Re: IP REP / Pulled Pork / Snort Difficulties

[Y M <snort () outlook com>]

Hi Bradley;
 
What I have noticed is that the ability to process IP lists "offline"/locally as PulledPork would with rulesets  dose 
not seem to be implemented. If it is, then both of us are making the same mistake :).  What I do is that I run 
PulledPork twice, once against the configs to process rulesets locally,  and the second time against configs to only 
fetch the IP list and process it. 
 
YM
 
> From: bturnbough () belcan com
> To: snort-users () lists sourceforge net
> Date: Thu, 6 Mar 2014 16:44:39 +0000
> Subject: [Snort-users] IP REP / Pulled Pork / Snort Difficulties
>
> Good Morning,
>
> I'm having some difficulties getting the ip reputation piece up and working the way that I want it.  Can someone 
> please correct me where I am wrong?
>
> PulledPork 0.7.0
> Snort 2.9.5.5
>
> PulledPork configuration:
> rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open<http://labs.snort.org/feeds/ip-filter.blf%7CIPBLACKLIST%7Copen>
> black_list=/etc/snort/rules/black_list-p2p1.rules
> IPRVersion=/etc/snort/rules/
>
> Snort configuration:
>
> var WHITE_LIST_PATH rules
> var BLACK_LIST_PATH rules
>
> preprocessor reputation: \
>    memcap 500, \
>    priority whitelist, \
>    nested_ip inner, \
> #   whitelist $WHITE_LIST_PATH/white_list-p2p1.rules, \
>    blacklist $BLACK_LIST_PATH/black_list-p2p1.rules
>
>
> I have a cron script that downloads the ip list every night at a predetermined time:
>
> wget -v http://labs.snort.org/feeds/ip-filter.blf -O /opt/pulledpork/tmp/sigs/IPBLACKLIST
>
> The machine has multiple interfaces, so I only want to download the file once and then process from that downloaded 
> copy for all interfaces. Pulled pork is run with the '-P' so that rules are processed even though they weren't 
> downloaded and '-n' "do everything other than download of new files (disablesid, etc).
>
> So, the steps would be:
>
> 1) download file and place it in /opt/pulledpork/tmp/sigs/IPBLACKLIST
> 2) run pulledpork and process the rules / ip lists.
> 3) PP then generates a ipblacklist file called 'black_list-p2p1.rules' and places it in 
> /etc/snort/rules/black_list-p2p1.rules
>
> Everything except for this ip reputation is working properly, and has been working properly for some time.
>
> Does anyone have a clue why this isn't working?
>
> Thanks,
>
> Brad
> _____________________________________________________________ This e-mail transmission contains information that is 
> confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail 
> in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any 
> disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the 
> message immediately by informing the sender that the message was misdirected. After replying, please erase it from 
> your computer system. Your assistance in correcting this error is appreciated.
>
> ------------------------------------------------------------------------------
> Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
> With Perforce, you get hassle-free workflows. Merge that actually works. 
> Faster operations. Version large binaries.  Built-in WAN optimization and the
> freedom to use Git, Perforce or both. Make the move to Perforce.
> http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!