Snort mailing list archives
Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates
From: Y M <snort () outlook com>
Date: Fri, 29 Aug 2014 20:39:50 +0000
I see. I have always used -nP when processing rules locally. I just assumed that -n tells PulledPork not to reach the internet to download files, and then -P to do the actual processing of rules. That's how I read (assumed) it :).

YM

From: jason.weir () nhrs org
To: snort-users () lists sourceforge net
Date: Fri, 29 Aug 2014 20:12:42 +0000
Subject: Re: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Thanks, I've read the readme. I didn't equate -P to parse disablesid.conf because -n indicated it would (but doesn't). Am I reading things wrong?

Thanks!
-J

From: Y M [mailto:snort () outlook com]
Sent: Friday, August 29, 2014 4:07 PM
To: Weir, Jason
Cc: snort-users
Subject: RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

From: jason.weir () nhrs org
To: snort-users () lists sourceforge net
Date: Fri, 29 Aug 2014 20:02:22 +0000
Subject: Re: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

OK that worked, so what's the -n switch for then?

-n Do everything other than download of new files (disablesid, etc).

More info here: https://code.google.com/p/pulledpork/source/browse/trunk/README

From: Y M [mailto:snort () outlook com]
Sent: Friday, August 29, 2014 3:55 PM
To: Weir, Jason
Cc: snort-users
Subject: RE: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

Try running PulledPork with -P.

YM

From: jason.weir () nhrs org
To: snort-users () lists sourceforge net
Date: Fri, 29 Aug 2014 19:43:59 +0000
Subject: [Snort-users] PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates

I'm testing PP 0.7.0 and seeing what looks like a bug but want to confirm it's not a config issue on my end.

As I tune the sensor I add entries in each of the config files (enablesid, disablesid, modifysid conf files) and then run pulledpork and restart snort:

/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv

If there are no rule updates to download (from either VRT or ET) I get this output:

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
    snort_path = /usr/local/bin/snort
    enablesid = /usr/local/etc/snort/enablesid.conf
    modifysid = /usr/local/etc/snort/modifysid.conf
    IPRVersion = /usr/local/etc/snort/rules/iplists
    rule_path = /usr/local/etc/snort/rules/snort.rules
    ignore = deleted.rules,experimental.rules,local.rules
    state_order = disable,drop,enable
    snort_control = /usr/local/bin/snort_control
    rule_url = ARRAY(0x8e1aac8)
    sid_msg_version = 2
    sid_changelog = /var/log/sid_changes.log
    sid_msg = /usr/local/etc/snort/sid-msg.map
    config_path = /usr/local/etc/snort/snort.conf
    temp_path = /tmp
    distro = Debian-6-0
    version = 0.7.0
    sorule_path = /usr/local/lib/snort_dynamicrules/
    disablesid = /usr/local/etc/snort/disablesid.conf
    dropsid = /usr/local/etc/snort/dropsid.conf
    local_rules = /usr/local/etc/snort/rules/local.rules

MISC (CLI and Autovar) Variable Debug:
    arch Def is: i386
    Config Path is: /usr/local/etc/snort/pulledpork.conf
    Distro Def is: Debian-6-0
    Disabled policy specified
    local.rules path is: /usr/local/etc/snort/rules/local.rules
    Rules file is: /usr/local/etc/snort/rules/snort.rules
    Path to disablesid file: /usr/local/etc/snort/disablesid.conf
    Path to dropsid file: /usr/local/etc/snort/dropsid.conf
    Path to enablesid file: /usr/local/etc/snort/enablesid.conf
    Path to modifysid file: /usr/local/etc/snort/modifysid.conf
    sid changes will be logged to: /var/log/sid_changes.log
    sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
    Snort Version is: 2.9.6.2
    Snort Config File: /usr/local/etc/snort/snort.conf
    Snort Path is: /usr/local/bin/snort
    SO Output Path is: /usr/local/lib/snort_dynamicrules/
    Will process SO rules
    Extra Verbose Flag is Set
    Verbose Flag is Set

*********** Removed Download Logging where the checksums matched and there were no new rules to download *********************

Cleanup....
    removed 0 temporary snort files or directories from /tmp/tha_rules!
Writing /var/log/sid_changes.log....
    Done
No Rule Changes
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

If I delete all the rules and re-run PP I get the following output:

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
    snort_path = /usr/local/bin/snort
    enablesid = /usr/local/etc/snort/enablesid.conf
    modifysid = /usr/local/etc/snort/modifysid.conf
    IPRVersion = /usr/local/etc/snort/rules/iplists
    rule_path = /usr/local/etc/snort/rules/snort.rules
    ignore = deleted.rules,experimental.rules,local.rules
    state_order = disable,drop,enable
    snort_control = /usr/local/bin/snort_control
    rule_url = ARRAY(0xa41cac8)
    sid_msg_version = 2
    sid_changelog = /var/log/sid_changes.log
    sid_msg = /usr/local/etc/snort/sid-msg.map
    config_path = /usr/local/etc/snort/snort.conf
    temp_path = /tmp
    distro = Debian-6-0
    version = 0.7.0
    sorule_path = /usr/local/lib/snort_dynamicrules/
    disablesid = /usr/local/etc/snort/disablesid.conf
    dropsid = /usr/local/etc/snort/dropsid.conf
    local_rules = /usr/local/etc/snort/rules/local.rules

MISC (CLI and Autovar) Variable Debug:
    arch Def is: i386
    Config Path is: /usr/local/etc/snort/pulledpork.conf
    Distro Def is: Debian-6-0
    Disabled policy specified
    local.rules path is: /usr/local/etc/snort/rules/local.rules
    Rules file is: /usr/local/etc/snort/rules/snort.rules
    Path to disablesid file: /usr/local/etc/snort/disablesid.conf
    Path to dropsid file: /usr/local/etc/snort/dropsid.conf
    Path to enablesid file: /usr/local/etc/snort/enablesid.conf
    Path to modifysid file: /usr/local/etc/snort/modifysid.conf
    sid changes will be logged to: /var/log/sid_changes.log
    sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
    Snort Version is: 2.9.6.2
    Snort Config File: /usr/local/etc/snort/snort.conf
    Snort Path is: /usr/local/bin/snort
    SO Output Path is: /usr/local/lib/snort_dynamicrules/
    Will process SO rules
    Extra Verbose Flag is Set
    Verbose Flag is Set

*********** Removed Download Logging where the checksums didn't match and the rules files were downloaded *********************

Prepping rules from opensource.gz for work....
**************removed extra logging *****************
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
**************removed extra logging *****************
Prepping rules from emerging.rules.tar.gz for work....
**************removed extra logging *****************
Prepping rules from community-rules.tar.gz for work....
**************removed extra logging *****************
Generating Stub Rules....
    Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/tmp/tha_rules/so_rules/
    An error occurred: WARNING: ip4 normalizations disabled because not inline.
    An error occurred: WARNING: tcp normalizations disabled because not inline.
    An error occurred: WARNING: icmp4 normalizations disabled because not inline.
    An error occurred: WARNING: ip6 normalizations disabled because not inline.
    An error occurred: WARNING: icmp6 normalizations disabled because not inline.
    Dumping dynamic rules...
**************removed extra logging *****************
    Finished dumping dynamic rules.
    Done
Reading rules...
Reading rules...
Cleanup....
    removed 202 temporary snort files or directories from /tmp/tha_rules!
Modifying Sids....
    Done!
Processing /usr/local/etc/snort/disablesid.conf....
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Disabled 1:xxxxxxx
    Modified 8 rules
    Done
Processing /usr/local/etc/snort/dropsid.conf....
    Modified 0 rules
    Done
Processing /usr/local/etc/snort/enablesid.conf....
    Modified 0 rules
    Done
Setting Flowbit State....
    Enabled 119 flowbits
    Done
Writing /usr/local/etc/snort/rules/snort.rules....
    Done
Generating sid-msg.map....
    Done
Writing v2 /usr/local/etc/snort/sid-msg.map....
    Done
Writing /var/log/sid_changes.log....
    Done
Rule Stats...
    New:-------344
    Deleted:---16
    Enabled Rules:----21793
    Dropped Rules:----0
    Disabled Rules:---20007
    Total Rules:------41800
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Next, if I go into disablesid.conf and add another entry and re-run PP, I get the same output as the first run; the new entry in disablesid.conf doesn't get parsed or disabled in the snort.rules file.

Any ideas?

Jason

------------------------------------------------------------------------------
Slashdot TV. Video for Nerds. Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
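The symptom in this thread is that a disablesid.conf entry can be added and PulledPork run without the entry ever reaching snort.rules, and nothing in the verbose output flags it. The script below is an added example (not PulledPork code and not posted by anyone in the thread) of the check a sensor operator would run right after `pulledpork.pl -c pulledpork.conf -nP` and before restarting Snort: it reads every gid:sid from disablesid.conf and reports any that are still active, uncommented rules in the generated snort.rules. It assumes plain `gid:sid` lines in disablesid.conf (ranges and `pcre:` entries are not handled), treats a rule without an explicit gid as gid 1, and builds constructed sample files in a scratch directory so it runs offline; the real paths from the thread (/usr/local/etc/snort/...) would be substituted on a sensor.

```shell
#!/bin/sh
# Added example, not PulledPork code. Verifies that every gid:sid listed in a
# disablesid.conf is commented out in the snort.rules PulledPork wrote, so a
# silently skipped processing pass is caught before Snort is restarted.
# Assumptions: disablesid.conf holds plain "gid:sid" lines (ranges and pcre:
# entries are not handled); a rule line with no explicit gid is gid 1.

# Build constructed sample inputs (not real sensor files) in a scratch dir.
mk_samples() {
  dir=$(mktemp -d)
  cat > "$dir/disablesid.conf" <<'EOF'
# constructed disablesid.conf
1:2000001
1:2000002
1:2000003
EOF
  cat > "$dir/snort.rules" <<'EOF'
# constructed snort.rules in the form PulledPork writes: disabled rules are commented out
# alert tcp any any -> any 80 (msg:"disabled one"; sid:2000001; gid:1; rev:1;)
alert tcp any any -> any 443 (msg:"should be disabled but is not"; sid:2000002; rev:1;)
# alert udp any any -> any 53 (msg:"disabled three"; sid:2000003; rev:2;)
alert tcp any any -> any 22 (msg:"unrelated, stays enabled"; sid:2000004; rev:1;)
EOF
  printf '%s\n' "$dir"
}

# Print each gid:sid from $1 (disablesid.conf) that is still an active,
# uncommented rule in $2 (snort.rules). Prints nothing when all were applied.
check_disabled() {
  conf=$1
  rules=$2
  # drop comment and blank lines, then split "gid:sid" on the colon
  grep -Ev '^[[:space:]]*(#|$)' "$conf" | while IFS=: read -r gid sid; do
    sid=$(printf '%s' "$sid" | tr -d '[:space:]')
    # active rules are the lines not starting with '#'; match "sid:NNN;" as a token
    if grep -Ev '^[[:space:]]*#' "$rules" | grep -Eq "[[:space:];(]sid:${sid};"; then
      printf '%s:%s\n' "$gid" "$sid"
    fi
  done
}

# Stand-alone run on the constructed samples.
samples=$(mk_samples)
left=$(check_disabled "$samples/disablesid.conf" "$samples/snort.rules")
if [ -n "$left" ]; then
  printf 'disablesid entries still active in snort.rules:\n%s\n' "$left"
else
  printf 'all disablesid entries applied\n'
fi
rm -rf "$samples"
```

On a real sensor, call `check_disabled /usr/local/etc/snort/disablesid.conf /usr/local/etc/snort/rules/snort.rules` after PulledPork finishes and gate the Snort restart on empty output; an entry listed here means the pass that reads disablesid.conf did not run (the situation the thread resolves with -P), not that the SID is absent from the rule set.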
Current thread:
- PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Weir, Jason (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Doug Burks (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Y M (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Weir, Jason (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Y M (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Weir, Jason (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Y M (Aug 29)
- Re: PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates Weir, Jason (Aug 29)