Snort mailing list archives
Re: I'm getting close, I smell more bacon
From: PR <oly562 () gmail com>
Date: Fri, 14 Sep 2012 10:11:19 -0700
Hi and thanks JJ, appreciate your time in this matter. Yes, see enclosed: it is the manual/howto for the Ubuntu distro. However, I did not specify that. I will specify more in the pulledpork.conf for disablesids and such. As for SO rules, I'm a little confused what they are for. I am reading the manual 2.9.3 from snort.org now; large manual, which is good. The most issues I have had are with absolute paths. In one .conf it states full path, and the ./rules was changed back to ../rules as it is located in /etc/snort. This is where I put everything: so_rules, gen-msg and so forth. Perms may be an issue. Each howto says a little something different, so I just start from scratch each time it doesn't work (snort, barnyard2, or pulledpork fails). As for this build, it is going smoother, and surely I will save the working configs once I understand SO rules better, and other features. Snort works, barnyard2 works, but pulledpork is the issue right now, and will be until I figure out what I am doing. I used to use oinkmaster, but now I will use PP per snort.org suggestions. More to follow, thanks again,

pete

On Fri, 2012-09-14 at 09:22 -0600, JJC wrote:
Absolutely... so pretty straightforward. Everything that you specified at runtime can be specified in the pulledpork.conf file that can then be called (as you have done) using the -c <path to pulledpork.conf> runtime flag. You have a few errors:

1. If you are planning on using SO rules, you must specify an arch.
2. You have specified the path to an existing directory as the exact same path that you want to write your snort rules to. You will need to add an additional /filename and specify said filename in your snort.conf as the rules file...
3. Was there a guide that you used to get to this point or?

JJC

On Fri, Sep 14, 2012 at 9:10 AM, Joel Esler <jesler () sourcefire com> wrote:

JJ, can you help out here?

On Sep 14, 2012, at 3:34 AM, PR <oly562 () gmail com> wrote:

> OK, I commented out ET rules. Bah, I will deal with that later.
>
> 1. I ran
>
>     ./pulledpork.pl -s /etc/snort/so_rules -p /usr/local/bin/snort \
>         -C /etc/snort.conf -i /etc/snort/disablesid.conf \
>         -b /etc/snort/dropsid.conf -e /etc/snort/enablesid.conf \
>         -M /etc/snort/modifysid.conf -e /etc/snort/enablesid.conf \
>         -c /etc/snort/pulledpork.conf -o /etc/snort/rules/
>
> 2. I got:
>
>     Use of uninitialized value $arch in regexp compilation at ./pulledpork.pl line 271.
>     Done!
>     Reading rules...
>     Generating Stub Rules....
>     Something failed in the gen_stubs sub, please verify your shared object config!
>     Done
>     Reading rules...
>     Reading rules...
>     Processing /etc/snort/enablesid.conf....
>     Modified 0 rules
>     Done
>     Processing /etc/snort/dropsid.conf....
>     Modified 0 rules
>     Done
>     Processing /etc/snort/disablesid.conf....
>     Modified 0 rules
>     Done
>     Modifying Sids....
>     Done!
>     Setting Flowbit State....
>     Enabled 11 flowbits
>     Enabled 1 flowbits
>     Done
>     Writing /etc/snort/rules....
>     Unable to write /etc/snort/rules - Is a directory at ./pulledpork.pl line 1083.
>     main::rule_write('HASH(0x8f682ac)', '/etc/snort/rules', 1, undef) called at ./pulledpork.pl line 1870
>
> 3. Also, do I need to define all that stuff in cmdline, couldn't I just
> uncomment the /etc/snort/disablesid.confs in pulledpork.conf? Just
> wondering.
>
> Thanks!!! Any input is really appreciated. I'm learning more and more
> every day. Pretty soon I will be asking about rule creation lol

------------------------------------------------------------------------------
Got visibility? Most devs has no idea what their production app looks like.
Find out how fast your code is with AppDynamics Lite.
http://ad.doubleclick.net/clk;262219671;13503038;y?
http://info.appdynamics.com/FreeJavaPerformanceDownload.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
deb_snort_howto.pdf
Description:
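As an added example (not code from the thread, and not part of pulledpork itself), the shell script below checks a pulledpork.conf for the two errors JJC lists in the quoted reply, before pulledpork.pl is ever run, and additionally confirms that snort.conf includes the file pulledpork will write. It reads the real pulledpork.conf keys rule_path, sorule_path, distro and config_path. The temp-directory paths, the two sample configs written by make_sample_configs, the one-line snort.conf, the file name pp_check.sh and the distro value Ubuntu-10-4 are all constructed for the demonstration; that distro= is the setting which selects the precompiled shared objects for the platform (JJC's "arch") is this editor's reading of the output above, and the value you use must be one of those listed in your own pulledpork.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pulledpork project:
# sanity-check a pulledpork.conf for the mistakes JJC points out above
# before running pulledpork.pl. Keys read here (rule_path, sorule_path,
# distro, config_path) are real pulledpork.conf keys; every file path and
# the sample configs written by make_sample_configs are constructed.

# Print the value of key $2 from pulledpork.conf-style file $1 (key=value,
# '#' comments). Commented-out keys do not match because '#' precedes them.
pp_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Check 1: when SO rules are requested, distro= must be set so pulledpork can
# pick the precompiled shared objects for the platform (assumption: this is
# what the "uninitialized value $arch" warning in the thread points at).
check_so_distro() {
    so=$(pp_get "$1" sorule_path)
    distro=$(pp_get "$1" distro)
    if [ -n "$so" ] && [ -z "$distro" ]; then
        echo "FAIL: sorule_path is set but distro= is empty (SO rules need it)"
        return 1
    fi
    echo "OK: sorule_path/distro are consistent"
}

# Check 2: rule_path must name the output FILE. An existing directory, or a
# trailing '/', is what makes rule_write die with "Is a directory".
check_rule_path() {
    rp=$(pp_get "$1" rule_path)
    if [ -z "$rp" ]; then
        echo "FAIL: rule_path is not set"
        return 1
    fi
    case "$rp" in
        */) echo "FAIL: rule_path '$rp' ends in '/'; append a filename"; return 1 ;;
    esac
    if [ -d "$rp" ]; then
        echo "FAIL: rule_path '$rp' is an existing directory; append a filename"
        return 1
    fi
    echo "OK: rule_path names a file ($rp)"
}

# Check 3: snort.conf must include exactly the file pulledpork writes,
# otherwise snort loads nothing from the pulledpork run.
check_snort_include() {
    rp=$(pp_get "$1" rule_path)
    sc=$(pp_get "$1" config_path)
    base=$(basename "$rp")
    if [ -n "$sc" ] && [ -f "$sc" ] &&
       grep -Eq "^[[:space:]]*include[[:space:]]+([^[:space:]]*/)?$base[[:space:]]*$" "$sc"; then
        echo "OK: $sc includes $base"
        return 0
    fi
    echo "FAIL: config_path '$sc' has no 'include ... $base' line"
    return 1
}

# Run all checks; exit status is non-zero if any of them failed.
run_checks() {
    rc=0
    check_so_distro "$1" || rc=1
    check_rule_path "$1" || rc=1
    check_snort_include "$1" || rc=1
    return $rc
}

# Write two constructed configs into a temp dir and print its path:
# bad.conf reproduces the thread's mistakes, good.conf fixes them.
make_sample_configs() {
    d=$(mktemp -d)
    mkdir -p "$d/rules" "$d/so_rules"
    # Constructed one-line snort.conf; printf keeps $RULE_PATH literal.
    printf 'var RULE_PATH %s\ninclude $RULE_PATH/snort.rules\n' "$d/rules" > "$d/snort.conf"
    cat > "$d/bad.conf" <<EOF
# distro left unset while SO rules are requested; rule_path is a directory
sorule_path=$d/so_rules/
rule_path=$d/rules/
config_path=$d/snort.conf
EOF
    cat > "$d/good.conf" <<EOF
# Ubuntu-10-4 is illustrative; use a value listed in your pulledpork.conf
distro=Ubuntu-10-4
sorule_path=$d/so_rules/
rule_path=$d/rules/snort.rules
config_path=$d/snort.conf
EOF
    echo "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_configs)
    echo "== bad.conf";  run_checks "$d/bad.conf"
    echo "== good.conf"; run_checks "$d/good.conf"
    rm -rf "$d"
fi
```

Run it as `sh pp_check.sh demo` to see bad.conf fail checks 1 to 3 and good.conf pass; against a real deployment, call `run_checks /etc/snort/pulledpork.conf` and only launch pulledpork.pl when it exits 0. The same checks are worth re-running after every edit to pulledpork.conf, since PR's run above shows how a single trailing slash in -o turns an otherwise working rule update into a hard failure at the very end.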
Current thread:
- I'm getting close, I smell more bacon PR (Sep 15)
- Re: I'm getting close, I smell more bacon Joel Esler (Sep 14)
- Re: I'm getting close, I smell more bacon JJC (Sep 14)
- Re: I'm getting close, I smell more bacon PR (Sep 15)
- Re: I'm getting close, I smell more bacon JJC (Sep 14)
- Re: I'm getting close, I smell more bacon Joel Esler (Sep 14)