<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Correct.
<div class=""><br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class=""><b style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><font color="#5e5e5e" class="">--</font></b></div>
<div style="font-size: 14px;" class=""><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#5e5e5e" class="">Joel Esler </font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class="">| </span><b style="font-family: Calibri, sans-serif; font-size: 12px;" class=""><font color="#0096ff" class="">Talos:</font></b><span style="font-family: Calibri, sans-serif; font-size: 12px;" class=""> M</span><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 12px;" class="">anager
 | <a href="mailto:jesler@...589..." class="">jesler@...589...</a></font></div>
<div class=""><font color="#424242" style="font-family: Calibri, sans-serif; font-size: 10px;" class=""><br class="">
</font></div>
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="Apple-interchange-newline">
<br class="Apple-interchange-newline">
</div>
<br class="">
<div style="">
<blockquote type="cite" class="">
<div class="">On Dec 2, 2016, at 3:44 PM, James Lay <<a href="mailto:jlay@...13475..." class="">jlay@...13475...</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">I think your snort-snapshot file needs to have a version number, not
<br class="">
just "snort-snapshot.tar.gz" if I'm not mistaken.<br class="">
<br class="">
James<br class="">
<br class="">
On 2016-12-02 13:35, Keith Pachulski wrote:<br class="">
<blockquote type="cite" class="">Thanks guys. I'll give this a shot and see what happens, will post an<br class="">
update later. Stuck in a meeting and laptop battery just died.<br class="">
<br class="">
On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk"<br class="">
<<a href="mailto:shirkdog.bsd@...11827..." class="">shirkdog.bsd@...11827...</a>> wrote:<br class="">
<br class="">
If it does not work, run the latest pulledpork with -vvv to see where<br class="">
things are at, and post it as an issue on the GitHub repo.<br class="">
<br class="">
The Snort policy is a special case, but without using -l, all SIGs<br class="">
should be processed and loaded up, as this is how it works for me.<br class="">
<br class="">
--<br class="">
Michael Shirk<br class="">
Daemon Security, Inc.<br class="">
<a href="http://www.daemon-security.com" class="">http://www.daemon-security.com</a><br class="">
<br class="">
On Dec 2, 2016 3:22 PM, "Keith Pachulski"<br class="">
<keith.pachulski@...17691...> wrote:<br class="">
<br class="">
<blockquote type="cite" class="">For giggles' sake I reran it as: /home/snort/pulledpork/pulledpork.pl<br class="">
-c /home/snort/pulledpork/etc/pulledpork.conf -I security<br class="">
<br class="">
HUP'd snort... waiting to see what happens... so far just ET sigs and<br class="">
preprocessors again<br class="">
<br class="">
FROM: Joel Esler (jesler) [mailto:jesler@...589...]<br class="">
SENT: Friday, December 02, 2016 3:06 PM<br class="">
TO: Y M<br class="">
CC: Keith Pachulski; snort-users@lists.sourceforge.net<br class="">
SUBJECT: Re: [Snort-users] snort and snort-rules/ET alerts<br class="">
<br class="">
Is that intentional?  I thought the default behavior without policy<br class="">
specification is “as is, shipped”.  If not, we should fix that<br class="">
(It’s been awhile since I’ve actually _used_ pulledpork)<br class="">
<br class="">
--<br class="">
<br class="">
JOEL ESLER | TALOS: Manager | jesler@...589...<br class="">
<br class="">
<blockquote type="cite" class="">On Dec 2, 2016, at 2:52 PM, Y M <snort@...15979...> wrote:<br class="">
<br class="">
The PulledPork command does not specify any rules policy<br class="">
(connectivity, balanced, security) to allow PulledPork to enable the<br class="">
rules.<br class="">
<br class="">
Try running PulledPork with -I <policy>.<br class="">
<br class="">
Keep in mind that this may mess up your ET rules enablement since<br class="">
ET rules do not contain rules policy metadata.<br class="">
<br class="">
YM<br class="">
<br class="">
On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski"<br class="">
<keith.pachulski@...17691...> wrote:<br class="">
<br class="">
Pulledpork Cronjob<br class="">
<br class="">
0 0 * * * /home/snort/pulledpork/pulledpork.pl -c<br class="">
/home/snort/pulledpork/etc/pulledpork.conf<br class="">
<br class="">
Pulledpork Config<br class="">
<br class="">
<br class="">
</blockquote>
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<><br class="">
<blockquote type="cite" class="">
<br class="">
<br class="">
</blockquote>
<br class="">
</blockquote>
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open<br class="">
<blockquote type="cite" class="">
<blockquote type="cite" class="">
<br class="">
ignore=deleted.rules,experimental.rules<br class="">
<br class="">
temp_path=/tmp<br class="">
<br class="">
rule_path=/home/snort/rules/snort.rules<br class="">
<br class="">
local_rules=/home/snort/rules/local.rules<br class="">
<br class="">
sid_msg=/home/snort/rules/etc/sid-msg.map<br class="">
<br class="">
sid_msg_version=1<br class="">
<br class="">
sid_changelog=/home/snort/rules/pullpork-sid_changes.log<br class="">
<br class="">
sorule_path=/usr/local/lib/snort_dynamicrules/<br class="">
<br class="">
snort_path=/usr/local/bin/snort<br class="">
<br class="">
config_path=/home/snort/rules/snort.conf<br class="">
<br class="">
distro=Ubuntu-12-04<br class="">
<br class="">
black_list=/home/snort/rules/black_list.rules<br class="">
<br class="">
IPRVersion=/home/snort/rules/iplists<br class="">
<br class="">
This message (including any attachments) is intended only for the<br class="">
use of the individual or entity to which it is addressed and may<br class="">
contain information that is non-public, proprietary, privileged,<br class="">
confidential, and exempt from disclosure under applicable law or<br class="">
may constitute as attorney work product. If you are not the<br class="">
intended recipient, you are hereby notified that any use,<br class="">
dissemination, distribution, or copying of this communication is<br class="">
strictly prohibited. If you have received this communication in<br class="">
error, notify us immediately by telephone and (i) destroy this<br class="">
message if a facsimile or (ii) delete this message immediately if<br class="">
this is an electronic communication.<br class="">
</blockquote>
</blockquote>
------------------------------------------------------------------------------<br class="">
<blockquote type="cite" class="">Check out the vibrant tech community on one of the world's most<br class="">
engaging tech sites, SlashDot.org! http://sdm.link/slashdot<br class="">
_______________________________________________<br class="">
Snort-users mailing list<br class="">
Snort-users@lists.sourceforge.net<br class="">
Go to this URL to change user options or unsubscribe:<br class="">
https://lists.sourceforge.net/lists/listinfo/snort-users<br class="">
Snort-users list archive:<br class="">
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users<br class="">
<br class="">
Please visit http://blog.snort.org to stay current on all the latest<br class="">
Snort news!<br class="">
</blockquote>
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
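<div class="">
<p>Added example, not part of this thread or of the PulledPork project: a small Python check that reads a pulledpork.conf and flags the two problems discussed above, a <code>rule_url</code> whose Snort snapshot tarball carries no version number (James's point) and no IPS policy being set (YM's point, which leaves the registered rules "as shipped"), and, when a policy is set, warns that it will not enable ET rules because they carry no policy metadata. The sample config is constructed for the example; the versioned filename pattern <code>snortrules-snapshot-&lt;version&gt;.tar.gz</code>, the <code>ips_policy</code> config key and the ET feed URL are assumptions, not taken from the thread.</p>
</div>

```python
"""Lint a pulledpork.conf for the feed/policy problems discussed in the thread.

Added example; not PulledPork's own code. Assumptions are marked below.
"""
import re
from typing import Dict, List, Optional

# Policies named in the thread (passed with -I on the command line).
POLICIES = ("connectivity", "balanced", "security")

# Assumed form of a versioned snapshot filename, e.g. snortrules-snapshot-2983.tar.gz.
VERSIONED_SNAPSHOT = re.compile(r"^snortrules-snapshot-\d+\.tar\.gz$")

# Constructed sample modelled on the config in the thread. The ET line is added
# to exercise the policy caveat and <oinkcode> is a dummy placeholder.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
rule_path=/home/snort/rules/snort.rules
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse key=value lines; a repeated key such as rule_url collects every value."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def parse_rule_url(entry: str) -> Dict[str, str]:
    """A rule_url value is url|tarball|oinkcode ('open' for public feeds)."""
    parts = entry.split("|")
    if len(parts) != 3:
        raise ValueError(f"malformed rule_url (expected url|tarball|oinkcode): {entry!r}")
    return {"url": parts[0], "tarball": parts[1], "oinkcode": parts[2]}


def lint(text: str, cli_policy: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    conf = parse_conf(text)
    findings: List[str] = []
    feeds = [parse_rule_url(e) for e in conf.get("rule_url", [])]

    # 1. Snapshot feeds need the versioned tarball name.
    for feed in feeds:
        if "snortrules-snapshot" in feed["tarball"] and not VERSIONED_SNAPSHOT.match(feed["tarball"]):
            findings.append(f"tarball {feed['tarball']!r} has no version number "
                            "(expected snortrules-snapshot-<version>.tar.gz)")

    # 2. Without a policy (from -I, or the assumed ips_policy key) rules stay as shipped.
    policy = cli_policy or (conf.get("ips_policy") or [None])[0]
    if policy is None:
        findings.append("no IPS policy (-I or ips_policy): registered rules stay 'as shipped'")
    elif policy not in POLICIES:
        findings.append(f"unknown policy {policy!r}; expected one of {POLICIES}")
    else:
        # 3. Policy-based enabling only applies to feeds carrying policy metadata.
        for feed in feeds:
            if "emergingthreats" in feed["url"]:
                findings.append(f"policy {policy!r} will not enable {feed['tarball']}: "
                                "ET rules carry no policy metadata")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, cli_policy="security"):
        print("-", finding)
```

<div class="">
<p>Run it against a real pulledpork.conf by passing the file contents to <code>lint()</code> together with the policy you give <code>-I</code>; the findings correspond one to one to the three pieces of advice in the thread, so an empty result means the config is past those particular pitfalls.</p>
</div>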
<br class="">
</div>
</body>
</html>