Snort mailing list archives
Re: pulledpork help
From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 12 Oct 2012 18:23:39 +0000
Right, so the version it's looking for, in regards to rules, is 2.9.3.0. The pulledpork.pl script pulls the version number it looks for from snort. You can either get the 2.9.3.0 rules or upgrade your snort to 2.9.3.1

On Fri, Oct 12, 2012 at 6:20 PM, Tony Reusser <treusser () filertel com> wrote:
[root@briareos snort]# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 8.31 2012-07-06
           Using ZLIB version: 1.2.3

-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Friday, October 12, 2012 12:15 PM
To: Tony Reusser
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] pulledpork help

What does 'snort -V' show?

On Fri, Oct 12, 2012 at 6:03 PM, Tony Reusser <treusser () filertel com> wrote:

My snort box:
CentOS 6.3
Snort vers 2.9.3
Standard barnyard/pulledpork/mysql/BASE setup

I'm fairly new to Snort. I've had it up and running for a couple of months now. About a month ago I downloaded the 2930 ruleset and successfully installed it using pulledpork. I am not a subscriber, so I only get the 'registered user' rulesets 30 days late. I'm fine with that as this whole thing is a learning process for me anyway. Because of that, I download the rule tarballs manually and place them in my /tmp folder on the snort machine. I run pulledpork with the /n option to process without downloading. With the latest rule tarball in /tmp, this should work right? It seemed to function properly with 2930. However, now that I've downloaded the 2931 ruleset, I get the following error when I run pulledpork. Why is it still looking for the 2930 file? I'm not a PERL guy, but line 1798 just refers to a variable $rule_file. Where is this actually defined? And why doesn't it reflect the current rule tarball file I have? Any help would be appreciated.

-Tony Reusser

[root@briareos pp]# ./pulledpork.pl -c ./etc/pulledpork.conf -E -n
http://code.google.com/p/pulledpork/
PulledPork v0.6.1 the Smoking Pig
Copyright (C) 2009-2011 JJ Cummings
cummingsj () gmail com
Rules give me wings!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
file /tmp//snortrules-snapshot-2930.tar.gz does not exist! at ./pulledpork.pl line 1798

file listing of /tmp:

[root@briareos pp]# ls -al /tmp
total 23280
drwxrwxrwt. 13 root    root        4096 Oct 12 11:39 .
dr-xr-xr-x. 26 root    root        4096 Oct 12 11:04 ..
-rw-r--r--.  1 root    root     1272869 Oct 12 09:32 emerging.rules.tar.gz
-rw-r--r--.  1 root    root           0 Oct 12 10:53 etpro.rules.tar.gz
srwxrwxr-x.  1 notroot notroot        0 Jul 31 11:46 gnome-system-monitor.treusser.2837431554
drwxrwxrwt.  2 root    root        4096 Oct 12 11:05 .ICE-unix
drwx------.  2 gdm     gdm         4096 Oct 12 11:06 orbit-gdm
-rw-rw-r--.  1 notroot notroot 22487562 Oct 12 11:19 snortrules-snapshot-2931.tar.gz
-r--r--r--.  1 root    root          11 Oct 12 11:05 .X0-lock
drwxrwxrwt.  2 root    root        4096 Oct 12 11:05 .X11-unix
-r--r--r--.  1 notroot notroot       11 Oct 12 11:05 .X1-lock
-rw-------.  1 root    root        1671 Oct  3 15:24 yum_save_tx-2012-10-03-15-24H0Dg_g.yumtx
-rw-------.  1 root    root        3856 Oct  8 08:56 yum_save_tx-2012-10-08-08-56ONmnWM.yumtx
-rw-------.  1 root    root        1204 Oct 11 11:20 yum_save_tx-2012-10-11-11-20aPV3jH.yumtx

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
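The version-to-tarball mapping Jeremy describes, as an added shell example that is not part of this thread or of pulledpork's own code: it parses the 'snort -V' banner, derives the snapshot file name pulledpork will ask for, and checks the rule directory for it, so a 2930/2931 mismatch like the one above shows up before pulledpork is run. The padding rule (a three-part version such as 2.9.3 gets a trailing 0, giving 2930) is an assumption inferred from the thread, and the banner text is a constructed sample.

```shell
#!/bin/sh
# Added example, not pulledpork's own code: reproduce the mapping the thread
# describes. pulledpork takes the version it wants from Snort itself, so a
# 2.9.3 engine asks for snortrules-snapshot-2930.tar.gz even when the 2931
# tarball is already sitting in the rule directory.

# Constructed copy of the 'snort -V' banner quoted in the thread (sample input).
SNORT_V_OUTPUT='   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
   """"    By Martin Roesch & The Snort Team'

# snort_version_tag BANNER: "2.9.3" -> "2930", "2.9.3.1" -> "2931".
# Assumption: a three-part version is padded with a trailing 0, which is
# what produces the 2930 name pulledpork asked for in the thread.
snort_version_tag() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 1
    tag=$(printf '%s' "$ver" | tr -d '.')
    dots=$(( $(printf '%s' "$ver" | tr -cd '.' | wc -c) ))
    [ "$dots" -eq 2 ] && tag="${tag}0"
    printf '%s\n' "$tag"
}

# expected_tarball BANNER: the file name pulledpork will look for.
expected_tarball() {
    tag=$(snort_version_tag "$1") || return 1
    printf 'snortrules-snapshot-%s.tar.gz\n' "$tag"
}

# check_rule_dir DIR BANNER: succeeds when the matching tarball is present,
# otherwise prints the same kind of complaint pulledpork does and fails.
check_rule_dir() {
    dir=$1
    file="$dir/$(expected_tarball "$2")"
    if [ -f "$file" ]; then
        printf 'found %s\n' "$file"
        return 0
    fi
    printf 'file %s does not exist!\n' "$file" >&2
    return 1
}

# On a live sensor (Snort prints its banner on stderr, hence 2>&1):
#   check_rule_dir /tmp "$(snort -V 2>&1)"
```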