<div dir="ltr">snortrules-snapshot.tar.gz<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Dec 3, 2016 at 4:30 AM, Marcin Dulak <span dir="ltr"><<a href="mailto:marcin.dulak@...11827..." target="_blank">marcin.dulak@...11827...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>"snort-snapshot.tar.gz" alone should work, pulledpork will guess the version based on the snort version installed:<br><a href="https://github.com/shirkdog/pulledpork/blob/06177884f0c8ccb94c8fccdc0fa2a4206b4b6549/pulledpork.pl#L1977" target="_blank">https://github.com/shirkdog/<wbr>pulledpork/blob/<wbr>06177884f0c8ccb94c8fccdc0fa2a4<wbr>206b4b6549/pulledpork.pl#L1977</a><span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888">Marcin<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Dec 2, 2016 at 10:41 PM, Joel Esler (jesler) <span dir="ltr"><<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word">
Correct.
<div><br>
<div>
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
<div><b style="font-family:Calibri,sans-serif;font-size:10px"><font color="#5e5e5e">--</font></b></div>
<div style="font-size:14px"><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#5e5e5e">Joel Esler </font></b><span style="font-family:Calibri,sans-serif;font-size:12px">| </span><b style="font-family:Calibri,sans-serif;font-size:12px"><font color="#0096ff">Talos:</font></b><span style="font-family:Calibri,sans-serif;font-size:12px"> M</span><font style="font-family:Calibri,sans-serif;font-size:12px" color="#424242">anager
 | <a href="mailto:jesler@...589..." target="_blank">jesler@...16686......</a></font></div>
<div><font style="font-family:Calibri,sans-serif;font-size:10px" color="#424242"><br>
</font></div>
</div>
</div>
</div>
</div>
<br>
<div>
<blockquote type="cite">
<div>On Dec 2, 2016, at 3:44 PM, James Lay <<a href="mailto:jlay@...7093...475..." target="_blank">jlay@...13475...</a>> wrote:</div>
<div>
<div>I think your snort-snapshot file needs to have a version number, not
<br>
just "snort-snapshot.tar.gz" if I'm not mistaken.<br>
<br>
James<br>
<br>
On 2016-12-02 13:35, Keith Pachulski wrote:<br>
<blockquote type="cite">Thanks guys.  I'll give this a shot and see what happens, will post an<br>
update later. Stuck in a meeting and laptop battery just died.<br>
<br>
On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk"<br>
<<a href="mailto:shirkdog.bsd@...11827..." target="_blank">shirkdog.bsd@...11827...</a>> wrote:<br>
<br>
If it does not work, run the latest pulledpork with -vvv to see where<br>
things are at, and post it as an issue on the GitHub repo.<br>
<br>
The Snort policy is a special case, but without using -l, all SIGs<br>
should be processed and loaded up, as this is how it works for me.<br>
<br>
--<br>
Michael Shirk<br>
Daemon Security, Inc.<br>
<a href="http://www.daemon-security.com" target="_blank">http://www.daemon-security.com</a><br>
<br>
On Dec 2, 2016 3:22 PM, "Keith Pachulski"<br>
<<a href="mailto:keith.pachulski@...17691..." target="_blank">keith.pachulski@...17693...<wbr>labs.com</a>> wrote:<br>
<br>
<blockquote type="cite">For giggles sake I reran it as: /home/snort/pulledpork/<a href="http://pulledpork.pl" target="_blank">pulledp<wbr>ork.pl</a><br>
[1] -c /home/snort/pulledpork/etc/pul<wbr>ledpork.conf -I security<br>
<br>
HUP'd snort... waiting to see what happens... so far just ET sigs and<br>
preprocessors again<br>
<br>
FROM: Joel Esler (jesler) [mailto:<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>]<br>
SENT: Friday, December 02, 2016 3:06 PM<br>
TO: Y M<br>
CC: Keith Pachulski; <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@...3783...<wbr>net</a><br>
SUBJECT: Re: [Snort-users] snort and snort-rules/ET alerts<br>
<br>
Is that intentional?  I thought the default behavior without policy<br>
specification is “as is, shipped”.  If not, we should fix that<br>
(It's been a while since I've actually _used_ pulledpork)<br>
<br>
--<br>
<br>
JOEL ESLER | TALOS: Manager | <a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a><br>
<br>
<blockquote type="cite">On Dec 2, 2016, at 2:52 PM, Y M <<a href="mailto:snort@...15979..." target="_blank">snort@...15979...</a>> wrote:<br>
<br>
The PulledPork command does not specify any rules policy<br>
(connectivity, balanced, security) to allow PulledPork to enable the<br>
rules.<br>
<br>
Try running PulledPork with -I <policy>.<br>
<br>
Keep in mind that this may mess up your ET rules enablement since<br>
ET rules do not contain rules policy metadata.<br>
<br>
YM<br>
<br>
On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski"<br>
<<a href="mailto:keith.pachulski@...17691..." target="_blank">keith.pachulski@...17693...<wbr>labs.com</a>> wrote:<br>
<br>
Pulledpork Cronjob<br>
<br>
0 0 * * * /home/snort/pulledpork/<a href="http://pulledpork.pl" target="_blank">pulledp<wbr>ork.pl</a> [1] -c<br>
/home/snort/pulledpork/etc/pul<wbr>ledpork.conf<br>
<br>
Pulledpork Config<br>
<br>
<br>
</blockquote>
rule_url=<a href="https://www.snort.org/rules/%7Csnortrules-snapshot.tar.gz%7C" target="_blank">https://www.snort.org<wbr>/rules/|snortrules-snapshot.<wbr>tar.gz|</a><><br>
<blockquote type="cite">[2]<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
rule_url=<a href="http://talosintelligence.com/feeds/ip-filter.blf%7CIPBLACKLIST%7Copen" target="_blank">http://talosintellige<wbr>nce.com/feeds/ip-filter.blf|<wbr>IPBLACKLIST|open</a><br>
<blockquote type="cite">
<blockquote type="cite">[3]<br>
<br>
ignore=deleted.rules,experimen<wbr>tal.rules<br>
<br>
temp_path=/tmp<br>
<br>
rule_path=/home/snort/rules/sn<wbr>ort.rules<br>
<br>
local_rules=/home/snort/rules/<wbr>local.rules<br>
<br>
sid_msg=/home/snort/rules/etc/<wbr>sid-msg.map<br>
<br>
sid_msg_version=1<br>
<br>
sid_changelog=/home/snort/rule<wbr>s/pullpork-sid_changes.log<br>
<br>
sorule_path=/usr/local/lib/sno<wbr>rt_dynamicrules/<br>
<br>
snort_path=/usr/local/bin/snor<wbr>t<br>
<br>
config_path=/home/snort/rules/<wbr>snort.conf<br>
<br>
distro=Ubuntu-12-04<br>
<br>
black_list=/home/snort/rules/b<wbr>lack_list.rules<br>
<br>
IPRVersion=/home/snort/rules/i<wbr>plists<br>
<br>
This message (including any attachments) is intended only for the<br>
use of the individual or entity to which it is addressed and may<br>
contain information that is non-public, proprietary, privileged,<br>
confidential, and exempt from disclosure under applicable law or<br>
may constitute as attorney work product. If you are not the<br>
intended recipient, you are hereby notified that any use,<br>
dissemination, distribution, or copying of this communication is<br>
strictly prohibited. If you have received this communication in<br>
error, notify us immediately by telephone and (i) destroy this<br>
message if a facsimile or (ii) delete this message immediately if<br>
this is an electronic communication.<br>
</blockquote>
<br>
<br>
</blockquote>
------------------------------<wbr>------------------------------<wbr>------------------<br>
<blockquote type="cite">Check out the vibrant tech community on one of the world's most<br>
engaging tech sites, SlashDot.org! <a href="http://sdm.link/slashdot" target="_blank">http://sdm.link/slashdot</a> [4]<br>
______________________________<wbr>_________________<br>
Snort-users mailing list<br>
<a href="mailto:Snort-users@lists.sourceforge.net" target="_blank">Snort-users@...3783...<wbr>net</a><br>
Go to this URL to change user options or unsubscribe:<br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a> [5]<br>
Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarc<wbr>hive/forum.php?forum_name=<wbr>snort-users</a><br>
[6]<br>
<br>
Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest<br>
Snort news!<br>
</blockquote>
<br>
Links:<br>
------<br>
[1] <a href="http://pulledpork.pl" target="_blank">http://pulledpork.pl</a><br>
[2] <a href="https://www.snort.org/rules/%7Csnortrules-snapshot.tar.gz%7C%3c%3e" target="_blank">https://www.snort.org/rules/%7<wbr>Csnortrules-snapshot.tar.gz%7C<wbr>%3c%3e</a><br>
[3] <br>
<a href="http://talosintelligence.com/feeds/ip-filter.blf%7CIPBLACKLIST%7Copen" target="_blank">http://talosintelligence.com/f<wbr>eeds/ip-filter.blf%7CIPBLACKLI<wbr>ST%7Copen</a><br>
[4] <a href="http://sdm.link/slashdot" target="_blank">http://sdm.link/slashdot</a><br>
[5] <a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-users</a><br>
[6] <a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarc<wbr>hive/forum.php?forum_name=<wbr>snort-users</a><br>
<br>
</blockquote>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>

</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
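<p>Added example, not written by any participant in this thread: a small Python checker for the <code>rule_url=url|filename|oinkcode</code> entries of a pulledpork.conf, modelled on the config quoted above. It reports a snort.org tarball whose name is not <code>snortrules-snapshot[-NNNN].tar.gz</code> (the thread's point that the file is <code>snortrules-snapshot</code>, with the Snort version suffix optional), an oinkcode field still holding an angle-bracket placeholder, and any rule feed fetched over plain http instead of https, since the integrity of a feed pulled by a root cron job rests on its transport. The sample config, the <code>&lt;oinkcode&gt;</code> placeholder and the function names are constructed for this example.</p>

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the pulledpork.conf fragment quoted in the
# thread; "<oinkcode>" is a placeholder, not a real oinkcode.
SAMPLE_CONF = """\
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/home/snort/rules/snort.rules
"""

# Accepted names for the snort.org tarball: with or without the numeric
# Snort version suffix (e.g. snortrules-snapshot-2983.tar.gz).
SNORT_TARBALL = re.compile(r"^snortrules-snapshot(-\d{4,5})?\.tar\.gz$")


def parse_rule_urls(conf_text):
    """Return (url, filename, oinkcode) triples from every rule_url= line."""
    triples = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("rule_url="):
            continue
        fields = line[len("rule_url="):].split("|")
        if len(fields) != 3:
            raise ValueError("rule_url needs url|filename|oinkcode: %s" % line)
        triples.append(tuple(fields))
    return triples


def check_rule_urls(conf_text):
    """Return a list of human-readable findings for the rule_url entries."""
    findings = []
    for url, filename, oinkcode in parse_rule_urls(conf_text):
        parts = urlsplit(url)
        host = parts.netloc
        # The snort.org feed must be requested by its real tarball name.
        if host.endswith("snort.org") and not SNORT_TARBALL.match(filename):
            findings.append(
                "%s: tarball must be snortrules-snapshot[-NNNN].tar.gz, got %r"
                % (host, filename))
        # An unfilled "<...>" placeholder means the download will fail.
        if "<" in oinkcode or ">" in oinkcode:
            findings.append(
                "%s: oinkcode placeholder %r not filled in" % (host, oinkcode))
        # Rules and blocklists fetched over http can be altered in transit.
        if parts.scheme != "https":
            findings.append(
                "%s: feed fetched over %s, not https" % (host, parts.scheme))
    return findings


if __name__ == "__main__":
    for finding in check_rule_urls(SAMPLE_CONF):
        print(finding)
```

<p>Run it against a real pulledpork.conf by reading the file into <code>check_rule_urls</code>; an empty list means every entry passed the three checks. It only inspects the config and does not fetch anything, so it is safe to add to the same cron job ahead of the pulledpork run.</p>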