Snort mailing list archives
Re: Pulled Pork and SO_rules
From: beenph <beenph () gmail com>
Date: Wed, 18 May 2011 09:55:20 -0400
[gid:sid:revision] [3:16413:0] is an SO_rule alert, and, as in your previous e-mail, it's only because the definition for the rule is not in gen-id.msg (it should be there); if it had been a signature, the alert would look like [1:16413:0]. I'm sure JJC can help you more on this, though.

On Wed, May 18, 2011 at 8:24 AM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:

> Never mind... I got that to work... I had the wrong directories for the so stub files in the conf file. I fixed it and got a new sid-msg.map file. But there is another problem. My sid-msg.map file is new, but Barnyard is still logging alerts as Snort Alert [3:16413:0].
>
> Barnyard is started using the command
>
>     /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.log -w /var/log/snort/barnyard.waldo -D
>
> Grepping /etc/snort/sid-msg.map gives
>
>     # grep "16413" /etc/snort/sid-msg.map
>     16413 || WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt || url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx || cve,2010-0034
>
> So clearly the signature is there in sid-msg.map, but Barnyard is still not logging it correctly. I have restarted Barnyard after the new sid-msg.map file was generated. I had read somewhere that this happens because of gid=3, which Barnyard can't handle. Is there a fix, or should I upgrade to barnyard2?
>
> Regards,
> Dheeraj
>
> On Wed, May 18, 2011 at 3:15 PM, Dheeraj Gupta <dheeraj.gupta4 () gmail com> wrote:
>
> > Hi,
> >
> > So I installed Pulled Pork and used it in offline mode (-n option). The execution went off perfectly. I got a newly generated sid-msg.map file and all that stuff. Even dynamic rules were (presumably) loaded. Here's the PP output:
> >
> >     Prepping rules from snortrules-snapshot-2861.tar.gz for work....
> >     Done!
> >     Reading rules...
> >     Reading rules...
> >     Reading rules...
> >     Setting Flowbit State....
> >     Enabled 47 flowbits
> >     Enabled 25 flowbits
> >     Done
> >     Writing /etc/snort/rules/snort.rules....
> >     Done
> >     Writing /etc/snort/rules/so_rules.rules....
> >     Done
> >     Generating sid-msg.map....
> >     Done
> >     Writing /etc/snort/sid-msg.map....
> >     Done
> >     Writing /var/log/sid_changes.log....
> >     Done
> >     Rule Stats....
> >     New:-------0
> >     Deleted:---0
> >     Enabled Rules:----4901
> >     Dropped Rules:----0
> >     Disabled Rules:---5491
> >     Total Rules:------10392
> >     Done
> >
> > (As you can see, there is no "Generating Stub Rules" entry.) However, even now Barnyard (not barnyard2) will log alerts like SnortAlert [3:13308:0], i.e. it does not find the relevant information in the sid-msg.map files. What have I missed?
> >
> > Here's my pulledpork.conf file (Rules and So_Rules part only):
> >
> >     #######
> >     ####### The below section is for rule processing. This section is
> >     ####### required if you are not specifying the configuration using
> >     ####### runtime switches. Note that runtime switches do SUPERSEDE
> >     ####### any values that you have specified here!
> >     #######
> >     # What path you want the .rules file containing all of the processed
> >     # rules? (this value has changed as of 0.4.0, previously we copied
> >     # all of the rules, now we are creating a single large rules file
> >     # but still keeping a separate file for your so_rules!
> >     rule_path=/etc/snort/rules/snort.rules
> >     # What path you want the .rules files to be written to, this is UNIQUE
> >     # from the rule_path and cannot be used in conjunction, this is to be used with the
> >     # -k runtime flag, this can be set at runtime using the -K flag or specified
> >     # here. If specified here, the -k option must also be passed at runtime, however
> >     # specifying -K <path> at runtime forces the -k option to also be set
> >     out_path=etc/snort/rules/
> >     # If you are running any rules in your local.rules file, we need to
> >     # know about them to properly build a sid-msg.map that will contain your
> >     # local.rules metadata (msg) information. You can specify other rules
> >     # files that are local to your system here by adding a comma and more paths...
> >     # remember that the FULL path must be specified for EACH value.
> >     # local_rules=/path/to/these.rules,/path/to/those.rules
> >     local_rules=/etc/snort/rules/local.rules
> >     # Where should I put the sid-msg.map file?
> >     sid_msg=/etc/snort/sid-msg.map
> >     # Where do you want me to put the sid changelog? This is a changelog
> >     # that pulledpork maintains of all new sids that are imported
> >     sid_changelog=/var/log/sid_changes.log # this value is optional
> >     #######
> >     ####### The below section is for so_rule processing only. If you don't
> >     ####### need to use them.. then comment this section out!
> >     ####### Alternately, if you are not using pulledpork to process
> >     ####### so_rules, you can specify -T at runtime to bypass this altogether
> >     #######
> >     # What path you want the .so files to actually go to *i.e. where is it
> >     # defined in your snort.conf, needs a trailing slash
> >     sorule_path=/usr/local/lib/snort_dynamicrules/
> >     # Path to the snort binary, we need this to generate the stub files
> >     snort_path=/usr/local/bin/snort
> >     # We need to know where your snort.conf file lives so that we can
> >     # generate the stub files
> >     config_path=/etc/snort/snort.conf
> >     # This is the file that contains all of the shared object rules that pulledpork
> >     # has processed, note that this has changed as of 0.4.0 just like the rules_path!
> >     sostub_path=/etc/snort/rules/so_rules.rules
> >     # Define your distro, this is for the precompiled shared object libs!
> >     # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
> >     # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
> >     # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
> >     # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
> >     # OpenSUSE-11-3
> >     distro=Centos-5-4
> >
> > Regards,
> > Dheeraj
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
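As an added illustration of the lookup beenph describes (this is example code, not from the thread, from Barnyard or from Pulled Pork), the resolver below reads the two map formats and shows why a gid 3 event falls back to the bare "Snort Alert [3:16413:0]" text even though sid 16413 is present in sid-msg.map. The lookup order (sid-msg.map keyed by sid alone and applied to gid 1 only, gen-msg.map keyed by gid and sid for every other generator) and the gen-msg.map sample lines are assumptions modelled on the reply; the sid-msg.map line mirrors the grep output quoted above.

```python
from typing import Dict, Tuple

# Constructed sample maps. The sid-msg.map line mirrors the grep output
# quoted in the thread; the gen-msg.map lines are made up for illustration.
SID_MSG_MAP = """\
# sid || msg || reference || reference ...
16413 || WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt || url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx || cve,2010-0034
1000001 || LOCAL test rule
"""

GEN_MSG_MAP = """\
# gid || sid || msg
1 || 1 || snort general alert
3 || 1 || snort dynamic rule alert
"""

def parse_sid_msg_map(text: str) -> Dict[int, str]:
    """Map sid -> msg. Fields after msg are references and are ignored here."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        table[int(fields[0])] = fields[1]
    return table

def parse_gen_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Map (gid, sid) -> msg; this file carries the generator id as well."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        gid, sid, msg = [f.strip() for f in line.split("||", 2)]
        table[(int(gid), int(sid))] = msg
    return table

def resolve_alert(gid: int, sid: int, rev: int, sid_map: Dict[int, str],
                  gen_map: Dict[Tuple[int, int], str]) -> str:
    """Return the message for a [gid:sid:rev] event, or the generic fallback.

    Assumed lookup order (modelled on the reply): sid-msg.map has no gid
    column and only covers gid 1 text rules; any other generator, shared
    object rules (gid 3) included, needs a (gid, sid) line in gen-msg.map.
    """
    if gid == 1 and sid in sid_map:
        return sid_map[sid]
    if (gid, sid) in gen_map:
        return gen_map[(gid, sid)]
    return f"Snort Alert [{gid}:{sid}:{rev}]"
```

Feeding the same sid through as gid 1 resolves to the WEB-CLIENT message, while gid 3 with no matching gen-msg.map line yields the fallback string seen in the Barnyard logs.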