[Snort-users] Is there something about pulledpork 0.7.0 I'm not getting?

Tony Robinson deusexmachina667 at ...11827...
Sun Jan 26 02:55:29 EST 2014


And just like that, it works.

I knew it was something stupid on my part.

Thanks for the help!

On Sun, Jan 26, 2014 at 2:42 AM, Y M <snort at ...15979...> wrote:
> Hi Tony,
>
> Did you try adding the -P to the PulledPork command? I am guessing that
> since the second run of PulledPork does not download "new" rules, it does
> not process the existing download from the first run. The -P will force
> processing of the existing tarball.
>
> Thanks.
> YM
>
> Date: Sun, 26 Jan 2014 02:31:19 -0500
> From: deusexmachina667 at ...11827...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Is there something about pulledpork 0.7.0 I'm not
> getting?
>
>
> So I'll admit, I'm a little bit late to the party. I hadn't realized
> that pulledpork had been updated nearly four months ago. Better late than
> never, I guess.
>
> In any case, as a part of a side project of mine that I've talked
> about on here before, I'm trying to integrate the newest version of
> pulled pork into my scripts and I'm running into a strange issue.
>
> I have a script that calls pulledpork twice. The first time it calls
> pulledpork with the -g or "grab only" option to just pull down the
> rule files, and that's it. My script then unpacks the tarball and
> copies everything out of "etc" from the snortrules-snapshot file
> downloaded to where snort is installed and expects to find it. My
> script then runs pulledpork again with the -S option, the -c option
> (to my pulledpork.conf file), the -T option (text rules only) and the
> -n option, telling it that all the files it should need to do its job
> should be on the box already; don't try to download any files from the
> net.
>
> The problem I'm running into is that running pulledpork.pl the second
> time around appears to do absolutely nothing. Running pulledpork in
> extra verbose mode seems to indicate that it unpacks the rules, then
> deletes them; it doesn't create a snort.rules file, so_rules.rules file,
> or sid-msg.map file, or configure rules for a certain rule policy set
> (e.g. "Security over Connectivity").
>
> Alternatively, if I run pulledpork without the -n option, everything
> just works the way I'm expecting it to -- snort.rules gets made,
> sid-msg.map gets created, and all is well with the universe.
>
> I've attached a copy of the pulledpork.conf I've used. It's stripped
> down, but it works.
>
> It almost feels like if you use the grab-only option, or if there is a
> snortrules-snapshot file in the working directory for pulledpork (/tmp
> in my case), pulledpork does nothing.
>
> I've attached the output from the following command:
>
> perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
> 2.9.5.6 -T -vv
>
> "Run pulledpork, use my config file I provided. Download rules for
> Snort 2.9.5.6, process text rules only, print all debug information."
>
> ...as the file "output1.txt" -- I figured attachments would probably be
> better than spewing output all over the mailing list, using the exact
> pulledpork config above. Everything works as expected. Tarballs are
> pulled down, rules are processed, all is well with the world.
>
> I also ran the following command:
>
> perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
> 2.9.5.6 -g -vv
>
> "Run pulledpork, use my config file I provided. Download rules for
> Snort 2.9.5.6. Don't do any further processing. Print all debug info."
>
> ...as the file "output2.txt" -- This command seems to run as expected,
> but according to verbose mode, it extracts all the rules, then removes
> the files. It still results in the tarballs being downloaded and left in
> /tmp to work with.
>
> perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
> 2.9.5.6 -T -n -vv
>
> "Run pulledpork, use the config file I provided. Don't download
> anything, but process rules for Snort 2.9.5.6, text rules only. Print
> all debug info."
>
> ...as the file "output3.txt" -- This command doesn't seem to work at
> all. It appears to extract the rule tarball twice then just bails out,
> without processing any of the rules. So pulledpork knows the tarball
> is in the working directory, extracts it, but does no rule processing
> with it.
>
>
>
> So... my work-around for now is to just download and process the rules
> up front, in one go, with the first command I ran. The rule tarball is
> still there for me to do my thing with after pulledpork processes the
> rules how I want it to.
>
> That's fine for me, but what about offline users who can't download
> the rule tarball from the internet, and have to sneakernet the tarball
> to the system they're running snort on (e.g. airgapped networks)?
> Would this be considered a bug, or working as intended?
>
> Thank you for your insight in advance.
>
> --
> when does reality end? when does fantasy begin?
>
>



-- 
when does reality end? when does fantasy begin?
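
The offline ("sneakernet") two-stage workflow the thread ends up with, written out as an added example. This is not code from the thread, from Tony's scripts or from PulledPork itself: stage 1 downloads with -g on a connected host, the tarball is carried to the air-gapped sensor together with a hash recorded at download time, and stage 2 processes it with -n plus the -P that YM's reply identified as the missing flag. Assumptions not stated in the thread: the snapshot tarball unpacks to top-level etc/, rules/ and so_rules/ directories, sha256sum is available (Linux coreutils), and the paths in the usage comment are illustrative only.

```shell
#!/bin/sh
# Added example; not code from the thread, from Tony's scripts or from PulledPork.
# Offline two-stage PulledPork 0.7.0 workflow based on the fix YM gave above:
# -n skips the download, -P forces processing of the tarball that is already
# sitting in PulledPork's temp_path (/tmp in the thread).
#
# Assumptions, not stated in the thread: the snapshot tarball unpacks to
# top-level etc/, rules/, so_rules/ directories; sha256sum is available
# (Linux coreutils); the paths used in the usage comment are illustrative.

# Stage 1, on a connected host (PulledPork's own grab-only run):
#   perl pulledpork.pl -c pulledpork.conf -S 2.9.5.6 -g -vv
# then record a hash of the tarball to carry across with it:
#   sha256sum snortrules-snapshot-2956.tar.gz > snortrules-snapshot-2956.tar.gz.sha256

# Check the carried-over tarball against the hash recorded on the download
# host before anything is unpacked on the sensor. Exit status 0 on a match.
verify_tarball() {
    tarball=$1; expected=$2
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Copy only the tarball's etc/ (classification.config, reference.config,
# gen-msg.map, unicode.map and friends) into Snort's config directory, the
# step the original script did by hand. rules/ and so_rules/ are deliberately
# left inside the tarball for PulledPork to process.
stage_etc() {
    tarball=$1; snort_etc=$2
    work=$(mktemp -d) || return 1
    if ! tar -xzf "$tarball" -C "$work" etc; then
        rm -rf "$work"; return 1
    fi
    mkdir -p "$snort_etc" && cp -R "$work"/etc/. "$snort_etc"/
    rc=$?
    rm -rf "$work"
    return $rc
}

# Stage 2 command line for the air-gapped sensor: text rules only (-T), no
# network (-n), and -P so the existing tarball is actually processed rather
# than unpacked and discarded, which is what -n alone did in the thread.
# Printed rather than executed so it can be reviewed or logged first.
pp_offline_cmd() {
    conf=$1; snort_ver=$2
    echo perl pulledpork.pl -c "$conf" -S "$snort_ver" -T -n -P -vv
}

# Usage on the sensor, with the tarball already copied into temp_path
# (e.g. /tmp/snortrules-snapshot-2956.tar.gz) and the recorded hash to hand:
#   verify_tarball /tmp/snortrules-snapshot-2956.tar.gz "$recorded_sha256" || exit 1
#   stage_etc /tmp/snortrules-snapshot-2956.tar.gz /etc/snort || exit 1
#   $(pp_offline_cmd /usr/src/pulledpork-0.7.0/etc/pulledpork.conf 2.9.5.6)
```

The hash check is the part PulledPork cannot do for you offline: when it downloads, it compares the tarball against the published .md5, but a tarball that arrived on removable media has no such reference unless you carried one with it. Keep the tarball's filename as PulledPork expects it for the -S version you pass, since the thread shows it locating the file in the working directory by name.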