<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><div>From: jason.weir@...14918....<br>To: snort-users@lists.sourceforge.net<br>Date: Fri, 29 Aug 2014 20:02:22 +0000<br>Subject: Re: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates<br><br>





<div class="ecxWordSection1">
<p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;">OK that worked, so what's the -n switch for then?</span></p>
<p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;"> </span></p>
<p class="ecxMsoNormal"><span style="font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; font-size: 12px; white-space: pre; background-color: rgb(255, 255, 255);">-n Do everything other than download of new files (disablesid, etc). More info here: </span><a href="https://code.google.com/p/pulledpork/source/browse/trunk/README" target="_blank" style="font-size: 12pt;">https://code.google.com/p/pulledpork/source/browse/trunk/README</a></p><p class="ecxMsoNormal"><span style="color: rgb(31, 73, 125); font-size: 11pt;"> </span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;"><br></span></p><p class="ecxMsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D;"><br></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in;">
<p class="ecxMsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";"> Y M [mailto:snort@...15979...]
<br>
<b>Sent:</b> Friday, August 29, 2014 3:55 PM<br>
<b>To:</b> Weir, Jason<br>
<b>Cc:</b> snort-users<br>
<b>Subject:</b> RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates</span></p>
</div>
</div>
<p class="ecxMsoNormal"> </p>
<div>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Try running PulledPork with -P.</span></p>
<div>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
</div>
<div>
<p class="ecxMsoNormal" style=""><span style="font-family:"Calibri","sans-serif";">YM</span></p>
<div>
<div class="ecxMsoNormal" align="center" style="text-align:center;"><span style="font-family:"Calibri","sans-serif";">
<hr size="2" width="100%" align="center" id="ecxstopSpelling">
</span></div>
<p class="ecxMsoNormal" style=""><span style="font-family:"Calibri","sans-serif";">From:
<a href="mailto:jason.weir@...14916...">jason.weir@...14916...</a><br>
To: <a href="mailto:snort-users@lists.sourceforge.net">snort-users@...8192...sourceforge.net</a><br>
Date: Fri, 29 Aug 2014 19:43:59 +0000<br>
Subject: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates</span></p>
<div>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">I'm testing PP 0.7.0 and seeing what looks like a bug but want to confirm it's not a config issue on my end.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">As I tune the sensor I add entries in each of the config files (enablesid, disablesid, modifysid conf files) and then run pulledpork and restart snort.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">If there are no rule updates to download (from either VRT or ET) I get this output</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">    <a href="http://code.google.com/p/pulledpork/" target="_blank">
http://code.google.com/p/pulledpork/</a></span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">      _____ ____</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">     `----,\    )</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">      `--==\\  /    PulledPork v0.7.0 - Swine Flu!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">       `--==\\/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">  @_/        /  66\_ 
<a href="mailto:cummingsj@...11827...">cummingsj@...11827...</a></span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">    |    \   \   _(")</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">     \   /-| ||'--'  Rules give me wings!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">      \_\  \_\\</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Config File Variable Debug /usr/local/etc/snort/pulledpork.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        snort_path = /usr/local/bin/snort</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        enablesid = /usr/local/etc/snort/enablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        modifysid = /usr/local/etc/snort/modifysid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        IPRVersion = /usr/local/etc/snort/rules/iplists</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        rule_path = /usr/local/etc/snort/rules/snort.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        ignore = deleted.rules,experimental.rules,local.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        state_order = disable,drop,enable</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        snort_control = /usr/local/bin/snort_control</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        rule_url = ARRAY(0x8e1aac8)</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid_msg_version = 2</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid_changelog = /var/log/sid_changes.log</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid_msg = /usr/local/etc/snort/sid-msg.map</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        config_path = /usr/local/etc/snort/snort.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        temp_path = /tmp</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        distro = Debian-6-0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        version = 0.7.0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sorule_path = /usr/local/lib/snort_dynamicrules/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        disablesid = /usr/local/etc/snort/disablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        dropsid = /usr/local/etc/snort/dropsid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        local_rules = /usr/local/etc/snort/rules/local.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">MISC (CLI and Autovar) Variable Debug:</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        arch Def is: i386</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Config Path is: /usr/local/etc/snort/pulledpork.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Distro Def is: Debian-6-0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled policy specified</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        local.rules path is: /usr/local/etc/snort/rules/local.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Rules file is: /usr/local/etc/snort/rules/snort.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to disablesid file: /usr/local/etc/snort/disablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to dropsid file: /usr/local/etc/snort/dropsid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to enablesid file: /usr/local/etc/snort/enablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to modifysid file: /usr/local/etc/snort/modifysid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid changes will be logged to: /var/log/sid_changes.log</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Snort Version is: 2.9.6.2</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Snort Config File: /usr/local/etc/snort/snort.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Snort Path is: /usr/local/bin/snort</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        SO Output Path is: /usr/local/lib/snort_dynamicrules/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Will process SO rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Extra Verbose Flag is Set</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Verbose Flag is Set</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">*********** Removed Download Logging where the checksums matched and there were no new rules to download *********************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Cleanup....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        removed 0 temporary snort files or directories from /tmp/tha_rules!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Writing /var/log/sid_changes.log....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">No Rule Changes</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">No IP Blacklist Changes</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Please review /var/log/sid_changes.log for additional details</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Fly Piggy Fly!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">If I delete all the rules and re-run PP I get the following output</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">    <a href="http://code.google.com/p/pulledpork/" target="_blank">
http://code.google.com/p/pulledpork/</a></span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">      _____ ____</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">     `----,\    )</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">      `--==\\  /    PulledPork v0.7.0 - Swine Flu!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">       `--==\\/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">  @_/        /  66\_ 
<a href="mailto:cummingsj@...11827...">cummingsj@...11827...</a></span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">    |    \   \   _(")</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">     \   /-| ||'--'  Rules give me wings!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">      \_\  \_\\</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Config File Variable Debug /usr/local/etc/snort/pulledpork.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        snort_path = /usr/local/bin/snort</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        enablesid = /usr/local/etc/snort/enablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        modifysid = /usr/local/etc/snort/modifysid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        IPRVersion = /usr/local/etc/snort/rules/iplists</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        rule_path = /usr/local/etc/snort/rules/snort.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        ignore = deleted.rules,experimental.rules,local.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        state_order = disable,drop,enable</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        snort_control = /usr/local/bin/snort_control</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        rule_url = ARRAY(0xa41cac8)</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid_msg_version = 2</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid_changelog = /var/log/sid_changes.log</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid_msg = /usr/local/etc/snort/sid-msg.map</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        config_path = /usr/local/etc/snort/snort.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        temp_path = /tmp</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        distro = Debian-6-0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        version = 0.7.0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sorule_path = /usr/local/lib/snort_dynamicrules/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        disablesid = /usr/local/etc/snort/disablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        dropsid = /usr/local/etc/snort/dropsid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        local_rules = /usr/local/etc/snort/rules/local.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">MISC (CLI and Autovar) Variable Debug:</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        arch Def is: i386</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Config Path is: /usr/local/etc/snort/pulledpork.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Distro Def is: Debian-6-0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled policy specified</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        local.rules path is: /usr/local/etc/snort/rules/local.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Rules file is: /usr/local/etc/snort/rules/snort.rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to disablesid file: /usr/local/etc/snort/disablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to dropsid file: /usr/local/etc/snort/dropsid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to enablesid file: /usr/local/etc/snort/enablesid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Path to modifysid file: /usr/local/etc/snort/modifysid.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid changes will be logged to: /var/log/sid_changes.log</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Snort Version is: 2.9.6.2</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Snort Config File: /usr/local/etc/snort/snort.conf</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Snort Path is: /usr/local/bin/snort</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        SO Output Path is: /usr/local/lib/snort_dynamicrules/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Will process SO rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Extra Verbose Flag is Set</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Verbose Flag is Set</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">*********** Removed Download Logging where the checksums didn't match and the rules files were downloaded *********************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Prepping rules from opensource.gz for work....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">                **************removed extra logging *****************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Prepping rules from snortrules-snapshot-2962.tar.gz for work....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">                **************removed extra logging *****************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Prepping rules from emerging.rules.tar.gz for work....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">                **************removed extra logging *****************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Prepping rules from community-rules.tar.gz for work....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">                **************removed extra logging *****************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Generating Stub Rules....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">       Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/tmp/tha_rules/so_rules/</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        An error occurred: WARNING: ip4 normalizations disabled because not inline.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        An error occurred: WARNING: tcp normalizations disabled because not inline.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        An error occurred: WARNING: icmp4 normalizations disabled because not inline.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        An error occurred: WARNING: ip6 normalizations disabled because not inline.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        An error occurred: WARNING: icmp6 normalizations disabled because not inline.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Dumping dynamic rules...</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">                **************removed extra logging *****************</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">          Finished dumping dynamic rules.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Reading rules...</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Reading rules...</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Cleanup....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        removed 202 temporary snort files or directories from /tmp/tha_rules!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Modifying Sids....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Processing /usr/local/etc/snort/disablesid.conf....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled 1:xxxxxxx</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Modified 8 rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Processing /usr/local/etc/snort/dropsid.conf....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Modified 0 rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Processing /usr/local/etc/snort/enablesid.conf....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Modified 0 rules</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Setting Flowbit State....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Enabled 119 flowbits</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Writing /usr/local/etc/snort/rules/snort.rules....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Generating sid-msg.map....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Writing v2 /usr/local/etc/snort/sid-msg.map....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Writing /var/log/sid_changes.log....</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Rule Stats...</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        New:-------344</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Deleted:---16</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Enabled Rules:----21793</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">       Dropped Rules:----0</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Disabled Rules:---20007</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">        Total Rules:------41800</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">No IP Blacklist Changes</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Done</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Please review /var/log/sid_changes.log for additional details</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Fly Piggy Fly!</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Next, if I go into disablesid.conf and add another entry and re-run PP, I get the same output as the first run - the new entry in disablesid.conf doesn't get parsed or disabled in the snort.rules file.</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Any ideas?</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";">Jason</span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"> </span></p>
</div>
<p class="ecxMsoNormal"><span style="font-family:"Calibri","sans-serif";"><br>
------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters.
<a href="http://tv.slashdot.org/" target="_blank">http://tv.slashdot.org/</a><br>
_______________________________________________ Snort-users mailing list <a href="mailto:Snort-users@lists.sourceforge.net">
Snort-users@lists.sourceforge.net</a> Go to this URL to change user options or unsubscribe:
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a> Snort-users list archive:
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a> Please visit
<a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!</span></p>
</div>
</div>
</div>
</div>
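<p>Added example, not part of the original thread and not PulledPork's own code: a check that every explicit gid:sid entry in disablesid.conf is actually commented out in the generated snort.rules, which catches the silent "No Rule Changes" case described above. It assumes a disabled rule is a rule line prefixed with #, handles only plain gid:sid entries (other selector forms are skipped), and uses hypothetical function names and constructed sample SIDs.</p>

```python
import re

# Explicit "gid:sid" entry in a disablesid-style file (assumption: other
# selector forms that the file may contain are ignored by this check).
ENTRY_RE = re.compile(r"^(\d+):(\d+)$")
# A rule line, optionally commented out (commented out == disabled).
RULE_RE = re.compile(r"^\s*(#+\s*)?(?:alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_sid_entries(conf_text):
    """Return the explicit (gid, sid) pairs listed in the config text."""
    pairs = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        for token in (t.strip() for t in line.split(",")):
            m = ENTRY_RE.match(token)
            if m:
                pairs.add((int(m.group(1)), int(m.group(2))))
    return pairs


def rule_states(rules_text):
    """Map (gid, sid) -> 'enabled' or 'disabled' for every rule line."""
    states = {}
    for line in rules_text.splitlines():
        rule = RULE_RE.match(line)
        sid = SID_RE.search(line)
        if not rule or not sid:
            continue  # plain comment, blank line, or not a rule
        gid = GID_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
        states[key] = "disabled" if rule.group(1) else "enabled"
    return states


def audit_disables(conf_text, rules_text):
    """Report disablesid entries that did not take effect in the rules file."""
    states = rule_states(rules_text)
    wanted = parse_sid_entries(conf_text)
    return {
        # Listed for disabling but still active: the tuning was not applied.
        "still_enabled": sorted(p for p in wanted if states.get(p) == "enabled"),
        # Listed but absent from the rules file: typo or retired rule.
        "not_in_rules": sorted(p for p in wanted if p not in states),
    }


# Constructed sample input (not taken from the thread).
SAMPLE_DISABLESID = """\
# constructed sample
1:1000001
1:1000002,1:1000003   # two entries on one line
3:1000010
1:1000099
"""

SAMPLE_RULES = """\
# alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"constructed B"; sid:1000002; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed C"; sid:1000003; rev:2;)
alert tcp any any -> any any (msg:"constructed SO stub"; gid:3; sid:1000010; rev:1;)
alert tcp any any -> any 25 (msg:"constructed D"; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    report = audit_disables(SAMPLE_DISABLESID, SAMPLE_RULES)
    for gid, sid in report["still_enabled"]:
        print(f"NOT APPLIED: {gid}:{sid} is listed for disabling but still enabled")
    for gid, sid in report["not_in_rules"]:
        print(f"UNKNOWN: {gid}:{sid} is listed but not present in the rules file")
```

Run it after each PulledPork run and before restarting Snort; a non-empty "still_enabled" list means the tuning file was not processed.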


</div></div></body>
</html>