Thanks, I’ve read the readme.

I didn’t equate -P to parse disablesid.conf because -n indicated it would (but doesn’t).

Am I reading things wrong?

Thanks!

-J

From: Y M [mailto:snort@outlook.com]
Sent: Friday, August 29, 2014 4:07 PM
To: Weir, Jason
Cc: snort-users
Subject: RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates


From: jason.weir@nhrs.org
To: snort-users@lists.sourceforge.net
Date: Fri, 29 Aug 2014 20:02:22 +0000
Subject: Re: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

OK that worked, so what’s the -n switch for then?

-n Do everything other than download of new files (disablesid, etc). More info here: https://code.google.com/p/pulledpork/source/browse/trunk/README


From: Y M [mailto:snort@outlook.com]
Sent: Friday, August 29, 2014 3:55 PM
To: Weir, Jason
Cc: snort-users
Subject: RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Try running PulledPork with -P.

YM


From: jason.weir@nhrs.org
To: snort-users@lists.sourceforge.net
Date: Fri, 29 Aug 2014 19:43:59 +0000
Subject: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

I’m testing PP 0.7.0 and seeing what looks like a bug, but want to confirm it’s not a config issue on my end.

As I tune the sensor I add entries in each of the config files (enablesid, disablesid, modifysid conf files) and then run pulledpork and restart snort:

/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv

If there are no rule updates to download (from either VRT or ET) I get this output:


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /usr/local/etc/snort/enablesid.conf
        modifysid = /usr/local/etc/snort/modifysid.conf
        IPRVersion = /usr/local/etc/snort/rules/iplists
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        state_order = disable,drop,enable
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0x8e1aac8)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /usr/local/etc/snort/disablesid.conf
        dropsid = /usr/local/etc/snort/dropsid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/local/etc/snort/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/etc/snort/rules/local.rules
        Rules file is: /usr/local/etc/snort/rules/snort.rules
        Path to disablesid file: /usr/local/etc/snort/disablesid.conf
        Path to dropsid file: /usr/local/etc/snort/dropsid.conf
        Path to enablesid file: /usr/local/etc/snort/enablesid.conf
        Path to modifysid file: /usr/local/etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set

*********** Removed Download Logging where the checksums matched and there were no new rules to download *********************

Cleanup....
        removed 0 temporary snort files or directories from /tmp/tha_rules!
Writing /var/log/sid_changes.log....
        Done

No Rule Changes

No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

If I delete all the rules and re-run PP I get the following output:


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /usr/local/etc/snort/enablesid.conf
        modifysid = /usr/local/etc/snort/modifysid.conf
        IPRVersion = /usr/local/etc/snort/rules/iplists
        rule_path = /usr/local/etc/snort/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        state_order = disable,drop,enable
        snort_control = /usr/local/bin/snort_control
        rule_url = ARRAY(0xa41cac8)
        sid_msg_version = 2
        sid_changelog = /var/log/sid_changes.log
        sid_msg = /usr/local/etc/snort/sid-msg.map
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        version = 0.7.0
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = /usr/local/etc/snort/disablesid.conf
        dropsid = /usr/local/etc/snort/dropsid.conf
        local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: i386
        Config Path is: /usr/local/etc/snort/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/etc/snort/rules/local.rules
        Rules file is: /usr/local/etc/snort/rules/snort.rules
        Path to disablesid file: /usr/local/etc/snort/disablesid.conf
        Path to dropsid file: /usr/local/etc/snort/dropsid.conf
        Path to enablesid file: /usr/local/etc/snort/enablesid.conf
        Path to modifysid file: /usr/local/etc/snort/modifysid.conf
        sid changes will be logged to: /var/log/sid_changes.log
        sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
        Snort Version is: 2.9.6.2
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /usr/local/lib/snort_dynamicrules/
        Will process SO rules
        Extra Verbose Flag is Set
        Verbose Flag is Set

*********** Removed Download Logging where the checksums didn’t match and the rules files were downloaded *********************

Prepping rules from opensource.gz for work....
                **************removed extra logging *****************
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
                **************removed extra logging *****************
Prepping rules from emerging.rules.tar.gz for work....
                **************removed extra logging *****************
Prepping rules from community-rules.tar.gz for work....
                **************removed extra logging *****************
Generating Stub Rules....
       Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/tmp/tha_rules/so_rules/
        An error occurred: WARNING: ip4 normalizations disabled because not inline.

        An error occurred: WARNING: tcp normalizations disabled because not inline.

        An error occurred: WARNING: icmp4 normalizations disabled because not inline.

        An error occurred: WARNING: ip6 normalizations disabled because not inline.

        An error occurred: WARNING: icmp6 normalizations disabled because not inline.

        Dumping dynamic rules...
                **************removed extra logging *****************
          Finished dumping dynamic rules.
        Done
        Reading rules...
        Reading rules...
Cleanup....
        removed 202 temporary snort files or directories from /tmp/tha_rules!
Modifying Sids....
        Done!
Processing /usr/local/etc/snort/disablesid.conf....
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Disabled 1:xxxxxxx
        Modified 8 rules
        Done
Processing /usr/local/etc/snort/dropsid.conf....
        Modified 0 rules
        Done
Processing /usr/local/etc/snort/enablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 119 flowbits
        Done
Writing /usr/local/etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v2 /usr/local/etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------344
        Deleted:---16
        Enabled Rules:----21793
       Dropped Rules:----0
        Disabled Rules:---20007
        Total Rules:------41800
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Next, if I go into disablesid.conf and add another entry and re-run PP, I get the same output as the first run – the new entry in disablesid.conf doesn’t get parsed or disabled in the snort.rules file.

Any ideas?

Jason
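The disablesid.conf step that appears only in the second run above ("Processing /usr/local/etc/snort/disablesid.conf.... Disabled 1:xxxxxxx ... Modified 8 rules") is the tuning the first run skipped. The script below is an added illustration of what that step does, written for this thread and not taken from PulledPork; it assumes the disablesid.conf entry forms gid:sid, several entries comma-separated on a line, gid:sid-gid:sid ranges and pcre:<regex>, and every rule and entry in it is constructed sample data rather than anything from a real ruleset.

```python
"""Apply a PulledPork-style disablesid.conf to a Snort rules file.

Added illustration for this thread, not PulledPork's own code. It assumes
the entry forms PulledPork documents for disablesid.conf: "gid:sid",
several entries comma-separated on one line, a range "gid:sid-gid:sid",
and "pcre:<regex>" matched against the rule text. Lines starting with
"#" are comments. The sample rules and entries below are constructed.
"""
import re

# A Snort rule carries "sid:N;" and optionally "gid:N;" (gid defaults to 1).
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
# A disablesid entry: gid:sid, optionally extended to a range gid:sid-gid:sid.
ENTRY_RE = re.compile(r"^(\d+):(\d+)(?:-(\d+):(\d+))?$")


def parse_disablesid(text):
    """Return (set of (gid, sid) tuples, list of compiled pcre patterns)."""
    ids = set()
    pcres = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("pcre:"):
            pcres.append(re.compile(line[5:]))
            continue
        for entry in line.split(","):
            entry = entry.strip()
            if not entry:
                continue
            m = ENTRY_RE.match(entry)
            if not m:
                raise ValueError("unrecognised disablesid entry: %r" % entry)
            gid, sid, gid2, sid2 = m.groups()
            if gid2 is None:
                ids.add((int(gid), int(sid)))
            elif gid2 != gid or int(sid2) < int(sid):
                raise ValueError("bad range: %r" % entry)
            else:
                for s in range(int(sid), int(sid2) + 1):
                    ids.add((int(gid), s))
    return ids, pcres


def rule_id(rule):
    """(gid, sid) of a rule line, or None if the line carries no sid."""
    m = SID_RE.search(rule)
    if not m:
        return None
    g = GID_RE.search(rule)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def apply_disablesid(rules_text, ids, pcres):
    """Comment out every active rule that matches; return (new text, disabled ids).

    Rules that are already commented out are left alone, so the returned list
    is exactly the set of rules this run changed, like PulledPork's
    "Modified N rules" count.
    """
    out, disabled = [], []
    for line in rules_text.splitlines():
        stripped = line.strip()
        ident = rule_id(stripped)
        active = ident is not None and not stripped.startswith("#")
        if active and (ident in ids or any(p.search(stripped) for p in pcres)):
            out.append("# " + line)
            disabled.append(ident)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


# Constructed sample data (not from the thread or from any real ruleset).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED one"; sid:1000001; gid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED noisy two"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED already off"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED four"; sid:1000004; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED five"; sid:1000005; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED six"; sid:1000006; rev:1;)
"""

SAMPLE_DISABLESID = """\
# constructed disablesid.conf
1:1000001
1:1000004-1:1000005
pcre:noisy
"""


def demo():
    """Run the sample through; returns (new rules text, list of ids disabled)."""
    ids, pcres = parse_disablesid(SAMPLE_DISABLESID)
    return apply_disablesid(SAMPLE_RULES, ids, pcres)


if __name__ == "__main__":
    text, changed = demo()
    print(text)
    print("Modified %d rules" % len(changed))
```

Running it prints the rewritten rules followed by a "Modified N rules" line. The list of ids it returns is what you would compare against the entries in your own disablesid.conf to confirm the tuning actually reached snort.rules, which is the check that the first run in this thread (without -P) would have failed: it reported "No Rule Changes" while the new disablesid.conf entry was still active in the rules file.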

------------------------------------------------------------------------------ Slashdot TV. Video for Nerds. Stuff that matters. http://tv.slashdot.org/
_______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!