Snort mailing list archives

Re: Manually download and install Snort Rules updates


From: Y M <snort () outlook com>
Date: Mon, 20 Oct 2014 23:44:04 +0300

Yes, from the pulledpork.conf file.

PulledPork v0.7 no longer maintains a separate file for so_rules, all rules go into the snort.rules file (except 
local.rule).

You may be able to just copy without hiccups, as long as all configurations and versions match. You will be better off 
having everything set up so you won't have to worry about it every time you need to update.

Sent from Mobile

-----Original Message-----
From: "Hanson.Webster () salemfive com" <Hanson.Webster () salemfive com>
Sent: 10/20/2014 11:25 PM
Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Manually download and install Snort Rules updates

How do I know where PulledPork reads the tarball from? Is it in the pulledpork.conf file or the pulledpork.pl script?
Also could I just copy over the snort.rules and so_rules.rules files from one device to another?
From: Y M [mailto:snort () outlook com] 
Sent: Monday, October 20, 2014 3:34 PM
To: Webster, Hanson
Cc: snort-sigs
Subject: RE: [Snort-sigs] Manually download and install Snort Rules updates
From: Hanson.Webster () salemfive com
To: snort-sigs () lists sourceforge net
Date: Mon, 20 Oct 2014 19:16:55 +0000
Subject: [Snort-sigs] Manually download and install Snort Rules updates

I am getting an error when downloading Snort rules updates with pulledpork:

Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2962.tar.gz.md5 at 
/usr/local/snort/pulledpork/pulledpork.pl line 453
main::md5file('5bdefe8b8ab9de3c9b8bc4d1f85a353d96d05f36', 'snortrules-snapshot-2962.tar.gz', '/tmp/', 
'https://www.snort.org/reg-rules/') called at /usr/local/snort/pulledpork/pulledpork.pl line 1758

I believe it is a network/firewall issue as this IDS is on a different segment of the network and the other SNORT 
devices we have are able to successfully download the rules. Until I can get our networking guys to fix this, is 
there a way to do this manually? 

You can either download them directly from snort.org and scp them to the box or you can copy them from other sensors 
you have. In either case, you would place the rules tarball into the directory where PulledPork is configured to read 
the tarball from. For example, PulledPork is configured to read the tarball from /tmp; this is where you want to copy 
the tarball.

Could I take the rules that are downloaded to one of the other devices and copy them to this box? Where would I find 
the rules and where would I copy them to?

Once the tarball is copied as explained above, you will run PulledPork with some extra parameters, in addition to the 
ones you have already, to update the rules locally: -nP

-n Do everything other than download of new files (disablesid, etc)
-P Process rules even if no new rules were downloaded

This will force PulledPork to process the tarball from the local disk instead of downloading the tarball from the 
internet.

YM

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
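The staging procedure described in this thread (copy the rules tarball from a sensor that can reach snort.org into the directory PulledPork reads it from, then run pulledpork.pl with -n -P), written out as a small POSIX shell helper. This is an added example, not code from the thread or from the PulledPork project. It assumes /tmp as PulledPork's configured temp_path and the pulledpork.pl / pulledpork.conf locations shown in the error output above; it also assumes you copy the tarball's .md5 sidecar from the working sensor, so that the MD5 check PulledPork could not complete (the Error 500 on the .md5 fetch) is done locally before anything is processed. The sample tarball used in the usage note is constructed on the fly.

```shell
#!/bin/sh
# Added example: stage a Snort rules tarball for an offline PulledPork run.
# Assumptions (not from the thread): temp_path=/tmp in pulledpork.conf, and
# pulledpork.pl / pulledpork.conf live under /usr/local/snort/pulledpork/.

# Print the MD5 of a file; works with GNU md5sum (Linux) or BSD md5 (macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Compare a tarball against the hash in its sidecar .md5 file.
# The sidecar is expected to hold "<hash>  <filename>"; only the first field
# is used. Returns 0 on match, 1 on mismatch (a corrupt or truncated copy).
verify_tarball() {
    tarball=$1
    md5file=$2
    expected=$(awk 'NR==1 {print $1}' "$md5file")
    actual=$(md5_of "$tarball")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Copy the verified tarball into PulledPork's temp_path. Refuses to stage a
# tarball whose hash does not match, so a bad copy never reaches the sensor.
stage_tarball() {
    tarball=$1
    md5file=$2
    dest=${3:-/tmp}          # assumed temp_path from pulledpork.conf
    if ! verify_tarball "$tarball" "$md5file"; then
        echo "MD5 mismatch for $tarball; not staging" >&2
        return 1
    fi
    cp "$tarball" "$dest"/ && echo "staged $(basename "$tarball") in $dest"
}

# Run PulledPork against the staged tarball without touching the network:
# -n  do everything other than download of new files
# -P  process rules even if no new rules were downloaded
# -c  is PulledPork's config-file option.
run_pulledpork_offline() {
    conf=${1:-/usr/local/snort/pulledpork/pulledpork.conf}
    pp=${2:-/usr/local/snort/pulledpork/pulledpork.pl}
    if [ ! -f "$pp" ]; then
        echo "pulledpork.pl not found at $pp" >&2
        return 2
    fi
    perl "$pp" -c "$conf" -n -P
}

# Usage: sh stage_rules.sh <tarball> <tarball.md5> [temp_path]
if [ "$#" -ge 2 ]; then
    stage_tarball "$1" "$2" "${3:-/tmp}" && run_pulledpork_offline
fi
```

Run it on the sensor that cannot reach snort.org after scp'ing both snortrules-snapshot-2962.tar.gz and its .md5 from a working sensor; the hash check catches an interrupted copy before PulledPork extracts anything, and the -n -P run then processes the staged tarball exactly as the thread describes.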
