[Snort-users] Is there something about pulledpork 0.7.0 I'm not getting?

Tony Robinson deusexmachina667 at ...11827...
Sun Jan 26 02:31:19 EST 2014


So I'll admit, I'm a little bit late to the party. I hadn't realized
that pulled pork was updated nearly four months ago. Better late than
never, I guess.

In any case, as a part of a side project of mine that I've talked
about on here before, I'm trying to integrate the newest version of
pulled pork into my scripts and I'm running into a strange issue.

I have a script that calls pulledpork twice. The first time it calls
pulledpork with the -g or "grab only" option to just pull down the
rule files, and that's it. My script then unpacks the tarball and
copies everything out of "etc" from the snortrules-snapshot file
downloaded to where snort is installed and expects to find it. My
script then runs pulledpork again with the -S option, the -c option
(to my pulledpork.conf file), the -T option (text rules only) and the
-n option, telling it that all the files it should need to do its job
should be on the box already; don't try to download any files from the
net.

The problem I'm running into is that running pulledpork.pl the second
time around appears to do absolutely nothing. Running pulledpork in
extra verbose mode seems to indicate that it unpacks the rules, then
deletes them; it doesn't create a snort.rules file, so_rules.rules file,
sid-msg.map file, or configure rules for a certain rule policy set
(e.g. "Security over Connectivity").

Alternatively, if I run pulledpork without the -n option, everything
just works the way I'm expecting it to -- snort.rules gets made,
sid-msg.map gets created, and all is well with the universe.

I've attached a copy of the pulledpork.conf I've used. It's stripped
down, but it works.

It almost feels like if you use the grab-only option, or if there is a
snortrules-snapshot file in the working directory for pulledpork (/tmp
in my case) that pulledpork does nothing.

I've attached the output from the following command:

perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S 2.9.5.6 -T -vv

"Run pulledpork, use my config file I provided. Download rules for
Snort 2.9.5.6, process text rules only, print all debug information."

...as the file "output1.txt" -- I figured attachments would probably be
better than spewing output all over the mailing list, using the exact
pulledpork config above. Everything works as expected. Tarballs are
pulled down, rules are processed, all is well with the world.

I also ran the following command:

perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S 2.9.5.6 -g -vv

"Run pulledpork, use my config file I provided. Download rules for
Snort 2.9.5.6. Don't do any further processing. Print all debug info."

...as the file "output2.txt" -- This command seems to run as expected,
but according to verbose mode, extracts all the rules, then removes
the files. It still results in the tarballs being downloaded and left in
/tmp to work with.

perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S 2.9.5.6 -T -n -vv

"Run pulledpork, use the config file I provided. Don't download
anything, but process rules for Snort 2.9.5.6, text rules only. Print
all debug info."

...as the file "output3.txt" -- This command doesn't seem to work at
all. It appears to extract the rule tarball twice then just bails out,
without processing any of the rules. So pulledpork knows the tarball
is in the working directory, extracts it, but does no rule processing
with it.



So... my work-around for now is to just download and process the rules
up front, in one go, with the first command I ran. The rule tarball is
still there for me to do my thing with after pulledpork processes the
rules how I want it to.

That's fine for me, but what about offline users who can't download
the rule tarball from the internet, and have to sneakernet the tarball
to the system they're running snort on (e.g. airgapped networks)?
Would this be considered a bug, or working as intended?

Thank you for your insight in advance.

-- 
when does reality end? when does fantasy begin?
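The two-phase workflow described in the post (grab-only run, copy etc/ out of the snapshot tarball, then an offline -n run) and the sneakernet case it asks about, as an added shell example that is not part of the original post or of pulledpork itself. It checks the tarball against the 32-hex digest in a .md5 sidecar before touching it (the same "Checking latest MD5" step the verbose online runs show and the -n run in output3.txt does not perform), stages only the tarball's etc/ tree into the Snort install, and then invokes pulledpork with -n. Assumed and not from the page: the sidecar naming convention `<tarball>.md5`, that the snapshot keeps its config under a top-level etc/ member, and the PULLEDPORK_CMD variable used to point at the pulledpork invocation.

```shell
#!/bin/sh
# Added example (not from the original post or the pulledpork project):
# stage a sneakernetted snortrules-snapshot tarball for an offline
# pulledpork run. Assumptions, all labelled: the tarball travels with a
# sidecar "<tarball>.md5" holding the 32-hex digest (the format the
# verbose output shows being fetched from snort.org), the snapshot has a
# top-level etc/ member, and PULLEDPORK_CMD holds the pulledpork
# command with its -c config already on it.

# Print the first 32-hex digest found in a .md5 sidecar, lowercased.
expected_md5() {
    tr -d '\r\n' < "$1" | grep -oE '[0-9a-fA-F]{32}' | head -n 1 | tr 'A-F' 'a-f'
}

# Compute the local tarball's md5 digest.
actual_md5() {
    md5sum "$1" | cut -d ' ' -f 1
}

# Return 0 when the tarball matches its sidecar digest, 1 otherwise.
# This is the check an online run performs and a -n run skips.
verify_rules_tarball() {
    tarball=$1
    sidecar=${2:-"$1.md5"}
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$sidecar" ] || { echo "missing md5 sidecar: $sidecar" >&2; return 1; }
    want=$(expected_md5 "$sidecar")
    have=$(actual_md5 "$tarball")
    if [ -z "$want" ]; then
        echo "no 32-hex digest in $sidecar" >&2
        return 1
    fi
    if [ "$want" != "$have" ]; then
        echo "digest mismatch for $tarball: want $want have $have" >&2
        return 1
    fi
    return 0
}

# Copy only the tarball's etc/ tree into the Snort install (the manual
# step between the -g run and the -n run). Extracting the single etc
# member into a scratch dir keeps rules/ and so_rules/ from the archive
# out of the config directory.
stage_snort_etc() {
    tarball=$1
    snort_etc=$2
    work=$(mktemp -d)
    tar -xzf "$tarball" -C "$work" etc || { rm -rf "$work"; return 1; }
    mkdir -p "$snort_etc"
    cp -R "$work/etc/." "$snort_etc/"
    rm -rf "$work"
}

# Verify, stage, then run pulledpork offline (-n) for the given Snort
# version, text rules only (-T), extra verbose (-vv), as in the post.
# PULLEDPORK_CMD is an assumed knob; it is split on whitespace on purpose.
offline_update() {
    tarball=$1
    snort_etc=$2
    snort_version=$3
    verify_rules_tarball "$tarball" || return 1
    stage_snort_etc "$tarball" "$snort_etc" || return 1
    ${PULLEDPORK_CMD:-perl pulledpork.pl -c /usr/src/pulledpork-0.7.0/etc/pulledpork.conf} \
        -S "$snort_version" -T -n -vv
}
```

The digest comparison catches a tarball that was truncated or corrupted on its way across the air gap, which is the failure an offline run would otherwise only discover when pulledpork bails out mid-extraction. It does not give tamper evidence when the .md5 file rode along on the same removable media as the tarball; for that the digest needs to be obtained out of band (or a signature checked) before the tarball is staged.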
-------------- next part --------------
Config File Variable Debug /usr/src/pulledpork-0.7.0/etc/pulledpork.conf
        sostub_path = /usr/local/snort/so_rules/so_rules.rules
        snort_path = /usr/local/snort/bin/snort
        distro = Ubuntu-12-04
        temp_path = /tmp
        version = 0.7.0
        sorule_path = /usr/local/snort/lib/snort_dynamicrules/
        rule_path = /usr/local/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0xa5e9cb0)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/snort/etc/sid-msg.map
        local_rules = /usr/local/snort/rules/local.rules
        ips_policy = security
        config_path = /usr/local/snort/etc/snort.conf
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/src/pulledpork-0.7.0/etc/pulledpork.conf
        Distro Def is: Ubuntu-12-04
        security policy specified
        local.rules path is: /usr/local/snort/rules/local.rules
        Rules file is: /usr/local/snort/rules/snort.rules
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/snort/etc/sid-msg.map
        Snort Version is: 2.9.5.6
        Snort Config File: /usr/local/snort/etc/snort.conf
        Snort Path is: /usr/local/snort/bin/snort
        Text Rules only Flag is Set
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|[nope] https://www.snort.org/reg-rules/|opensource.gz|[nope]
Checking latest MD5 for snortrules-snapshot-2956.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2956.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz.md5/[nope] ==> 200 OK
        most recent rules file digest: df2f3db172ed2b43dcd1ce47ddf37e25
Rules tarball download of snortrules-snapshot-2956.tar.gz....
        Fetching rules file: snortrules-snapshot-2956.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/[nope] ==> 302 Found (1s)
** GET https://s3.amazonaws.com/snort-org/www/rules/20131224/snortrules-snapshot-2956.tar.gz ==> 200 OK (90s)
        storing file at: /tmp/snortrules-snapshot-2956.tar.gz

        current local rules file  digest: df2f3db172ed2b43dcd1ce47ddf37e25
        The MD5 for snortrules-snapshot-2956.tar.gz matched df2f3db172ed2b43dcd1ce47ddf37e25

Checking latest MD5 for opensource.gz....
        Fetching md5sum for: opensource.gz.md5
** GET https://www.snort.org/reg-rules/opensource.gz.md5/[nope] ==> 200 OK
        most recent rules file digest: c3dd6375ce9664a0caae96154294bb6c
Rules tarball download of opensource.gz....
        Fetching rules file: opensource.gz
** GET https://www.snort.org/reg-rules/opensource.gz/[nope] ==> 302 Found (1s)
** GET https://s3.amazonaws.com/snort-org/www/snort-docs/20131209/opensource.gz ==> 200 OK (15s)
        storing file at: /tmp/opensource.gz

        current local rules file  digest: c3dd6375ce9664a0caae96154294bb6c
        The MD5 for opensource.gz matched c3dd6375ce9664a0caae96154294bb6c

Prepping rules from snortrules-snapshot-2956.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2956.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-protocol-telnet.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-protocol-tftp.rules
        Extracted: /tha_rules/VRT-file-java.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-protocol-dns.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-protocol-scada.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-os-mobile.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-protocol-rpc.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-server-samba.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-protocol-nntp.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-indicator-scan.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_rules/VRT-protocol-snmp.rules
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-protocol-icmp.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-indicator-shellcode.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-protocol-finger.rules
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-protocol-imap.rules
        Extracted: /tha_rules/VRT-malware-cnc.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /tha_rules/VRT-protocol-services.rules
        Extracted: /tha_rules/VRT-browser-ie.rules
        Extracted: /tha_rules/VRT-os-windows.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /tha_rules/VRT-browser-firefox.rules
        Extracted: /tha_rules/VRT-browser-chrome.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-browser-other.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-os-linux.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /tha_rules/VRT-policy-spam.rules
        Extracted: /tha_rules/VRT-malware-tools.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-malware-other.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-file-executable.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-exploit-kit.rules
        Extracted: /tha_rules/VRT-protocol-pop.rules
        Extracted: /tha_rules/VRT-browser-plugins.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-file-flash.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
        Extracted: /tha_rules/VRT-server-mysql.rules
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-server-iis.rules
        Extracted: /tha_rules/VRT-app-detect.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
Prepping rules from opensource.gz for work....
        extracting contents of /tmp/opensource.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Reading rules...
Cleanup....
        removed 119 temporary snort files or directories from /tmp/tha_rules!
Activating security rulesets....
        Done
Setting Flowbit State....
        Enabled 713 flowbits
        Enabled 25 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
Writing /usr/local/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v2 /usr/local/snort/etc/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------19708
        Deleted:---0
        Enabled Rules:----6161
        Dropped Rules:----0
        Disabled Rules:---13546
        Total Rules:------19707
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pp.conf
Type: application/octet-stream
Size: 652 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140126/4613fda9/attachment.obj>
-------------- next part --------------
Config File Variable Debug /usr/src/pulledpork-0.7.0/etc/pulledpork.conf
        sostub_path = /usr/local/snort/so_rules/so_rules.rules
        snort_path = /usr/local/snort/bin/snort
        distro = Ubuntu-12-04
        temp_path = /tmp
        version = 0.7.0
        sorule_path = /usr/local/snort/lib/snort_dynamicrules/
        rule_path = /usr/local/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0x99accb0)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/snort/etc/sid-msg.map
        local_rules = /usr/local/snort/rules/local.rules
        ips_policy = security
        config_path = /usr/local/snort/etc/snort.conf
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/src/pulledpork-0.7.0/etc/pulledpork.conf
        Distro Def is: Ubuntu-12-04
        grabonly Flag is Set, only gonna download!      security policy specified
        local.rules path is: /usr/local/snort/rules/local.rules
        Rules file is: /usr/local/snort/rules/snort.rules
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/snort/etc/sid-msg.map
        Snort Version is: 2.9.5.6
        Snort Config File: /usr/local/snort/etc/snort.conf
        Snort Path is: /usr/local/snort/bin/snort
        SO Output Path is: /usr/local/snort/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|[nope] https://www.snort.org/reg-rules/|opensource.gz|[nope]
Checking latest MD5 for snortrules-snapshot-2956.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2956.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz.md5/[nope] ==> 200 OK (1s)
        most recent rules file digest: df2f3db172ed2b43dcd1ce47ddf37e25
Rules tarball download of snortrules-snapshot-2956.tar.gz....
        Fetching rules file: snortrules-snapshot-2956.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2956.tar.gz/[nope] ==> 302 Found (1s)
** GET https://s3.amazonaws.com/snort-org/www/rules/20131224/snortrules-snapshot-2956.tar.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1390718831&Signature=dShnRZqy%2FNORViwL2uEXfdUC%2FyI%3D ==> 200 OK (24s)
        storing file at: /tmp/snortrules-snapshot-2956.tar.gz

        current local rules file  digest: df2f3db172ed2b43dcd1ce47ddf37e25
        The MD5 for snortrules-snapshot-2956.tar.gz matched df2f3db172ed2b43dcd1ce47ddf37e25

Checking latest MD5 for opensource.gz....
        Fetching md5sum for: opensource.gz.md5
** GET https://www.snort.org/reg-rules/opensource.gz.md5/[nope] ==> 200 OK (1s)
        most recent rules file digest: c3dd6375ce9664a0caae96154294bb6c
Rules tarball download of opensource.gz....
        Fetching rules file: opensource.gz
** GET https://www.snort.org/reg-rules/opensource.gz/[nope] ==> 302 Found
** GET https://s3.amazonaws.com/snort-org/www/snort-docs/20131209/opensource.gz?AWSAccessKeyId=AKIAJ65S5YX6KA26VRJQ&Expires=1390718856&Signature=3VoAdTcjaSgBGxQR4GIP%2F56zhzU%3D ==> 200 OK (9s)
        storing file at: /tmp/opensource.gz

        current local rules file  digest: c3dd6375ce9664a0caae96154294bb6c
        The MD5 for opensource.gz matched c3dd6375ce9664a0caae96154294bb6c

Prepping rules from snortrules-snapshot-2956.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2956.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-protocol-telnet.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-protocol-tftp.rules
        Extracted: /tha_rules/VRT-file-java.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-protocol-dns.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-protocol-scada.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/netbios.so
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/snmp.so
        Extracted: /usr/local/snort/lib/snort_dynamicrules/web-activex.so
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/imap.so
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-os-mobile.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-protocol-rpc.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-server-samba.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/bad-traffic.so
        Extracted: /usr/local/snort/lib/snort_dynamicrules/nntp.so
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-protocol-nntp.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/dos.so
        Extracted: /tha_rules/VRT-indicator-scan.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_rules/VRT-protocol-snmp.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/web-client.so
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-protocol-icmp.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-indicator-shellcode.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-protocol-finger.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/specific-threats.so
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-protocol-imap.rules
        Extracted: /tha_rules/VRT-malware-cnc.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/web-misc.so
        Extracted: /tha_rules/VRT-protocol-services.rules
        Extracted: /tha_rules/VRT-browser-ie.rules
        Extracted: /tha_rules/VRT-os-windows.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/multimedia.so
        Extracted: /usr/local/snort/lib/snort_dynamicrules/web-iis.so
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/chat.so
        Extracted: /tha_rules/VRT-browser-firefox.rules
        Extracted: /tha_rules/VRT-browser-chrome.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-browser-other.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-os-linux.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/icmp.so
        Extracted: /tha_rules/VRT-policy-spam.rules
        Extracted: /tha_rules/VRT-malware-tools.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-malware-other.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-file-executable.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/exploit.so
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-exploit-kit.rules
        Extracted: /tha_rules/VRT-protocol-pop.rules
        Extracted: /tha_rules/VRT-browser-plugins.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-file-flash.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/p2p.so
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/smtp.so
        Extracted: /tha_rules/VRT-server-mysql.rules
        Extracted: /usr/local/snort/lib/snort_dynamicrules/misc.so
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-server-iis.rules
        Extracted: /tha_rules/VRT-app-detect.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
Prepping rules from opensource.gz for work....
        extracting contents of /tmp/opensource.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
Cleanup....
        removed 119 temporary snort files or directories from /tmp/tha_rules!
Fly Piggy Fly!
-------------- next part --------------
Config File Variable Debug /usr/src/pulledpork-0.7.0/etc/pulledpork.conf
        sostub_path = /usr/local/snort/so_rules/so_rules.rules
        snort_path = /usr/local/snort/bin/snort
        distro = Ubuntu-12-04
        temp_path = /tmp
        version = 0.7.0
        sorule_path = /usr/local/snort/lib/snort_dynamicrules/
        rule_path = /usr/local/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0xa4dfcfc)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/snort/etc/sid-msg.map
        local_rules = /usr/local/snort/rules/local.rules
        ips_policy = security
        config_path = /usr/local/snort/etc/snort.conf
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/src/pulledpork-0.7.0/etc/pulledpork.conf
        Distro Def is: Ubuntu-12-04
        security policy specified
        local.rules path is: /usr/local/snort/rules/local.rules
        No Download Flag is Set
        Rules file is: /usr/local/snort/rules/snort.rules
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/snort/etc/sid-msg.map
        Snort Version is: 2.9.5.6
        Snort Config File: /usr/local/snort/etc/snort.conf
        Snort Path is: /usr/local/snort/bin/snort
        Text Rules only Flag is Set
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|[nope] https://www.snort.org/reg-rules/|opensource.gz|[nope]
Prepping rules from snortrules-snapshot-2956.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2956.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-protocol-telnet.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-protocol-tftp.rules
        Extracted: /tha_rules/VRT-file-java.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-protocol-dns.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-protocol-scada.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-os-mobile.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-protocol-rpc.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-server-samba.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-protocol-nntp.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-indicator-scan.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_rules/VRT-protocol-snmp.rules
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-protocol-icmp.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-indicator-shellcode.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-protocol-finger.rules
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-protocol-imap.rules
        Extracted: /tha_rules/VRT-malware-cnc.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /tha_rules/VRT-protocol-services.rules
        Extracted: /tha_rules/VRT-browser-ie.rules
        Extracted: /tha_rules/VRT-os-windows.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /tha_rules/VRT-browser-firefox.rules
        Extracted: /tha_rules/VRT-browser-chrome.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-browser-other.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-os-linux.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /tha_rules/VRT-policy-spam.rules
        Extracted: /tha_rules/VRT-malware-tools.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-malware-other.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-file-executable.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-exploit-kit.rules
        Extracted: /tha_rules/VRT-protocol-pop.rules
        Extracted: /tha_rules/VRT-browser-plugins.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-file-flash.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
        Extracted: /tha_rules/VRT-server-mysql.rules
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-server-iis.rules
        Extracted: /tha_rules/VRT-app-detect.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
Prepping rules from snortrules-snapshot-2956.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2956.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-protocol-telnet.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-protocol-tftp.rules
        Extracted: /tha_rules/VRT-file-java.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-protocol-dns.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-protocol-scada.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-os-mobile.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-protocol-rpc.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-server-samba.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-protocol-nntp.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-indicator-scan.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_rules/VRT-protocol-snmp.rules
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-protocol-icmp.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-indicator-shellcode.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-protocol-finger.rules
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-protocol-imap.rules
        Extracted: /tha_rules/VRT-malware-cnc.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /tha_rules/VRT-protocol-services.rules
        Extracted: /tha_rules/VRT-browser-ie.rules
        Extracted: /tha_rules/VRT-os-windows.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /tha_rules/VRT-browser-firefox.rules
        Extracted: /tha_rules/VRT-browser-chrome.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-browser-other.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-os-linux.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /tha_rules/VRT-policy-spam.rules
        Extracted: /tha_rules/VRT-malware-tools.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-malware-other.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-file-executable.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-exploit-kit.rules
        Extracted: /tha_rules/VRT-protocol-pop.rules
        Extracted: /tha_rules/VRT-browser-plugins.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-file-flash.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
        Extracted: /tha_rules/VRT-server-mysql.rules
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-server-iis.rules
        Extracted: /tha_rules/VRT-app-detect.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
Cleanup....
        removed 119 temporary snort files or directories from /tmp/tha_rules!
Fly Piggy Fly!

