[Snort-users] snort and snort-rules/ET alerts

Marcin Dulak marcin.dulak at ...11827...
Fri Dec 2 22:30:30 EST 2016


"snort-snapshot.tar.gz" alone should work, pulledpork will guess the
version based on the snort version installed:
https://github.com/shirkdog/pulledpork/blob/06177884f0c8ccb94c8fccdc0fa2a4206b4b6549/pulledpork.pl#L1977

Marcin

On Fri, Dec 2, 2016 at 10:41 PM, Joel Esler (jesler) <jesler at ...589...>
wrote:

> Correct.
>
> --
> Joel Esler | Talos: Manager | jesler at ...589...
>
> On Dec 2, 2016, at 3:44 PM, James Lay <jlay at ...13475...> wrote:
>
> I think your snort-snapshot file needs to have a version number, not
> just "snort-snapshot.tar.gz" if I'm not mistaken.
>
> James
>
> On 2016-12-02 13:35, Keith Pachulski wrote:
>
> Thanks guys.  I'll give this a shot and see what happens, will post an
> update later. Stuck in a meeting and laptop battery just died.
>
> On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk"
> <shirkdog.bsd at ...11827...> wrote:
>
> If it does not work, run the latest pulledpork with -vvv to see where
> things are at, and post it as an issue on the GitHub repo.
>
> The Snort policy is a special case, but without using -I, all SIGs
> should be processed and loaded up, as this is how it works for me.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>
> On Dec 2, 2016 3:22 PM, "Keith Pachulski"
> <keith.pachulski at ...17691...> wrote:
>
> For giggles' sake I reran it as: /home/snort/pulledpork/pulledpork.pl
> -c /home/snort/pulledpork/etc/pulledpork.conf -I security
>
> HUP'd snort, waiting to see what happens. So far just ET sigs and
> preprocessors again.
>
> From: Joel Esler (jesler) [mailto:jesler at ...589...]
> Sent: Friday, December 02, 2016 3:06 PM
> To: Y M
> Cc: Keith Pachulski; snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort and snort-rules/ET alerts
>
> Is that intentional?  I thought the default behavior without policy
> specification is "as is, shipped".  If not, we should fix that.
> (It's been a while since I've actually _used_ pulledpork.)
>
> --
> Joel Esler | Talos: Manager | jesler at ...589...
>
> On Dec 2, 2016, at 2:52 PM, Y M <snort at ...15979...> wrote:
>
> The PulledPork command does not specify any rules policy
> (connectivity, balanced, security) to allow PulledPork to enable the
> rules.
>
> Try running PulledPork with -I <policy>.
>
> Keep in mind that this may mess up your ET rules enablement since
> ET rules do not contain rules policy metadata.
>
> YM
>
> On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski"
> <keith.pachulski at ...17691...> wrote:
>
> Pulledpork Cronjob
>
> 0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf
>
> Pulledpork Config
>
> rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
> rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
> ignore=deleted.rules,experimental.rules
> temp_path=/tmp
> rule_path=/home/snort/rules/snort.rules
> local_rules=/home/snort/rules/local.rules
> sid_msg=/home/snort/rules/etc/sid-msg.map
> sid_msg_version=1
> sid_changelog=/home/snort/rules/pullpork-sid_changes.log
> sorule_path=/usr/local/lib/snort_dynamicrules/
> snort_path=/usr/local/bin/snort
> config_path=/home/snort/rules/snort.conf
> distro=Ubuntu-12-04
> black_list=/home/snort/rules/black_list.rules
> IPRVersion=/home/snort/rules/iplists
>
> This message (including any attachments) is intended only for the
> use of the individual or entity to which it is addressed and may
> contain information that is non-public, proprietary, privileged,
> confidential, and exempt from disclosure under applicable law or
> may constitute as attorney work product. If you are not the
> intended recipient, you are hereby notified that any use,
> dissemination, distribution, or copying of this communication is
> strictly prohibited. If you have received this communication in
> error, notify us immediately by telephone and (i) destroy this
> message if a facsimile or (ii) delete this message immediately if
> this is an electronic communication.
>
> ------------------------------------------------------------------------------
>
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot [4]
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users [5]
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> [6]
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20161203/dcf3556f/attachment.html>
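The thread turns on two things a practitioner wants to verify on disk rather than guess at: whether the Talos rules in the generated rule_path actually came out enabled (uncommented) after the run, and what adding -I <policy> would do to rules that carry no policy metadata, which is the ET risk YM points out. The following Python script is an added example for this page, not pulledpork's own code and not posted by anyone in the thread. It parses a pulledpork-style rules file, summarizes enabled/disabled SIDs and their policy tags, and approximates the effect of -I using a simplified model (rules tagged with the policy are enabled, everything else is disabled unless protected by enablesid.conf). The sample rules, SIDs and that model are constructed assumptions; the real check is to diff rule_path before and after a run.

```python
import re
from collections import Counter

# Constructed sample in pulledpork output style (not real Talos or ET content).
# SIDs 900001/900002 imitate Talos rules that carry policy metadata; 2900003
# imitates an ET rule, which carries no policy metadata at all.
SAMPLE_RULES = """\
# ----- Begin constructed sample rules -----
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE Talos-style rule"; flow:to_server,established; content:"|FF|SMB"; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:900001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE Talos-style rule, security policy only"; flow:to_server,established; content:"GET"; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:900002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE ET-style rule, no policy metadata"; flow:established; content:"evil"; classtype:trojan-activity; sid:2900003; rev:2;)
"""

# pulledpork disables a rule by prefixing the whole line with "# ".
RULE_RE = re.compile(
    r"^(?P<comment>#\s*)?(?P<action>alert|drop|pass|log|sdrop|reject)"
    r"\s+\S+\s+.*?\((?P<body>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata\s*:([^;]*);")
POLICY_RE = re.compile(r"\bpolicy\s+([\w-]+)\s+(?:drop|alert)\b")

# -I connectivity|balanced|security corresponds to these metadata policy names.
POLICY_TAG = {
    "connectivity": "connectivity-ips",
    "balanced": "balanced-ips",
    "security": "security-ips",
}


def parse_rules(text):
    """Return one dict per rule line: sid, enabled flag, list of policy tags."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # blank lines, banners and ordinary comments
        sid = SID_RE.search(m.group("body"))
        if not sid:
            continue
        meta = META_RE.search(m.group("body"))
        policies = POLICY_RE.findall(meta.group(1)) if meta else []
        rules.append({
            "sid": int(sid.group(1)),
            "enabled": m.group("comment") is None,
            "policies": policies,
        })
    return rules


def summarize(rules):
    """Totals to eyeball after a pulledpork run: enabled/disabled counts, how many
    rules carry each policy tag, and enabled SIDs that have no policy metadata."""
    tags = Counter(tag for r in rules for tag in r["policies"])
    return {
        "enabled": sum(r["enabled"] for r in rules),
        "disabled": sum(not r["enabled"] for r in rules),
        "policy_counts": dict(tags),
        "enabled_without_policy": [r["sid"] for r in rules
                                   if r["enabled"] and not r["policies"]],
    }


def simulate_policy(rules, policy):
    """Approximate which SIDs a run with -I <policy> would flip.
    Assumed simplified model, not pulledpork's code: rules tagged with the policy
    are enabled, every other rule is disabled (enablesid.conf exceptions ignored).
    Untagged ET rules therefore show up in the 'disable' list."""
    tag = POLICY_TAG[policy]
    return {
        "enable": [r["sid"] for r in rules if tag in r["policies"] and not r["enabled"]],
        "disable": [r["sid"] for r in rules if tag not in r["policies"] and r["enabled"]],
    }


if __name__ == "__main__":
    import sys
    # Pass the rule_path from pulledpork.conf, e.g. /home/snort/rules/snort.rules
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    parsed = parse_rules(text)
    print(summarize(parsed))
    for pol in POLICY_TAG:
        print(pol, simulate_policy(parsed, pol))
```

Run it against the rule_path from the config after the cron job fires and again after adding -I security; if the second run's "disable" list is full of ET SIDs, those are the rules to pin in enablesid.conf before relying on the policy flag.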