Snort mailing list archives

Re: pulled pork


From: NA <dustypath () comcast net>
Date: Sat, 05 Mar 2011 12:47:11 -0800

Hello,

I am trying to get started on enabling/disabling rules via PulledPork 
but need more info.

First off, the question asked about commenting out rules files in 
snort.conf is irrelevant with PulledPork? It was not answered.

Second, if I wish to, say, allow Skype on the network (inline deployment), 
do I use the rule number to allow Skype in PulledPork or comment it out 
in p2p.rules, enabled or not in snort.conf? Or just use p2p.rules to get 
the rule number to put in dropsid.conf. The latter seems to make the 
most sense, per this section of the file:

Example of modifying state for individual rules
# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010

Thanks

Bill B

Looks correct. If PP reports no file change then the md5 file is not 
actually changing. I would manually download the rules tarball that 
you are talking about and compare to the md5 that ET publishes. If 
they are different then we need to talk to the ET folks about making 
sure that the md5 file is updated with the file.

On Sat, Mar 5, 2011 at 4:48 AM, Michael Lubinski 
<michael.lubinski () gmail com> wrote:

    The pulledpork also always says that nothing has changed even
    though I know the sigs are changing daily for the ET ruleset. My
    rule URL is

    rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

    Is this incorrect syntax?



    On Fri, Mar 4, 2011 at 11:28 PM, Jason Wallace
    <jason.r.wallace () gmail com> wrote:

        Michael,

        In the pulledpork.conf file there is a section near the
        beginning of the file where you can add a list of rule file
        names to ignore.

        Thx,
        Wally

        On Mar 4, 2011 11:04 PM, "Michael Lubinski"
        <michael.lubinski () gmail com> wrote:
        > If I am not mistaken pulled pork combines the rules into a
        > snort.rules file so the rest of the rules for snort should be
        > commented out except for snort.rules.
        >
        > If that is correct I have another question, the block rules
        > from ET are contained within that snort.rules, I get an unknown
        > rule option for fwsam which I am not running. What option do I
        > have to modify in pulledpork.conf to have it not pull these
        > block rules down?



    ------------------------------------------------------------------------------
    What You Don't Know About Data Connectivity CAN Hurt You
    This paper provides an overview of data connectivity, details
    its effect on application quality, and explores various alternative
    solutions. http://p.sf.net/sfu/progress-d2d
    _______________________________________________
    Snort-users mailing list
    Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net>
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
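
The comparison suggested in the reply above, as an added example that is not part of the original thread and is not PulledPork code: it checks a manually downloaded tarball against the published .md5 file and, optionally, against the tarball kept from the previous run. The function names and sample files are constructed for illustration, and it assumes the .md5 file carries the hex digest as its first field.

```shell
#!/usr/bin/env bash
# Added example, not PulledPork code. Assumes md5sum and awk are installed.
# Lowercase MD5 hex digest of a file.
file_md5() {
    md5sum "$1" | awk '{print tolower($1)}'
}

# Digest from a published .md5 file. Assumption: the hex digest is the
# first whitespace-separated field on the first non-empty line.
published_md5() {
    awk 'NF {print tolower($1); exit}' "$1"
}

# check_ruleset FRESH_TARBALL PUBLISHED_MD5_FILE [PREVIOUS_TARBALL]
# Prints one state:
#   stale-md5  fresh tarball does not match the published digest
#   unchanged  fresh tarball matches the digest and the previous tarball
#   updated    fresh tarball matches the digest; previous differs or is absent
check_ruleset() {
    local fresh pub
    fresh=$(file_md5 "$1")
    pub=$(published_md5 "$2")
    if [ -z "$fresh" ] || [ -z "$pub" ]; then
        echo "error"; return 2
    fi
    if [ "$fresh" != "$pub" ]; then
        echo "stale-md5"
    elif [ -n "${3:-}" ] && [ -f "$3" ] && [ "$(file_md5 "$3")" = "$fresh" ]; then
        echo "unchanged"
    else
        echo "updated"
    fi
}

# Constructed sample data: small stand-in files, not real rule tarballs.
make_sample() {
    local d
    d=$(mktemp -d)
    printf 'rules v1\n' > "$d/old.tar.gz"
    printf 'rules v2\n' > "$d/new.tar.gz"
    file_md5 "$d/old.tar.gz" > "$d/old.md5"
    file_md5 "$d/new.tar.gz" > "$d/new.md5"
    echo "$d"
}
d=$(make_sample)
check_ruleset "$d/new.tar.gz" "$d/old.md5" "$d/old.tar.gz"   # prints stale-md5
check_ruleset "$d/new.tar.gz" "$d/new.md5" "$d/old.tar.gz"   # prints updated
check_ruleset "$d/old.tar.gz" "$d/old.md5" "$d/old.tar.gz"   # prints unchanged
rm -rf "$d"
```

A `stale-md5` result is the case the reply describes: the tarball on the server changed but the digest file beside it did not.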




