Snort mailing list archives
Re: Pulledpork doesn't disable some rules
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Mon, 14 Apr 2014 05:54:47 +0000
On Fri, Apr 11, 2014 at 5:53 AM, C. L. Martinez <carlopmart () gmail com> wrote:
Hi all,

I have a strange problem with pulledpork 0.7.0. Under my disablesid.conf file, I have configured only two rules that need to be disabled:

    # Disable alert "ET MALWARE Simbar Spyware User-Agent Detected"
    1:2009005
    # Disable alert "ET POLICY Vulnerable Java Version 1.6.x Detected"
    1:2011582

For rule 2009005, pulledpork works as expected, it is disabled when pulledpork, but for rule 2011582 it doesn't work. It is always left enabled.

Running pulledpork from the command line, it seems everything works:

    Use of uninitialized value $Snort_path in -B at /usr/local/bin/pulledpork.pl line 1630.
    http://code.google.com/p/pulledpork/
    _____ ____
    `----,\ )
    `--==\\ / PulledPork v0.7.0 - Swine Flu!
    `--==\\/
    .-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
    @_/ / 66\_ cummingsj () gmail com
    | \ \ _(")
    \ /-| ||'--' Rules give me wings!
    \_\ \_\\
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Use of uninitialized value $Snort in pattern match (m//) at /usr/local/bin/pulledpork.pl line 1827.
    Use of uninitialized value $Snort in pattern match (m//) at /usr/local/bin/pulledpork.pl line 1831.
    Checking latest MD5 for emerging.rules.tar.gz....
    Rules tarball download of emerging.rules.tar.gz....
        They Match
        Done!
    Prepping rules from emerging.rules.tar.gz for work....
    Use of uninitialized value $ignore in split at /usr/local/bin/pulledpork.pl line 230.
        Done!
    Reading rules...
    Reading rules...
    Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
        Modified 2 rules
        Done
    Setting Flowbit State....
        Enabled 39 flowbits
        Done
    Writing rules to unique destination files....
        Writing rules to /data/config/etc/idpsuricata02/rules/
        Done
    Generating sid-msg.map....
        Done
    Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
        Done
    Fly Piggy Fly!

As you can see, pulledpork reads my disablesid.conf and tries to disable both rules, but this never happens for rule 2011582.

Any idea??

Thanks.
Please, any idea about this??