Snort mailing list archives
so_rules are not processed by pulledpork under FreeBSD 9.1
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Thu, 9 May 2013 13:14:14 +0000
Hi all,
I ma trying to manage all snort rules using pulledpork under FreeBSD.
All works ok, except so_rules: never they are processed.
Pulledpork output:
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.2dev the Cigar Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2012 JJ Cummings
@_/ / 66\_ cummingsj () gmail com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Config File Variable Debug
/data/config/etc/idpsnort01/pulledpork/pulledpork.conf
snort_path = /usr/local/bin/snort
enablesid = /data/config/etc/idpsnort01/pulledpork/enablesid.conf
distro = FreeBSD-9-0
temp_path = /tmp
version = 0.6.1
sorule_path = /data/config/etc/idpsnort01/so_rules/
rule_path = /data/config/etc/idpsnort01/rules/all.rules
ignore = deleted.rules,experimental.rules,local.rules
rule_url = ARRAY(0x80258e5a0)
sid_msg_version = 1
sid_changelog = /tmp/sid_changes.log
out_path = /data/config/etc/idpsnort01/rules/
sid_msg = /data/config/etc/idpsnort01/sid-msg.map
ips_policy = security
config_path = /data/config/etc/idpsnort01/snort.conf
MISC (CLI and Autovar) Variable Debug:
Process flag specified!
arch Def is: x86-64
Config Path is: /data/config/etc/idpsnort01/pulledpork/pulledpork.conf
Distro Def is: FreeBSD-9-0
Keep rulefiles flag is Set
Keep rulefiles path: /data/config/etc/idpsnort01/rules/
security policy specified
No Download Flag is Set
Rules file is: /data/config/etc/idpsnort01/rules/all.rules
Path to enablesid file:
/data/config/etc/idpsnort01/pulledpork/enablesid.conf
sid changes will be logged to: /tmp/sid_changes.log
sid-msg.map Output Path is: /data/config/etc/idpsnort01/sid-msg.map
Snort Version is: 2.9.4.6
Snort Config File: /data/config/etc/idpsnort01/snort.conf
Snort Path is: /usr/local/bin/snort
SO Output Path is: /data/config/etc/idpsnort01/so_rules/
Will process SO rules
Verbose Flag is Set
Base URL is:
https://www.snort.org/reg-rules/|snortrules-snapshot-2945.tar.gz|69c3abc8e00c849390192c3e07666782df49abda
Prepping rules from snortrules-snapshot-2945.tar.gz for work....
extracting contents of /tmp/snortrules-snapshot-2945.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Extracted: /tha_rules/VRT-server-other.rules
Extracted: /tha_rules/VRT-pua-adware.rules
Extracted: /tha_rules/VRT-misc.rules
Extracted: /tha_rules/VRT-malware-backdoor.rules
Extracted: /tha_rules/VRT-indicator-compromise.rules
Extracted: /tha_rules/VRT-file-pdf.rules
Extracted: /tha_rules/VRT-content-replace.rules
Extracted: /tha_rules/VRT-file-identify.rules
Extracted: /tha_rules/VRT-browser-webkit.rules
Extracted: /tha_rules/VRT-specific-threats.rules
Extracted: /tha_rules/VRT-file-office.rules
Extracted: /tha_rules/VRT-rpc.rules
Extracted: /tha_rules/VRT-dns.rules
Extracted: /tha_rules/VRT-os-other.rules
Extracted: /tha_rules/VRT-snmp.rules
Extracted: /tha_rules/VRT-policy-other.rules
Extracted: /tha_rules/VRT-web-coldfusion.rules
Extracted: /tha_rules/VRT-protocol-voip.rules
Extracted: /tha_rules/VRT-file-image.rules
Extracted: /tha_rules/VRT-chat.rules
Extracted: /tha_rules/VRT-voip.rules
Extracted: /tha_rules/VRT-os-solaris.rules
Extracted: /tha_rules/VRT-pop3.rules
Extracted: /tha_rules/VRT-server-mssql.rules
Extracted: /tha_rules/VRT-preprocessor.rules
Extracted: /tha_rules/VRT-policy-social.rules
Extracted: /tha_rules/VRT-protocol-ftp.rules
Extracted: /tha_rules/VRT-server-webapp.rules
Extracted: /tha_rules/VRT-server-oracle.rules
Extracted: /tha_rules/VRT-scada.rules
Extracted: /tha_rules/VRT-other-ids.rules
Extracted: /tha_rules/VRT-server-apache.rules
Extracted: /tha_rules/VRT-sql.rules
Extracted: /tha_rules/VRT-icmp.rules
Extracted: /tha_rules/VRT-file-multimedia.rules
Extracted: /tha_rules/VRT-pua-p2p.rules
Extracted: /tha_rules/VRT-info.rules
Extracted: /tha_rules/VRT-pua-other.rules
Extracted: /tha_rules/VRT-server-mail.rules
Extracted: /tha_rules/VRT-netbios.rules
Extracted: /tha_rules/VRT-smtp.rules
Extracted: /tha_rules/VRT-protocol-icmp.rules
Extracted: /tha_rules/VRT-sensitive-data.rules
Extracted: /tha_rules/VRT-indicator-shellcode.rules
Extracted: /tha_rules/VRT-web-iis.rules
Extracted: /tha_rules/VRT-protocol-finger.rules
Extracted: /tha_rules/VRT-botnet-cnc.rules
Extracted: /tha_rules/VRT-pua-toolbars.rules
Extracted: /tha_rules/VRT-mysql.rules
Extracted: /tha_rules/VRT-virus.rules
Extracted: /tha_rules/VRT-protocol-imap.rules
Extracted: /tha_rules/VRT-malware-cnc.rules
Extracted: /tha_rules/VRT-web-misc.rules
Extracted: /tha_rules/VRT-tftp.rules
Extracted: /tha_rules/VRT-blacklist.rules
Extracted: /tha_rules/VRT-shellcode.rules
Extracted: /tha_rules/VRT-spyware-put.rules
Extracted: /tha_rules/VRT-exploit.rules
Extracted: /tha_rules/VRT-protocol-services.rules
Extracted: /tha_rules/VRT-browser-ie.rules
Extracted: /tha_rules/VRT-os-windows.rules
Extracted: /tha_rules/VRT-ddos.rules
Extracted: /tha_rules/VRT-attack-responses.rules
Extracted: /tha_rules/VRT-browser-firefox.rules
Extracted: /tha_rules/VRT-browser-chrome.rules
Extracted: /tha_rules/VRT-telnet.rules
Extracted: /tha_rules/VRT-browser-other.rules
Extracted: /tha_rules/VRT-icmp-info.rules
Extracted: /tha_rules/VRT-os-linux.rules
Extracted: /tha_rules/VRT-indicator-obfuscation.rules
Extracted: /tha_rules/VRT-policy-spam.rules
Extracted: /tha_rules/VRT-malware-tools.rules
Extracted: /tha_rules/VRT-x11.rules
Extracted: /tha_rules/VRT-p2p.rules
Extracted: /tha_rules/VRT-scan.rules
Extracted: /tha_rules/VRT-ftp.rules
Extracted: /tha_rules/VRT-malware-other.rules
Extracted: /tha_rules/VRT-web-php.rules
Extracted: /tha_rules/VRT-web-activex.rules
Extracted: /tha_rules/VRT-decoder.rules
Extracted: /tha_rules/VRT-web-frontpage.rules
Extracted: /tha_rules/VRT-rservices.rules
Extracted: /tha_rules/VRT-file-executable.rules
Extracted: /tha_rules/VRT-file-other.rules
Extracted: /tha_rules/VRT-backdoor.rules
Extracted: /tha_rules/VRT-multimedia.rules
Extracted: /tha_rules/VRT-web-client.rules
Extracted: /tha_rules/VRT-exploit-kit.rules
Extracted: /tha_rules/VRT-protocol-pop.rules
Extracted: /tha_rules/VRT-browser-plugins.rules
Extracted: /tha_rules/VRT-policy.rules
Extracted: /tha_rules/VRT-web-attacks.rules
Extracted: /tha_rules/VRT-imap.rules
Extracted: /tha_rules/VRT-file-flash.rules
Extracted: /tha_rules/VRT-nntp.rules
Extracted: /tha_rules/VRT-dos.rules
Extracted: /tha_rules/VRT-finger.rules
Extracted: /tha_rules/VRT-phishing-spam.rules
Extracted: /tha_rules/VRT-server-mysql.rules
Extracted: /tha_rules/VRT-oracle.rules
Extracted: /tha_rules/VRT-server-iis.rules
Extracted: /tha_rules/VRT-app-detect.rules
Extracted: /tha_rules/VRT-policy-multimedia.rules
Extracted: /tha_rules/VRT-pop2.rules
Extracted: /tha_rules/VRT-bad-traffic.rules
Extracted: /tha_rules/VRT-web-cgi.rules
Reading rules...
Reading rules...
Cleanup....
removed 108 temporary snort files or directories from /tmp/tha_rules!
Activating security rulesets....
Done
Processing /data/config/etc/idpsnort01/pulledpork/enablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 851 flowbits
Enabled 29 flowbits
Enabled 4 flowbits
Enabled 2 flowbits
Done
Writing rules to unique destination files....
Writing rules to /data/config/etc/idpsnort01/rules/
Done
Generating sid-msg.map....
Done
Writing v1 /data/config/etc/idpsnort01/sid-msg.map....
Done
Fly Piggy Fly!
And my pulledpork.conf:
#rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
# Ignored rules
ignore=deleted.rules,experimental.rules,local.rules
# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp
# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/data/config/etc/idpsnort01/rules/all.rules
# Output path for download rules
out_path=/data/config/etc/idpsnort01/rules/
# Location for sid-msg.map file
sid_msg=/data/config/etc/idpsnort01/sid-msg.map
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1
# Defined path for sid changelog file
sid_changelog=/tmp/sid_changes.log
# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/data/config/etc/idpsnort01/so_rules/
# Define your distro, this is for the precompiled shared object libs!
distro=FreeBSD-9-0
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/data/config/etc/idpsnort01/snort.conf
# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
#pid_path=/var/run/snort_em5.pid
# If you are using IP Reputation and getting some public lists, you
will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
#black_list=/data/config/etc/idpsnort01/iplists/default.blacklist
#IPRVersion=/data/config/etc/idpsnort01/iplists/
# Define local rules files
#local_rules=/data/config/etc/idpsnort01/rules/apt1.rules
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
enablesid=/data/config/etc/idpsnort01/pulledpork/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
#disablesid=/data/config/etc/idpsnort01/pulledpork/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
ips_policy=security
####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.
version=0.6.1
------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- so_rules are not processed by pulledpork under FreeBSD 9.1 C. L. Martinez (May 09)
- Re: so_rules are not processed by pulledpork under FreeBSD 9.1 C. L. Martinez (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 Seth Dunn (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 C. L. Martinez (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 Seth Dunn (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 C. L. Martinez (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 Seth Dunn (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 C. L. Martinez (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 C. L. Martinez (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 Seth Dunn (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 Seth Dunn (May 09)
- Re: so_rules are not processed by pulledpork underFreeBSD 9.1 Seth Dunn (May 09)
- Re: so_rules are not processed by pulledpork under FreeBSD 9.1 C. L. Martinez (May 09)