[Snort-users] snort and snort-rules/ET alerts

Marcin Dulak marcin.dulak at ...11827...
Fri Dec 2 22:31:56 EST 2016


snortrules-snapshot.tar.gz

On Sat, Dec 3, 2016 at 4:30 AM, Marcin Dulak <marcin.dulak at ...11827...> wrote:

> "snort-snapshot.tar.gz" alone should work, pulledpork will guess the
> version based on the snort version installed:
> https://github.com/shirkdog/pulledpork/blob/06177884f0c8ccb94c8fccdc0fa2a4206b4b6549/pulledpork.pl#L1977
>
> Marcin
>
> On Fri, Dec 2, 2016 at 10:41 PM, Joel Esler (jesler) <jesler at ...589...>
> wrote:
>
>> Correct.
>>
>> --
>> Joel Esler | Talos: Manager | jesler at ...589...
>>
>> On Dec 2, 2016, at 3:44 PM, James Lay <jlay at ...13475...> wrote:
>>
>> I think your snort-snapshot file needs to have a version number, not
>> just "snort-snapshot.tar.gz" if I'm not mistaken.
>>
>> James
>>
>> On 2016-12-02 13:35, Keith Pachulski wrote:
>>
>> Thanks guys. I'll give this a shot and see what happens, will post an
>> update later. Stuck in a meeting and laptop battery just died.
>>
>> On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk"
>> <shirkdog.bsd at ...11827...> wrote:
>>
>> If it does not work, run the latest pulledpork with -vvv to see where
>> things are at, and post it as an issue on the GitHub repo.
>>
>> The Snort policy is a special case, but without using -l, all SIGs
>> should be processed and loaded up, as this is how it works for me.
>>
>> --
>> Michael Shirk
>> Daemon Security, Inc.
>> http://www.daemon-security.com
>>
>> On Dec 2, 2016 3:22 PM, "Keith Pachulski"
>> <keith.pachulski at ...17691...> wrote:
>>
>> For giggles' sake I reran it as: /home/snort/pulledpork/pulledpork.pl
>> -c /home/snort/pulledpork/etc/pulledpork.conf -I security
>>
>> HUP'd snort, waiting to see what happens. So far just ET sigs and
>> preprocessors again.
>>
>> FROM: Joel Esler (jesler) [mailto:jesler at ...589...]
>> SENT: Friday, December 02, 2016 3:06 PM
>> TO: Y M
>> CC: Keith Pachulski; snort-users at lists.sourceforge.net
>> SUBJECT: Re: [Snort-users] snort and snort-rules/ET alerts
>>
>> Is that intentional?  I thought the default behavior without policy
>> specification is “as is, shipped”.  If not, we should fix that
>> (It’s been awhile since I’ve actually _used_ pulledpork)
>>
>> --
>>
>> JOEL ESLER | TALOS: Manager | jesler at ...589...
>>
>> On Dec 2, 2016, at 2:52 PM, Y M <snort at ...15979...> wrote:
>>
>> The PulledPork command does not specify any rules policy
>> (connectivity, balanced, security) to allow PulledPork to enable the
>> rules.
>>
>> Try running PulledPork with -I <policy>.
>>
>> Keep in mind that this may mess up your ET rules enablement since
>> ET rules do not contain rules policy metadata.
>>
>> YM
>>
>> On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski"
>> <keith.pachulski at ...17691...> wrote:
>>
>> Pulledpork Cronjob
>>
>> 0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf
>>
>> Pulledpork Config
>>
>> rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
>> rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
>> ignore=deleted.rules,experimental.rules
>> temp_path=/tmp
>> rule_path=/home/snort/rules/snort.rules
>> local_rules=/home/snort/rules/local.rules
>> sid_msg=/home/snort/rules/etc/sid-msg.map
>> sid_msg_version=1
>> sid_changelog=/home/snort/rules/pullpork-sid_changes.log
>> sorule_path=/usr/local/lib/snort_dynamicrules/
>> snort_path=/usr/local/bin/snort
>> config_path=/home/snort/rules/snort.conf
>> distro=Ubuntu-12-04
>> black_list=/home/snort/rules/black_list.rules
>> IPRVersion=/home/snort/rules/iplists
>>
>> This message (including any attachments) is intended only for the
>> use of the individual or entity to which it is addressed and may
>> contain information that is non-public, proprietary, privileged,
>> confidential, and exempt from disclosure under applicable law or
>> may constitute as attorney work product. If you are not the
>> intended recipient, you are hereby notified that any use,
>> dissemination, distribution, or copying of this communication is
>> strictly prohibited. If you have received this communication in
>> error, notify us immediately by telephone and (i) destroy this
>> message if a facsimile or (ii) delete this message immediately if
>> this is an electronic communication.
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
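As an added example (not code from the thread and not pulledpork's own implementation), the following models the enablement behaviour Y M and Joel discuss above: with no policy the rules keep their "as shipped" state, while `-I <policy>` enables only rules whose `metadata:policy <name>-ips <action>` tags name that policy and disables the rest, which is why ET rules, which carry no such metadata, drop out. The rule lines are constructed samples, and `parse_rules` and `apply_policy` are hypothetical helper names.

```python
import re

# Constructed sample rules (not from the thread): two VRT-style rules that
# carry policy metadata and one ET-style rule that carries none.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXAMPLE dns oddity"; sid:1000002; rev:1; metadata:policy security-ips alert;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXAMPLE outbound beacon"; sid:2000001; rev:1; classtype:trojan-activity;)
"""

# A rule line, optionally commented out ("disabled as shipped"), with its sid.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<body>(?:alert|drop|pass|log)\s.*\bsid:\s*(?P<sid>\d+)\s*;.*)$')
META_RE = re.compile(r'metadata:\s*([^;]*);')

def parse_rules(text):
    """Return one dict per rule line: sid, shipped enabled state, policy tags."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        policies = set()
        meta = META_RE.search(m.group('body'))
        if meta:
            for item in meta.group(1).split(','):
                parts = item.split()
                if len(parts) == 3 and parts[0] == 'policy':
                    policies.add((parts[1], parts[2]))  # e.g. ('security-ips', 'drop')
        rules.append({'sid': int(m.group('sid')),
                      'enabled': m.group('off') is None,
                      'policies': policies})
    return rules

def apply_policy(rules, policy=None):
    """Map sid -> enabled. No policy: keep the feed's as-shipped state.
    With a policy: enable only rules tagged for it, disable everything else."""
    if policy is None:
        return {r['sid']: r['enabled'] for r in rules}
    tag = policy + '-ips'
    return {r['sid']: any(name == tag for name, _ in r['policies']) for r in rules}

if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    for pol in (None, 'security'):
        print(pol or 'as shipped', apply_policy(parsed, pol))
```

Running it shows the ET-style sid 2000001 enabled in the as-shipped pass and disabled once `security` is selected, the effect Y M warns about.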