[Snort-users] snort and snort-rules/ET alerts

Keith Pachulski keith.pachulski at ...17691...
Fri Dec 2 15:35:38 EST 2016


Thanks guys. I'll give this a shot and see what happens, will post an update later. Stuck in a meeting and laptop battery just died.



On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk" <shirkdog.bsd at ...13610...> wrote:

If it does not work, run the latest pulledpork with -vvv to see where things are at, and post it as an issue on the GitHub repo.

The Snort policy is a special case, but without using -l, all SIGs should be processed and loaded up, as this is how it works for me.


--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 2, 2016 3:22 PM, "Keith Pachulski" <keith.pachulski at ...17691...> wrote:
For giggles' sake I reran it as: /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf -I security

HUP'd snort... waiting to see what happens... so far just ET sigs and preprocessors again.

From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Friday, December 02, 2016 3:06 PM
To: Y M
Cc: Keith Pachulski; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

Is that intentional? I thought the default behavior without policy specification is "as is, shipped". If not, we should fix that (it's been a while since I've actually used pulledpork).

--
Joel Esler | Talos: Manager | jesler at ...589...





On Dec 2, 2016, at 2:52 PM, Y M <snort at ...15979...> wrote:

The PulledPork command does not specify any rules policy (connectivity, balanced, security) to allow PulledPork to enable the rules.

Try running PulledPork with -I <policy>.

Keep in mind that this may mess up your ET rules enablement since ET rules do not contain rules policy metadata.

YM





On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski" <keith.pachulski at ...17691...> wrote:
Pulledpork Cronjob
0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf

Pulledpork Config
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/home/snort/rules/snort.rules
local_rules=/home/snort/rules/local.rules
sid_msg=/home/snort/rules/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/home/snort/rules/pullpork-sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/home/snort/rules/snort.conf
distro=Ubuntu-12-04
black_list=/home/snort/rules/black_list.rules
IPRVersion=/home/snort/rules/iplists

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.
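As an added example (not code from the thread, and not PulledPork's own implementation), the script below models the behaviour YM describes: with `-I <policy>`, rules whose metadata names that policy are enabled and every other rule is disabled, so a rule that carries no policy metadata at all, as the ET set does, ends up commented out. The sample rules and their sids are constructed, the `preserve_unlabelled` option is an assumption added to show what a safer treatment of unlabelled rules looks like, and `unlabelled_sids` is a pre-flight check you can run over a real `snort.rules` before relying on `-I`.

```python
import re

# Constructed sample rule set (not from the thread): two Snort-style rules that carry
# "metadata:policy <name>-ips <action>" tags, and one ET-style rule with no policy
# metadata at all. The first rule ships commented out, as many shipped rules do.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB probe"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-recon; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH password guessing"; flow:to_server,established; metadata:policy security-ips drop; classtype:attempted-admin; sid:9000002; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET EXAMPLE DNS query"; content:"|01 00 00 01|"; classtype:misc-activity; sid:2900001; rev:2;)
"""

ACTIONS = {"alert", "drop", "log", "pass", "reject", "sdrop"}
# Matches "policy balanced-ips drop", "policy security-ips alert", etc.
POLICY_RE = re.compile(r"policy\s+([a-z-]+)-ips\s+(drop|alert)")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def split_rule_line(line):
    """Return (was_commented, body): body is the rule text without a leading '#'."""
    stripped = line.strip()
    if stripped.startswith("#"):
        return True, stripped.lstrip("#").strip()
    return False, stripped


def is_rule(body):
    """True when the text looks like a Snort rule (action keyword plus a sid option)."""
    return body.split(" ", 1)[0] in ACTIONS and SID_RE.search(body) is not None


def policies_of(body):
    """Set of policy names in the rule's metadata, e.g. {'balanced', 'security'}."""
    return {name for name, _action in POLICY_RE.findall(body)}


def unlabelled_sids(rules_text):
    """Pre-flight check: sids of rules that carry no policy metadata (the ET case)."""
    result = []
    for line in rules_text.splitlines():
        _commented, body = split_rule_line(line)
        if is_rule(body) and not policies_of(body):
            result.append(int(SID_RE.search(body).group(1)))
    return result


def apply_policy(rules_text, policy, preserve_unlabelled=False):
    """Simplified model (an assumption, not PulledPork's code) of -I <policy>:
    a rule whose metadata names the policy is enabled, every other rule is disabled.
    With preserve_unlabelled=True, rules with no policy metadata are left untouched,
    which is the treatment you would want for a feed such as ET."""
    out, report = [], {}
    for line in rules_text.splitlines():
        _commented, body = split_rule_line(line)
        if not is_rule(body):
            out.append(line)  # comments, blank lines and other non-rule text pass through
            continue
        sid = int(SID_RE.search(body).group(1))
        names = policies_of(body)
        if policy in names:
            out.append(body)  # enable: drop any leading '#'
            report[sid] = "enabled"
        elif not names and preserve_unlabelled:
            out.append(line)  # keep the shipped state of an unlabelled rule
            report[sid] = "unchanged (no policy metadata)"
        elif not names:
            out.append("# " + body)  # this is what silently loses the ET rules
            report[sid] = "disabled (no policy metadata)"
        else:
            out.append("# " + body)  # labelled, but not for the chosen policy
            report[sid] = "disabled"
    return "\n".join(out) + "\n", report


def summarize(report):
    """Count rules per outcome so the effect of a policy choice is visible at a glance."""
    counts = {}
    for state in report.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    print("rules without policy metadata:", unlabelled_sids(SAMPLE_RULES))
    for pol in ("connectivity", "balanced", "security"):
        _text, rep = apply_policy(SAMPLE_RULES, pol)
        print(pol, summarize(rep))
```

Running the check against a merged `snort.rules` that mixes the Snort subscription set with ET shows at once how many sids would be turned off by a policy switch; the count of "disabled (no policy metadata)" is the number of ET rules the `-I` run would quietly comment out, which is the outcome YM warns about.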
