<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.xmsonormal, li.xmsonormal, div.xmsonormal
        {mso-style-name:x_msonormal;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.xmsoacetate, li.xmsoacetate, div.xmsoacetate
        {mso-style-name:x_msoacetate;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.xmsochpdefault, li.xmsochpdefault, div.xmsochpdefault
        {mso-style-name:x_msochpdefault;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
span.xmsohyperlink
        {mso-style-name:x_msohyperlink;
        color:blue;
        text-decoration:underline;}
span.xmsohyperlinkfollowed
        {mso-style-name:x_msohyperlinkfollowed;
        color:purple;
        text-decoration:underline;}
span.xballoontextchar
        {mso-style-name:x_balloontextchar;
        font-family:"Tahoma","sans-serif";}
span.xemailstyle19
        {mso-style-name:x_emailstyle19;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
span.EmailStyle26
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks – but I still have to process the tarball, correct? Not just other rules files (I know, it sounds weird)…. But we process the rules on our management station and then push them out to the sensors… so the rules look just like we want them to (what is enabled, disabled, etc… for each sensor) when we push them…. Just need the sid-msg.map file.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I will keep searching for a solution.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> JJ Cummings [mailto:cummingsj@...11827...] 
<br><b>Sent:</b> Thursday, July 11, 2013 2:33 PM<br><b>To:</b> Y M<br><b>Cc:</b> Starner, Mark; snort-users@...974...rceforge.net<br><b>Subject:</b> Re: [Snort-users] Pulled Pork Question<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Specify it like you would local.rules for any other custom rules file...<br><br>Sent from the iRoad<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'><br>On Jul 11, 2013, at 12:26, Y M &lt;<a href="mailto:snort@...15979...">snort@...15979...</a>&gt; wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Sorry if I didn't make it clear. You still need to have the rules tarball stored in your /tmp directory, since pulledpork will extract and massage the rules into the snort.rules file.<br><br>PulledPork processes the individual rules files from the rules snapshot, takes into account the local rules file as configured in the pulledpork.conf file, and populates the sid-msg.map file. If you have the emerging threats tarball in the /tmp directory and enable the ET URL in the pulledpork.conf file, PulledPork will also process these and populate the sid-msg.map. 
With this, you now have the VRT, ET and local rules all populated in the sid-msg.map file, but all rules are in the snort.rules file (you can still keep the individual rules files separate if you want, using the -k option).<br><br>As for company.rules, I have no knowledge of PulledPork being able to include custom/dynamic rules files other than the ones specified above.<o:p></o:p></span></p></div></div><div><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><a href="mailto:mark.starner@...5850...">Starner, Mark</a></span><br><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Sent: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>7/11/2013 9:09 PM</span><br><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>To: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><a href="mailto:snort@...15979...">Y M</a>; <a href="mailto:snort-users@...974...rceforge.net">snort-users@lists.sourceforge.net</a></span><br><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Subject: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>RE: [Snort-users] Pulled Pork Question</span><o:p></o:p></p></div><div><div><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Almost – I have 4 rules files:</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>snort.rules </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>emerging-threats.rules</span><o:p></o:p></p><p class=xmsonormal><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>company.rules – private rules used on all sensors</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>local.rules – rules just for this sensor</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>This lets me manage which rules are in use without having to regenerate one big file.</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So I don’t need the consolidated snort.rules, but I could throw that away I guess…. I will try it.</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I made a pulledpork.conf file:</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>rule_url=<a href="https://www.snort.org/sub-rules/|snortrules-snapshot-2946.tar.gz|8e6c29d606b91be14b8a29cc23157051deac3047">https://www.snort.org/sub-rules/|snortrules-snapshot-2946.tar.gz|8e6c29d606b91be14b8a29cc23157051deac3047</a></span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>#ignore=deleted.rules,experimental.rules,local.rules,sensitive-data</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>temp_path=/tmp</span><o:p></o:p></p><p class=xmsonormal><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>rule_path=/tmp/rules</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>sid_msg=/tmp/sid-msg.map</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>snort_path=/usr/bin/snort</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>version=0.6.0</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(it seems to need rule_url even though I am not downloading anything)</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Then ran: </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>pulledpork.pl -n -c ./pulledpork.conf</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>And got: file /tmp//snortrules-snapshot-2946.tar.gz does not exist!</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>So it is still looking for the Snapshot file….. 
</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t see an option which allows me to specify a directory to read .rules files from…. What am I missing????</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Mark</span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><o:p></o:p></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=xmsonormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Y M [<a href="mailto:snort@...15979...">mailto:snort@...846....15979...</a>] <br><b>Sent:</b> Thursday, July 11, 2013 1:24 PM<br><b>To:</b> Starner, Mark; <a href="mailto:snort-users@lists.sourceforge.net">snort-users@lists.sourceforge.net</a><br><b>Subject:</b> RE: [Snort-users] Pulled Pork Question</span><o:p></o:p></p></div></div><p class=xmsonormal> <o:p></o:p></p><div><div><p class=xmsonormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>If you use -n with your PulledPork, it will not download the ruleset from Snort website, instead it will process a local ruleset (default directory is 
/tmp). This will generate the sid-msg.map as well as the snort.rules file, given the configuration set up in your pulledpork.conf file. Is this what you are after?<br><br>Sent from my Windows Phone</span><o:p></o:p></p></div></div><div><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><p class=xmsonormal style='margin-bottom:12.0pt'><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><a href="mailto:mark.starner@...5850...">Starner, Mark</a></span><br><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Sent: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>7/11/2013 7:57 PM</span><br><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>To: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><a href="mailto:snort-users@lists.sourceforge.net">snort-users@...974...rceforge.net</a></span><br><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Subject: </span></b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>[Snort-users] Pulled Pork Question</span><o:p></o:p></p></div><div><div><p class=xmsonormal style='margin-bottom:12.0pt'>Is there a combination of options to Pulled Pork (running 0.6.1 right now)<br>to only generate the sid-msg.map file?<br>I.e. I give it a list of rules files, or a directory holding rules files, and<br>all it does is generate the sid-msg.map file?<br><br>My sid-msg.map file is different on each sensor I have, because each sensor<br>may have local rules only on that sensor. 
So while I use PP to do everything<br>else, I generate the sid-msg.map file on the sensor itself once I push the<br>new rules to it.<br><br>I have been using the old create_sidmap.pl file from oinkmaster (but it<br>looks like it will be difficult to modify to support sid-msg.map v2).<br><br>So I would like to use PP to do this, and upgrade to the newer version that<br>supports v2 of the sid-msg.map file.<br><br>Thanks<br>Mark<br><br><o:p></o:p></p></div></div></div></div></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal>_______________________________________________<br>Snort-users mailing list<br><a href="mailto:Snort-users@...3783...net">Snort-users@lists.sourceforge.net</a><br>Go to this URL to change user options or unsubscribe:<br><a href="https://lists.sourceforge.net/lists/listinfo/snort-users">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>Snort-users list archive:<br><a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br><br>Please visit <a href="http://blog.snort.org">http://blog.snort.org</a> to stay current on all the latest Snort news!<o:p></o:p></p></div></blockquote></div></body></html>
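<p>The thread ends without a way to get only a sid-msg.map out of a directory of .rules files, which is what Mark asks for at the start and again in his last message ("just need the sid-msg.map file"). The script below is an added example, not PulledPork, oinkmaster or any poster's code, that does exactly that: it reads a directory of .rules files (the snort.rules, emerging-threats.rules, company.rules and local.rules set Mark describes, or any other) and writes a sid-msg.map in the v2 layout without touching a rules tarball, so it can run on each sensor after the push. The sample rules, the file names, the CLASS_PRIORITY table and the v2 column order (a "#v2" header, then gid || sid || rev || classtype || priority || msg || ref ...) are assumptions made for the example; compare the column order with a map written by your own PulledPork build before pointing a log processor at it.</p>

```python
"""
Build a Snort sid-msg.map (v2 layout) straight from .rules files, with no rules
tarball involved.  Added example for this thread; not PulledPork or oinkmaster
code.  Assumed, since the thread does not say: v2 is a "#v2" header and then
"gid || sid || rev || classtype || priority || msg || ref || ref ..." per rule
(compare with a map from your own PulledPork build); disabled rules (leading '#')
are left out unless include_disabled=True; a rule-level priority wins, otherwise
the classtype's, with CLASS_PRIORITY standing in for classification.config.
"""
import re
from pathlib import Path

# Optional '#' (disabled), action, header, then the option block; the greedy (.*)
# runs to the last ')' so parentheses inside a pcre or msg do not cut it short.
ACTION_RE = re.compile(r"^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+.*?\((.*)\)\s*$")

# Stand-in for classification.config (only the classtypes the sample uses).
CLASS_PRIORITY = {"trojan-activity": 1, "bad-unknown": 2}

# Constructed sample rules for this example; not taken from the thread.
SAMPLE_RULES = {
    "company.rules": (
        'alert udp $HOME_NET any -> any 53 (msg:"COMPANY DNS query for bad domain"; '
        'content:"|03|bad|07|example|03|com|00|"; pcre:"/bad;example/i"; classtype:bad-unknown; '
        'priority:3; reference:url,example.org/ioc; reference:cve,2013-0001; sid:2000001; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 22 (msg:"COMPANY SSH brute force"; flow:to_server; '
        'detection_filter:track by_src,count 5,seconds 60; classtype:bad-unknown; sid:3000001; rev:1;)\n'),
    "local.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound 4444"; '
        'flow:to_server,established; classtype:trojan-activity; sid:1000001; rev:2;)\n'
        '# alert tcp any any -> any any (msg:"LOCAL disabled"; sid:1000002; rev:1;)\n'
        'alert tcp any any -> $HOME_NET 22 (msg:"COMPANY SSH brute force (tuned)"; flow:to_server; '
        'detection_filter:track by_src,count 20,seconds 60; classtype:bad-unknown; sid:3000001; rev:3;)\n'),
}

def parse_options(opts):
    """Split an option block on ';' outside double quotes and return (key, value)
    pairs in order ('reference' may repeat).  Backslash escapes are preserved, and
    every Snort option ends in ';', so nothing is left in the buffer at the end."""
    pairs, buf, in_quote, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):
            buf.append(opts[i:i + 2]); i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                pairs.append((key.strip(), val.strip().strip('"')))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return pairs

def rule_entry(line, include_disabled=False):
    """Describe one rule line; None for non-rules (comments, vars, blank lines)
    and for disabled rules unless include_disabled is set."""
    m = ACTION_RE.match(line.strip())
    if not m or (m.group(1) and not include_disabled):
        return None
    opts = parse_options(m.group(3))
    get = lambda key, default="": next((v for k, v in opts if k == key), default)
    if not get("sid") or not get("msg"):
        return None  # snort itself would reject the rule
    classtype = get("classtype")
    return {"gid": int(get("gid", "1")), "sid": int(get("sid")), "rev": int(get("rev", "1")),
            "classtype": classtype, "msg": get("msg"),
            "priority": str(get("priority") or CLASS_PRIORITY.get(classtype, "")),
            "refs": [v for k, v in opts if k == "reference"]}

def build_sidmap(rules_by_file, include_disabled=False):
    """{filename: text} -> {(gid, sid): entry}.  When one gid:sid occurs in several
    files the highest rev wins, so a sensor-tuned copy in local.rules overrides it."""
    entries = {}
    for _, text in sorted(rules_by_file.items()):
        for line in text.splitlines():
            e = rule_entry(line, include_disabled)
            if e is not None:
                key = (e["gid"], e["sid"])
                if key not in entries or e["rev"] > entries[key]["rev"]:
                    entries[key] = e
    return entries

def render_v2(entries):
    """Serialise entries in the assumed v2 column order, sorted by gid then sid."""
    lines = ["#v2"]
    for (gid, sid), e in sorted(entries.items()):
        cols = [str(gid), str(sid), str(e["rev"]), e["classtype"], e["priority"], e["msg"]]
        lines.append(" || ".join(cols + e["refs"]))
    return "\n".join(lines) + "\n"

def sidmap_from_dir(rules_dir, pattern="*.rules", include_disabled=False):
    """Read every matching file under rules_dir and return the v2 map text."""
    files = {p.name: p.read_text(errors="replace") for p in Path(rules_dir).glob(pattern)}
    return render_v2(build_sidmap(files, include_disabled))

if __name__ == "__main__":
    import sys  # usage: gen_sidmap.py [rules_dir]; no argument prints the sample map
    sys.stdout.write(sidmap_from_dir(sys.argv[1]) if len(sys.argv) > 1 else render_v2(build_sidmap(SAMPLE_RULES)))
```

<p>Run it as <code>python3 gen_sidmap.py /etc/snort/rules &gt; /etc/snort/sid-msg.map</code> on the sensor once the rules have been pushed (file name and paths assumed); with no argument it prints the map for the embedded sample. Two design choices matter for a per-sensor map: disabled rules are skipped, so the map describes only what that sensor loads, and when the same gid:sid appears in two files the higher rev wins, so a sensor-tuned copy of a company rule in local.rules is the one whose msg and references end up in the map. If your sensors resolve duplicate SIDs differently, change that comparison to match.</p>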