[Snort-users] Is there something about pulledpork 0.7.0 I'm not getting?

simegnew yihunie syihunie at ...11827...
Sun Jan 26 11:17:09 EST 2014


Thanks guys for the response, but let me explain my question. I want to
accelerate Snort using a GPU and compare it with the original Snort. And I
want to test using some text file which contains intrusions instead of a
real network. So, how can I feed these files to the packet decoder as
input?

On 1/26/14, Tony Robinson <deusexmachina667 at ...11827...> wrote:
> And just like that, it works.
>
> I knew it was something stupid on my part.
>
> Thanks for the help!
>
> On Sun, Jan 26, 2014 at 2:42 AM, Y M <snort at ...15979...> wrote:
>> Hi Tony,
>>
>> Did you try adding the -P to the PulledPork command? I am guessing that
>> since the second run of PulledPork does not download "new" rules, it does
>> not process the existing download from the first run. The -P will force
>> processing of the existing tarball.
>>
>> Thanks.
>> YM
>>
>> Date: Sun, 26 Jan 2014 02:31:19 -0500
>> From: deusexmachina667 at ...11827...
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Is there something about pulledpork 0.7.0 I'm not
>> getting?
>>
>>
>> So I'll admit, I'm a little bit late to the party. I hadn't realized
>> that PulledPork was updated nearly four months ago. Better late than
>> never, I guess.
>>
>> In any case, as a part of a side project of mine that I've talked
>> about on here before, I'm trying to integrate the newest version of
>> pulled pork into my scripts and I'm running into a strange issue.
>>
>> I have a script that calls pulledpork twice. The first time it calls
>> pulledpork with the -g or "grab only" option to just pull down the
>> rule files, and that's it. My script then unpacks the tarball and
>> copies everything out of "etc" from the snortrules-snapshot file
>> downloaded to where snort is installed and expects to find it. My
>> script then runs pulledpork again with the -S option, the -c option
>> (to my pulledpork.conf file), the -T option (text rules only) and the
>> -n option, telling it that all the files it should need to do its job
>> should be on the box already; don't try to download any files from the
>> net.
>>
>> The problem I'm running into is that running pulledpork.pl the second
>> time around appears to do absolutely nothing. Running pulledpork in
>> extra verbose mode seems to indicate that it unpacks the rules, then
>> deletes them; it doesn't create a snort.rules file, so_rules.rules file,
>> sid-msg.map file, or configure rules for a certain rule policy set
>> (e.g. "Security over Connectivity").
>>
>> Alternatively, if I run pulledpork without the -n option, everything
>> just works the way I'm expecting it to -- snort.rules gets made,
>> sid-msg.map gets created, and all is well with the universe.
>>
>> I've attached a copy of the pulledpork.conf I've used. It's stripped
>> down, but it works.
>>
>> It almost feels like if you use the grab-only option, or if there is a
>> snortrules-snapshot file in the working directory for pulledpork (/tmp
>> in my case) that pulledpork does nothing.
>>
>> I've attached the output from the following command:
>>
>> perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
>> 2.9.5.6 -T -vv
>>
>> "Run pulledpork, use my config file I provided. Download rules for
>> Snort 2.9.5.6, process text rules only, print all debug information."
>>
>> ...as the file "output1.txt" -- I figured attachments would probably be
>> better than spewing output all over the mailing list, using the exact
>> pulledpork config above. Everything works as expected. Tarballs are
>> pulled down, rules are processed, all is well with the world.
>>
>> I also ran the following command:
>>
>> perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
>> 2.9.5.6 -g -vv
>>
>> "Run pulledpork, use my config file I provided. Download rules for
>> Snort 2.9.5.6. Don't do any further processing. Print all debug info."
>>
>> ...as the file "output2.txt" -- This command seems to run as expected,
>> but according to verbose mode, it extracts all the rules, then removes
>> the files. It still results in the tarballs being downloaded and left in
>> /tmp to work with.
>>
>> perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
>> 2.9.5.6 -T -n -vv
>>
>> "Run pulledpork, use the config file I provided. Don't download
>> anything, but process rules for Snort 2.9.5.6, text rules only. Print
>> all debug info."
>>
>> ...as the file "output3.txt" -- This command doesn't seem to work at
>> all. It appears to extract the rule tarball twice then just bails out,
>> without processing any of the rules. So pulledpork knows the tarball
>> is in the working directory, extracts it, but does no rule processing
>> with it.
>>
>>
>>
>> So... my work-around for now is to just download and process the rules
>> up front, in one go, with the first command I ran. The rule tarball is
>> still there for me to do my thing with after pulledpork processes the
>> rules how I want it to.
>>
>> That's fine for me, but what about offline users who can't download
>> the rule tarball from the internet, and have to sneakernet the tarball
>> to the system they're running snort on (e.g. airgapped networks)?
>> Would this be considered a bug, or working as intended?
>>
>> Thank you for your insight in advance.
>>
>> --
>> when does reality end? when does fantasy begin?
>>
>>
>> ------------------------------------------------------------------------------
>> CenturyLink Cloud: The Leader in Enterprise Cloud Services. Learn Why
>> More
>> Businesses Are Choosing CenturyLink Cloud For Critical Workloads,
>> Development Environments & Everything In Between. Get a Quote or Start a
>> Free Trial Today.
>> http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
>> _______________________________________________ Snort-users mailing list
>> Snort-users at lists.sourceforge.net Go to this URL to change user options
>> or
>> unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> Please
>> visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>
> --
> when does reality end? when does fantasy begin?
>
>
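The two-phase workflow from the thread (grab with -g on a connected host, copy the tarball's etc/ files next to snort.conf, then process with -n on the sensor) as an added shell example, not code from the thread or from the PulledPork project; it adds the -P that the reply above suggests so the offline run actually processes the staged tarball. The PULLEDPORK, PP_CONF, SNORT_ETC and WORKDIR paths and the snortrules-snapshot-*.tar.gz file name are assumptions, overridable via the environment.

```shell
#!/bin/sh
# Added example (not from the thread or the PulledPork project). All paths
# below are assumptions; set them in the environment for a real sensor.
PULLEDPORK="${PULLEDPORK:-/usr/src/pulledpork/pulledpork.pl}"
PP_CONF="${PP_CONF:-/usr/src/pulledpork/etc/pulledpork.conf}"
SNORT_VER="${SNORT_VER:-2.9.5.6}"
SNORT_ETC="${SNORT_ETC:-/etc/snort}"
WORKDIR="${WORKDIR:-/tmp}"   # PulledPork's working directory (/tmp in the thread)

# Phase 1 (connected host): -g downloads the rule tarball and stops there.
pp_grab() {
    perl "$PULLEDPORK" -c "$PP_CONF" -S "$SNORT_VER" -g -vv
}

# Print the staged tarball path (first match if several); fail if none is staged.
# The file name pattern is an assumption about how the snapshot is named.
pp_find_tarball() {
    set -- "$WORKDIR"/snortrules-snapshot-*.tar.gz
    [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Copy the tarball's etc/ (classification.config and friends) into the Snort
# config directory, the step the script in the thread does between the two runs.
pp_unpack_etc() {
    tarball=$(pp_find_tarball) || { echo "no rule tarball in $WORKDIR" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    tar -xzf "$tarball" -C "$tmp" etc || { rm -rf "$tmp"; return 1; }
    cp -R "$tmp"/etc/. "$SNORT_ETC"/ && rm -rf "$tmp"
}

# Phase 2 (sensor, possibly air-gapped): -n skips the download; without -P
# PulledPork then sees nothing "new" and processes nothing, which is the
# behaviour reported above. -P forces it to process the staged tarball.
pp_process_offline() {
    pp_find_tarball >/dev/null || { echo "nothing staged; run pp_grab first" >&2; return 1; }
    perl "$PULLEDPORK" -c "$PP_CONF" -S "$SNORT_VER" -T -n -P -vv
}
```

Sneakernet the snortrules-snapshot tarball into WORKDIR on the sensor, then run pp_unpack_etc followed by pp_process_offline; pp_find_tarball refuses to run the processing step when nothing is staged.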