Snort mailing list archives
Is there something about pulledpork 0.7.0 I'm not getting?
From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sun, 26 Jan 2014 02:31:19 -0500
So I'll admit, I'm a little bit late to the party. I hadn't realized that pulled pork was updated nearly four months ago. Better late than never, I guess. In any case, as a part of a side project of mine that I've talked about on here before, I'm trying to integrate the newest version of pulled pork into my scripts and I'm running into a strange issue.

I have a script that calls pulledpork twice. The first time it calls pulledpork with the -g or "grab only" option to just pull down the rule files, and that's it. My script then unpacks the tarball and copies everything out of "etc" from the snortrules-snapshot file downloaded to where snort is installed and expects to find it. My script then runs pulledpork again with the -S option, the -c option (to my pulledpork.conf file), the -T option (text rules only) and the -n option, telling it that all the files it should need to do its job should be on the box already; don't try to download any files from the net.

The problem I'm running into is that running pulledpork.pl the second time around appears to do absolutely nothing. Running pulledpork in extra verbose mode seems to indicate that it unpacks the rules, then deletes them; it doesn't create a snort.rules file, so_rules.rules file, sid-msg.map file, or configure rules for a certain rule policy set (e.g. "Security over Connectivity"). Alternatively, if I run pulledpork without the -n option, everything just works the way I'm expecting it to -- snort.rules gets made, sid-msg.map gets created, and all is well with the universe. I've attached a copy of the pulledpork.conf I've used. It's stripped down, but it works. It almost feels like if you use the grab-only option, or if there is a snortrules-snapshot file in the working directory for pulledpork (/tmp in my case), pulledpork does nothing.

I've attached the output from the following command as the file "output1.txt" -- I figured attachments would probably be better than spewing output all over the mailing list -- using the exact pulledpork config above:

    perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S 2.9.5.6 -T -vv

"Run pulledpork, use my config file I provided. Download rules for Snort 2.9.5.6, process text rules only, print all debug information." Everything works as expected. Tarballs are pulled down, rules are processed, all is well with the world.

I also ran the following command, attached as the file "output2.txt":

    perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S 2.9.5.6 -g -vv

"Run pulledpork, use my config file I provided. Download rules for Snort 2.9.5.6. Don't do any further processing. Print all debug info." This command seems to run as expected, but according to verbose mode, it extracts all the rules, then removes the files. It still results in the tarballs being downloaded and left in /tmp to work with.

And this command, attached as the file "output3.txt":

    perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S 2.9.5.6 -T -n -vv

"Run pulledpork, use the config file I provided. Don't download anything, but process rules for Snort 2.9.5.6, text rules only. Print all debug info." This command doesn't seem to work at all. It appears to extract the rule tarball twice, then just bails out without processing any of the rules. So pulledpork knows the tarball is in the working directory, extracts it, but does no rule processing with it.

So... my work-around for now is to just download and process the rules up front, in one go, with the first command I ran. The rule tarball is still there for me to do my thing with after pulledpork processes the rules how I want it to. That's fine for me, but what about offline users who can't download the rule tarball from the internet, and have to sneakernet the tarball to the system they're running snort on (e.g. airgapped networks)?

Would this be considered a bug, or working as intended? Thank you for your insight in advance.

--
when does reality end? when does fantasy begin?
Attachments: output1.txt, pp.conf, output2.txt, output3.txt
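Added here as an illustration, not code from the thread or from the PulledPork project: shell helpers for the two-step offline workflow the post describes (stage the snapshot tarball's etc/ tree into the Snort config directory, then verify that the -n processing run actually produced snort.rules and sid-msg.map rather than silently doing nothing). It assumes a snortrules-snapshot tarball laid out as etc/ and rules/, a tar that supports --strip-components, and constructed file names and rule lines; pulledpork itself is not invoked.

```shell
#!/bin/sh
# Example helpers (not from the thread or PulledPork) for the grab-only / process-offline
# workflow. Assumes a snapshot tarball containing etc/ and rules/ and GNU or BSD tar.

# Copy the etc/ tree out of a rules snapshot tarball into the Snort config directory,
# which is what the poster's script does between the -g run and the -n run.
stage_snapshot_etc() {
    tarball=$1; snort_etc=$2
    [ -f "$tarball" ] || { echo "no tarball: $tarball" >&2; return 1; }
    mkdir -p "$snort_etc"
    tar -xzf "$tarball" -C "$snort_etc" --strip-components=1 etc
}

# Count enabled rules (lines that start with a rule action) in a processed rules file.
# Prints 0 for a missing or empty file instead of failing.
count_enabled_rules() {
    [ -f "$1" ] || { echo 0; return; }
    grep -Ec '^(alert|drop|pass|log|reject|sdrop)[[:space:]]' "$1" || true
}

# After a pulledpork run, confirm the artefacts a processing run must leave behind are
# present and non-empty and that at least one rule is enabled. A -n run that only
# extracts and deletes the tarball, as described in the post, fails this check.
verify_pulledpork_output() {
    rules_path=$1; sid_msg_map=$2
    status=0
    for f in "$rules_path" "$sid_msg_map"; do
        if [ ! -s "$f" ]; then echo "missing or empty: $f" >&2; status=1; fi
    done
    [ "$status" -eq 0 ] || return 1
    n=$(count_enabled_rules "$rules_path")
    [ "$n" -gt 0 ] || { echo "no enabled rules in $rules_path" >&2; return 1; }
    echo "ok: $n enabled rules in $rules_path"
}

# Intended order on a real box (paths and tarball name are assumed, not from the post):
#   perl pulledpork.pl -c pulledpork.conf -S 2.9.5.6 -g
#   stage_snapshot_etc /tmp/snortrules-snapshot-2956.tar.gz /etc/snort
#   perl pulledpork.pl -c pulledpork.conf -S 2.9.5.6 -T -n
#   verify_pulledpork_output /etc/snort/rules/snort.rules /etc/snort/sid-msg.map || exit 1
```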