[Snort-users] snort and snort-rules/ET alerts

Michael Shirk shirkdog.bsd at ...11827...
Fri Dec 2 15:28:21 EST 2016


If it does not work, run the latest pulledpork with -vvv to see where
things are at, and post it as an issue on the GitHub repo.

The Snort policy is a special case, but without using -l, all SIGs should
be processed and loaded up, as this is how it works for me.


--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 2, 2016 3:22 PM, "Keith Pachulski" <
keith.pachulski at ...17691...> wrote:

> For giggles sake I reran it as: /home/snort/pulledpork/pulledpork.pl -c
> /home/snort/pulledpork/etc/pulledpork.conf -I security
>
>
>
> HUP'd snort... waiting to see what happens... so far just ET sigs and
> preprocessors again
>
>
>
> *From:* Joel Esler (jesler) [mailto:jesler at ...589...]
> *Sent:* Friday, December 02, 2016 3:06 PM
> *To:* Y M
> *Cc:* Keith Pachulski; snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] snort and snort-rules/ET alerts
>
>
>
> Is that intentional?  I thought the default behavior without policy
> specification is “as is, shipped”.  If not, we should fix that (It’s been
> awhile since I’ve actually *used* pulledpork)
>
>
>
> *--*
>
> *Joel Esler *| *Talos:* Manager | jesler at ...589...
>
> On Dec 2, 2016, at 2:52 PM, Y M <snort at ...15979...> wrote:
>
>
>
> The PulledPork command does not specify any rules policy (connectivity,
> balanced, security) to allow PulledPork to enable the rules.
>
>
>
> Try running PulledPork with -I <policy>.
>
>
>
> Keep in mind that this may mess up your ET rules enablement since ET rules
> do not contain rules policy metadata.
>
>
>
> YM
>
> On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski" <keith.pachulski@
> healthnetworklabs.com> wrote:
>
> Pulledpork Cronjob
>
> 0 0 * * * /home/snort/pulledpork/pulledpork.pl -c
> /home/snort/pulledpork/etc/pulledpork.conf
>
>
>
> Pulledpork Config
>
> rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
> rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
> ignore=deleted.rules,experimental.rules
> temp_path=/tmp
> rule_path=/home/snort/rules/snort.rules
> local_rules=/home/snort/rules/local.rules
> sid_msg=/home/snort/rules/etc/sid-msg.map
> sid_msg_version=1
> sid_changelog=/home/snort/rules/pullpork-sid_changes.log
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/home/snort/rules/snort.conf
> distro=Ubuntu-12-04
> black_list=/home/snort/rules/black_list.rules
> IPRVersion=/home/snort/rules/iplists
>
>
>
> This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i) destroy
> this message if a facsimile or (ii) delete this message immediately if this
> is an electronic communication.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
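The enablement behaviour the thread describes (no -I: rules are left as shipped; -I <policy>: a rule is switched on only if its metadata carries that policy, so ET rules, which have no policy metadata, drop out) can be seen on a small rule file. The following Python is an added illustration written for this page, not pulledpork's own code. The rule lines and SIDs are constructed samples, and the always_enable parameter is an assumed stand-in for an enablesid-style override; it is not a pulledpork option.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rule file (not from the original post). SIDs are illustrative.
# Rules 1000001/1000002 ship commented out, as many Snort rules do; 2000001 and
# 2000002 carry no policy metadata, the situation ET rules are in.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE balanced+security"; flow:to_server; content:"/cmd.exe"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE security only"; flow:to_server; content:"/shell.php"; metadata:policy security-ips drop, service http; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE connectivity only"; flow:to_server; content:"SITE EXEC"; metadata:policy connectivity-ips drop, service ftp; sid:1000003; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"SAMPLE no policy metadata, like an ET rule"; content:"|01 00 00 01|"; offset:2; depth:4; sid:2000001; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE shipped disabled, no policy metadata"; content:"foo"; sid:2000002; rev:1;)
"""

POLICIES = ("connectivity", "balanced", "security")

_POLICY_RE = re.compile(r"policy\s+([a-z-]+?)-ips\s+(\w+)")  # "policy balanced-ips drop"
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_META_RE = re.compile(r"\bmetadata\s*:([^;]*);")


@dataclass
class Rule:
    sid: int
    shipped_enabled: bool                          # False if the line was commented out
    policies: dict = field(default_factory=dict)   # policy name -> action from metadata
    body: str = ""                                 # rule text without the leading "# "


def parse_rules(text):
    """Parse rule lines, keeping commented-out rules but marking them disabled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        if not body.startswith(("alert", "drop", "pass", "log", "reject", "sdrop")):
            continue  # an ordinary comment, not a disabled rule
        sid = _SID_RE.search(body)
        if not sid:
            continue
        policies = {}
        meta = _META_RE.search(body)
        if meta:
            for name, action in _POLICY_RE.findall(meta.group(1)):
                policies[name] = action
        rules.append(Rule(int(sid.group(1)), enabled, policies, body))
    return rules


def enablement(rules, policy=None, always_enable=frozenset()):
    """Return {sid: enabled}. With no policy, rules stay as shipped. With a policy,
    a rule is on only if its metadata lists that policy, so untagged rules (ET,
    local) are switched off unless their SID is in always_enable (assumed stand-in
    for an enablesid-style override)."""
    if policy is not None and policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    states = {}
    for r in rules:
        on = r.shipped_enabled if policy is None else policy in r.policies
        states[r.sid] = on or r.sid in always_enable
    return states


def untagged_sids(rules):
    """SIDs that carry no policy metadata: the ones a policy run will silence."""
    return sorted(r.sid for r in rules if not r.policies)


def render(rules, states):
    """Write the rule file back with disabled rules commented out."""
    return "\n".join(("" if states[r.sid] else "# ") + r.body for r in rules) + "\n"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pol in (None, "security"):
        print(f"--- policy={pol} ---")
        print(render(rules, enablement(rules, pol)))
    print("SIDs with no policy metadata:", untagged_sids(rules))
    print("--- policy=security with 2000001 forced on ---")
    print(render(rules, enablement(rules, "security", always_enable={2000001})))
```

Running it shows the two outcomes from the thread side by side: with no policy the file is written as shipped (only 1000003 and 2000001 on); with -I security the two policy-tagged Snort rules come on and the untagged rule 2000001 goes off, which is the ET breakage Y M warns about. untagged_sids is the check to run before switching to a policy: any SID it lists needs an explicit enable entry or it will be silenced.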