<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style>
<!--
@font-face
        {font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline}
span.EmailStyle17
        {font-family:"Calibri","sans-serif";
        color:windowtext}
.MsoChpDefault
        {font-family:"Calibri","sans-serif"}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
div.WordSection1
        {}
-->
</style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Guys,</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’m having a little trouble wrapping my head around the snort and pulled pork interaction.  In the snort.conf file, the following rules are defined (by default):</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">include $RULE_PATH/attack-responses.rules</p>
<p class="MsoNormal">include $RULE_PATH/backdoor.rules</p>
<p class="MsoNormal">include $RULE_PATH/bad-traffic.rules</p>
<p class="MsoNormal">include $RULE_PATH/blacklist.rules</p>
<p class="MsoNormal">include $RULE_PATH/botnet-cnc.rules</p>
<p class="MsoNormal">include $RULE_PATH/chat.rules</p>
<p class="MsoNormal">include $RULE_PATH/content-replace.rules</p>
<p class="MsoNormal">include $RULE_PATH/ddos.rules</p>
<p class="MsoNormal">include $RULE_PATH/dns.rules</p>
<p class="MsoNormal">include $RULE_PATH/dos.rules</p>
<p class="MsoNormal">include $RULE_PATH/exploit.rules</p>
<p class="MsoNormal">include $RULE_PATH/file-identify.rules</p>
<p class="MsoNormal">include $RULE_PATH/finger.rules</p>
<p class="MsoNormal">include $RULE_PATH/ftp.rules</p>
<p class="MsoNormal">include $RULE_PATH/icmp.rules</p>
<p class="MsoNormal">include $RULE_PATH/icmp-info.rules</p>
<p class="MsoNormal">include $RULE_PATH/imap.rules</p>
<p class="MsoNormal">include $RULE_PATH/info.rules</p>
<p class="MsoNormal">include $RULE_PATH/misc.rules</p>
<p class="MsoNormal">include $RULE_PATH/multimedia.rules</p>
<p class="MsoNormal">include $RULE_PATH/mysql.rules</p>
<p class="MsoNormal">include $RULE_PATH/netbios.rules</p>
<p class="MsoNormal">include $RULE_PATH/nntp.rules</p>
<p class="MsoNormal">include $RULE_PATH/oracle.rules</p>
<p class="MsoNormal">include $RULE_PATH/other-ids.rules</p>
<p class="MsoNormal">include $RULE_PATH/p2p.rules</p>
<p class="MsoNormal">include $RULE_PATH/phishing-spam.rules</p>
<p class="MsoNormal">include $RULE_PATH/policy.rules</p>
<p class="MsoNormal">include $RULE_PATH/pop2.rules</p>
<p class="MsoNormal">include $RULE_PATH/pop3.rules</p>
<p class="MsoNormal">include $RULE_PATH/rpc.rules</p>
<p class="MsoNormal">include $RULE_PATH/rservices.rules</p>
<p class="MsoNormal">include $RULE_PATH/scada.rules</p>
<p class="MsoNormal">include $RULE_PATH/scan.rules</p>
<p class="MsoNormal">include $RULE_PATH/shellcode.rules</p>
<p class="MsoNormal">include $RULE_PATH/smtp.rules</p>
<p class="MsoNormal">include $RULE_PATH/snmp.rules</p>
<p class="MsoNormal">include $RULE_PATH/specific-threats.rules</p>
<p class="MsoNormal">include $RULE_PATH/spyware-put.rules</p>
<p class="MsoNormal">include $RULE_PATH/sql.rules</p>
<p class="MsoNormal">include $RULE_PATH/telnet.rules</p>
<p class="MsoNormal">include $RULE_PATH/tftp.rules</p>
<p class="MsoNormal">include $RULE_PATH/virus.rules</p>
<p class="MsoNormal">include $RULE_PATH/voip.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-activex.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-attacks.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-cgi.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-client.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-coldfusion.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-frontpage.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-iis.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-misc.rules</p>
<p class="MsoNormal">include $RULE_PATH/web-php.rules</p>
<p class="MsoNormal">include $RULE_PATH/x11.rules</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">When I compile snort, the $RULE_PATH directory isn’t created.  I create it by `mkdir /opt/snort/rules`.  I then run pulled pork with the following command:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">./pulledpork.pl -c /opt/pulledpork/etc/pulledpork.conf -o /opt/snort/rules/ -i /opt/pulledpork/etc/disablesid.conf -T –H</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The only file that shows up is `snort.rules`  where are all of the other files that are specified in the snort.conf? 
</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
</div>
This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the
 intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your
 computer system. Your assistance in correcting this error is appreciated.
</body>
</html>