[Snort-users] snort and snort-rules/ET alerts

James Lay jlay at ...13475...
Fri Dec 2 15:44:49 EST 2016


I think your snort-snapshot file needs to have a version number, not 
just "snort-snapshot.tar.gz" if I'm not mistaken.

James

On 2016-12-02 13:35, Keith Pachulski wrote:
> Thanks guys.  I'll give this a shot and see what happens, will post an
> update later. Stuck in a meeting and laptop battery just died.
> 
> On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk"
> <shirkdog.bsd at ...11827...> wrote:
> 
> If it does not work, run the latest pulledpork with -vvv to see where
> things are at, and post it as an issue on the GitHub repo.
> 
> The Snort policy is a special case, but without using -l, all SIG's
> should be processed and loaded up, as this is how it works for me.
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
> 
> On Dec 2, 2016 3:22 PM, "Keith Pachulski"
> <keith.pachulski at ...17691...> wrote:
> 
>> For giggles' sake I reran it as: /home/snort/pulledpork/pulledpork.pl
>> -c /home/snort/pulledpork/etc/pulledpork.conf -I security
>> 
>> HUP’d snort..waiting to see what happens..so far just ET sigs and
>> preprocessors again
>> 
>> FROM: Joel Esler (jesler) [mailto:jesler at ...589...]
>> SENT: Friday, December 02, 2016 3:06 PM
>> TO: Y M
>> CC: Keith Pachulski; snort-users at lists.sourceforge.net
>> SUBJECT: Re: [Snort-users] snort and snort-rules/ET alerts
>> 
>> Is that intentional?  I thought the default behavior without policy
>> specification is “as is, shipped”.  If not, we should fix that
>> (It’s been awhile since I’ve actually _used_ pulledpork)
>> 
>> --
>> 
>> JOEL ESLER | TALOS: Manager | jesler at ...589...
>> 
>>> On Dec 2, 2016, at 2:52 PM, Y M <snort at ...15979...> wrote:
>>> 
>>> The PulledPork command does not specify any rules policy
>>> (connectivity, balanced, security) to allow PulledPork to enable the
>>> rules.
>>> 
>>> Try running PulledPork with -I <policy>.
>>> 
>>> Keep in mind that this may mess up your ET rules enablement since
>>> ET rules do not contain rules policy metadata.
>>> 
>>> YM
>>> 
>>> On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski"
>>> <keith.pachulski at ...17691...> wrote:
>>> 
>>> Pulledpork Cronjob
>>> 
>>> 0 0 * * * /home/snort/pulledpork/pulledpork.pl -c
>>> /home/snort/pulledpork/etc/pulledpork.conf
>>> 
>>> Pulledpork Config
>>> 
>>> 
>>> rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
>>> 
>>> rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
>>> 
>>> ignore=deleted.rules,experimental.rules
>>> 
>>> temp_path=/tmp
>>> 
>>> rule_path=/home/snort/rules/snort.rules
>>> 
>>> local_rules=/home/snort/rules/local.rules
>>> 
>>> sid_msg=/home/snort/rules/etc/sid-msg.map
>>> 
>>> sid_msg_version=1
>>> 
>>> sid_changelog=/home/snort/rules/pullpork-sid_changes.log
>>> 
>>> sorule_path=/usr/local/lib/snort_dynamicrules/
>>> 
>>> snort_path=/usr/local/bin/snort
>>> 
>>> config_path=/home/snort/rules/snort.conf
>>> 
>>> distro=Ubuntu-12-04
>>> 
>>> black_list=/home/snort/rules/black_list.rules
>>> 
>>> IPRVersion=/home/snort/rules/iplists
>>> 
>>> This message (including any attachments) is intended only for the
>>> use of the individual or entity to which it is addressed and may
>>> contain information that is non-public, proprietary, privileged,
>>> confidential, and exempt from disclosure under applicable law or
>>> may constitute as attorney work product. If you are not the
>>> intended recipient, you are hereby notified that any use,
>>> dissemination, distribution, or copying of this communication is
>>> strictly prohibited. If you have received this communication in
>>> error, notify us immediately by telephone and (i) destroy this
>>> message if a facsimile or (ii) delete this message immediately if
>>> this is an electronic communication.
>> 
>> 
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
> 
> 

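The thread turns on one mechanic: PulledPork's -I <policy> re-derives each rule's enabled state from the "policy <name>-ips" metadata inside the rule, and ET rules carry no such metadata, which is why YM warns that a policy can disturb ET enablement. The script below is an added example, not PulledPork's own code and not from anyone in the thread. It assumes a deliberately simplified model (a rule listing the chosen policy is enabled, every other rule is disabled; check the actual handling of metadata-less rules in the PulledPork version you run) and reports which previously enabled rules without policy metadata would be switched off, so an operator can re-enable them explicitly (PulledPork's enablesid list is the usual place) and can diff the rendered output against the generated snort.rules. All sample rules and SIDs are constructed.

```python
"""Added example (not PulledPork's own code): simulate what an IPS policy
(-I connectivity|balanced|security) does to rule enablement, and flag the
rules that lose their enabled state only because they carry no
'policy <name>-ips' metadata, which is the situation with ET rules."""
import re

# Constructed sample rule file: three VRT-style rules with policy metadata
# in different states plus one ET-style rule with no policy metadata.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"CONSTRUCTED security-only rule"; sid:9000001; rev:1; metadata:policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED balanced rule"; sid:9000002; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"CONSTRUCTED rule with service metadata only"; sid:9000003; rev:1; metadata:service dns;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CONSTRUCTED rule without policy metadata"; sid:2000001; rev:1;)
"""

# A rule line: optional leading '#' (disabled), an action, then a body ending in ')'.
RULE_RE = re.compile(
    r'^\s*(?P<off>#\s*)?(?P<body>(?:alert|drop|pass|log|reject|sdrop)\s.*\(.*\))\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
# 'policy security-ips drop' -> 'security'; also handles 'max-detect-ips'.
POLICY_RE = re.compile(r'\bpolicy\s+([A-Za-z-]+)-ips\b')


def parse_rules(text):
    """Return one dict per rule: sid, enabled flag, set of policies, rule body."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue          # blank lines and plain comments
        sid = SID_RE.search(m.group('body'))
        if not sid:
            continue          # a rule without a sid is malformed; skip it
        rules.append({
            'sid': int(sid.group(1)),
            'enabled': m.group('off') is None,
            'policies': set(POLICY_RE.findall(m.group('body'))),
            'body': m.group('body'),
        })
    return rules


def apply_policy(rules, policy):
    """Simplified -I model (assumption): enabled iff the rule lists <policy>-ips."""
    out = []
    for r in rules:
        r2 = dict(r)
        r2['enabled'] = policy in r['policies']
        out.append(r2)
    return out


def collateral_disables(before, after):
    """SIDs that were enabled, carry no policy metadata, and end up disabled.

    These are the rules the policy switch turns off as a side effect (ET in
    the thread); listing them for explicit re-enablement is the fix."""
    was_enabled = {r['sid'] for r in before if r['enabled']}
    return sorted(r['sid'] for r in after
                  if r['sid'] in was_enabled and not r['enabled'] and not r['policies'])


def render(rules):
    """Write the rules back out with '# ' in front of the disabled ones."""
    return '\n'.join(('' if r['enabled'] else '# ') + r['body'] for r in rules) + '\n'


if __name__ == '__main__':
    before = parse_rules(SAMPLE_RULES)
    for policy in ('connectivity', 'balanced', 'security'):
        after = apply_policy(before, policy)
        on = sorted(r['sid'] for r in after if r['enabled'])
        print(f"-I {policy}: enabled sids {on}, "
              f"collateral disables {collateral_disables(before, after)}")
    print(render(apply_policy(before, 'security')), end='')
```

Running it shows the point of the thread in one line per policy: the VRT-style rules follow their metadata, while the constructed ET-style SID 2000001 is reported under "collateral disables" for every policy because it has no policy keyword to match.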


