/snort/rules/iplists
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        state_order = disable,drop,enable
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0x8e1aac8)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /usr/local/etc/snort/disablesid.conf
        dropsid = /usr/local/etc/snort/dropsid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/local/etc/snort/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/etc/snort/rules/local.rules
        Rules file is: /usr/local/etc/snort/rules/snort.rules
        Path to disablesid file: /usr/local/etc/snort/disablesid.conf
        Path to dropsid file: /usr/local/etc/snort/dropsid.conf
        Path to enablesid file: /usr/local/etc/snort/enablesid.conf
        Path to modifysid file: /usr/local/etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set
 
*********** Removed Download Logging where the checksums matched and there were no new rules to download *********************
 
Cleanup....
        removed 0 temporary snort files or directories from /tmp/tha_rules!
Writing /var/log/sid_changes.log....
        Done
 
No Rule Changes
 
No IP Blacklist Changes
 
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
 
If I delete all the rules and re-run PP I get the following output
 
 
    
http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_ cummingsj at ...11827...
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /usr/local/etc/snort/enablesid.conf
        modifysid = /usr/local/etc/snort/modifysid.conf
        IPRVersion = /usr/local/etc/snort/rules/iplists
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        state_order = disable,drop,enable
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0xa41cac8)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /usr/local/etc/snort/disablesid.conf
        dropsid = /usr/local/etc/snort/dropsid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/local/etc/snort/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/etc/snort/rules/local.rules
        Rules file is: /usr/local/etc/snort/rules/snort.rules
        Path to disablesid file: /usr/local/etc/snort/disablesid.conf
        Path to dropsid file: /usr/local/etc/snort/dropsid.conf
        Path to enablesid file: /usr/local/etc/snort/enablesid.conf
        Path to modifysid file: /usr/local/etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set
 
*********** Removed Download Logging where the checksums didn’t match and the rules files were downloaded *********************
 
Prepping rules from opensource.gz for work....
                **************removed extra logging *****************
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
                **************removed extra logging *****************
Prepping rules from emerging.rules.tar.gz for work....
                **************removed extra logging *****************
Prepping rules from community-rules.tar.gz for work....
                **************removed extra logging *****************
Generating Stub Rules....
       Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/tmp/tha_rules/so_rules/
        An error occurred: WARNING: ip4 normalizations disabled because not inline.
 
        An error occurred: WARNING: tcp normalizations disabled because not inline.
 
        An error occurred: WARNING: icmp4 normalizations disabled because not inline.
 
        An error occurred: WARNING: ip6 normalizations disabled because not inline.
 
        An error occurred: WARNING: icmp6 normalizations disabled because not inline.
 
        Dumping dynamic rules...
                **************removed extra logging *****************
          Finished dumping dynamic rules.
        Done
        Reading rules...
        Reading rules...
Cleanup....
        removed 202 temporary snort files or directories from /tmp/tha_rules!
Modifying Sids....
        Done!
Processing /usr/local/etc/snort/disablesid.conf....
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Modified 8 rules
        Done
Processing /usr/local/etc/snort/dropsid.conf....
        Modified 0 rules
        Done
Processing /usr/local/etc/snort/enablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 119 flowbits
        Done
Writing /usr/local/etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v2 /usr/local/etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------344
        Deleted:---16
        Enabled Rules:----21793
       Dropped Rules:----0
        Disabled Rules:---20007
        Total Rules:------41800
No IP Blacklist Changes
 
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
 
Next if I go into disablesid.conf and add another entry and re-run pp I get the same output as the first run – the new entry in disablesid.conf doesn’t get parsed or disabled in the snort.rules file.
 
Any ideas?
 
Jason
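A check for the situation described above, added here as an example and not part of this thread or of PulledPork itself: it expands disablesid.conf (assuming PulledPork's gid:sid, comma-list and gid:sid-gid:sid range syntax; pcre: and category entries are skipped) and lists every entry whose rule is still uncommented in the snort.rules PulledPork wrote, which is how you would confirm after a -nP run that a new entry actually took effect. The file contents below are constructed samples; in practice the two files at the paths from the thread would be read instead.

```python
import re
# Constructed sample input (not from the thread): a disablesid.conf and the
# snort.rules that a pulledpork -nP run should have written from it.
DISABLESID_CONF = """\
1:2100
1:2101,1:2102
1:3000-1:3001
"""
SNORT_RULES = """\
# alert tcp any any -> any 80 (msg:"TEST one"; sid:2100; rev:1;)
alert tcp any any -> any 80 (msg:"TEST two"; sid:2101; rev:1;)
# alert tcp any any -> any 80 (msg:"TEST three"; sid:2102; rev:1;)
# alert tcp any any -> any 80 (msg:"TEST range a"; sid:3000; gid:1; rev:1;)
alert tcp any any -> any 80 (msg:"TEST range b"; sid:3001; rev:1;)
"""
RULE_RE = re.compile(r'^(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s.*\((.*)\)\s*$')

def parse_rules(text):
    """Map (gid, sid) -> True when the rule is enabled (not '#'-commented)."""
    state = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sid = re.search(r'\bsid:\s*(\d+)', m.group(2))
        gid = re.search(r'\bgid:\s*(\d+)', m.group(2))
        if sid:  # gid defaults to 1 when absent, as in Snort itself
            state[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = m.group(1) is None
    return state

def parse_disablesid(text):
    """Expand gid:sid, comma lists and gid:sid-gid:sid ranges (assumed syntax); pcre:/category entries are skipped."""
    wanted = set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]  # drop comments
        for item in filter(None, (i.strip() for i in line.split(','))):
            rng = re.match(r'^(\d+):(\d+)-(\d+):(\d+)$', item)
            if rng:
                g1, s1, _, s2 = map(int, rng.groups())
                wanted.update((g1, s) for s in range(s1, s2 + 1))
            elif re.match(r'^\d+:\d+$', item):
                g, s = item.split(':')
                wanted.add((int(g), int(s)))
    return wanted

def unapplied(disablesid_text, rules_text):
    """Entries from disablesid.conf whose rule is still enabled in snort.rules."""
    enabled = parse_rules(rules_text)
    return sorted(k for k in parse_disablesid(disablesid_text) if enabled.get(k))
```

An empty result means every listed sid is commented out in snort.rules; anything returned is an entry PulledPork did not apply on that run.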
 
 
 



------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters.
http://tv.slashdot.org/

_______________________________________________ Snort-users mailing list 
Snort-users at lists.sourceforge.net Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit
http://blog.snort.org to stay current on all the latest Snort news!





