[Snort-users] How to activate all rules using PulledPork?

SnortFan SnortFan at ...131...
Thu Feb 20 19:28:40 EST 2014


If you're talking about all those commented-out rules that PulledPork leaves in the snort.rules file, try adding the Snort rule categories to the enablesid file.

If you need a list of the categories, their names are in the snort.rules file, or I can find it in one of my emails to the forum.

Cheers,
Ed

Sent from a mobile device. 

> On Feb 20, 2014, at 2:14 PM, "Michael Steele" <michaels at ...9077...> wrote:
> 
> I've been trying to get PulledPork to enable all rules, and so far all help has stalled in the PulledPork Google Groups.
>  
> I'm told by JJ that it is possible, and he has instructed me to add <PCRE wildcard "."> (everything between the <>) to the enablesid.conf, and all the alerts would be activated.
>  
> I'm having no problems processing rules with any one of the three IP_Policy settings.
>  
> Hopefully someone has a solution to this?
>  
> Here is my pulledpork.conf:
>  
> # Config file for pulledpork
> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
> rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
> rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
> temp_path=d:\winids\pulledpork\temp
> rule_path=d:\winids\snort\rules\winids.rules
> local_rules=d:\winids\snort\rules\local.rules
> sid_msg=d:\winids\snort\etc\sid-msg.map
> sid_msg_version=1
> sid_changelog=d:\winids\snort\log\sid_changes.log
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/usr/local/etc/snort/snort.conf
> distro=FreeBSD-8.1
> docs=d:\winids\Apache24\htdocs\base\signatures\
> snort_version=2.9.5.6
> enablesid=d:\winids\pulledpork\etc\enablesid.conf
> dropsid=d:\winids\pulledpork\etc\dropsid.conf
> disablesid=d:\winids\pulledpork\etc\disablesid.conf
> modifysid=d:\winids\pulledpork\etc\modifysid.conf
> ips_policy=security
> version=0.7.0
>  
>  
> Here is my enablesid.conf:
>  
> # example enablesid.conf v3.1
> PCRE wildcard "."
>  
> Here is my run line:
>  
> pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vT
>  
> TIA...
> Michael...
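To illustrate the mechanism behind both suggestions in this thread (category names in enablesid.conf, and a PCRE wildcard that matches every rule), here is an added Python example; it is not part of this thread or of PulledPork itself. It assumes PulledPork's `pcre:<regex>` entry syntax for enablesid.conf and uses a constructed snort.rules sample in which rules outside the chosen ips_policy are written out commented.

```python
import re

# Constructed sample of a PulledPork-style snort.rules file: rules outside the
# chosen ips_policy are written out commented with a leading "# ".
SNORT_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"SQL probe"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC beacon"; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP attempt"; sid:1000003; rev:1;)
# drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MALWARE-CNC dns"; sid:1000004; rev:1;)
"""

# A commented-out rule still starts with a rule action after the "#".
RULE_LINE = re.compile(r'^#?\s*(alert|drop|pass|log|sdrop|reject)\s')


def parse_enablesid(text):
    """Return compiled regexes from 'pcre:' entries (assumed enablesid syntax).

    Entries are comma separated; '#' starts a trailing comment.  Lines that are
    not 'pcre:' entries (e.g. the literal text 'PCRE wildcard "."') select nothing.
    """
    patterns = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        for entry in line.split(','):
            entry = entry.strip().strip('"')
            if entry.lower().startswith('pcre:'):
                patterns.append(re.compile(entry[5:].strip('"')))
    return patterns


def enable_rules(rules_text, enablesid_text):
    """Uncomment every commented rule matching at least one pattern.

    Returns (new rules text, list of SIDs that were switched on).
    """
    patterns = parse_enablesid(enablesid_text)
    out, enabled = [], []
    for line in rules_text.splitlines():
        if line.startswith('#') and RULE_LINE.match(line) \
                and any(p.search(line) for p in patterns):
            line = line.lstrip('# ')
            enabled.append(int(re.search(r'sid:(\d+);', line).group(1)))
        out.append(line)
    return '\n'.join(out) + '\n', enabled
```

With `pcre:MALWARE-CNC` only the commented MALWARE-CNC rule is switched on, with `pcre:.` every commented rule is, and the literal line from the thread's enablesid.conf enables nothing.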