Snort mailing list archives
Re: Strange events happening after installing PulledPork
From: "Michael Steele" <michaels () winsnort com>
Date: Tue, 28 Apr 2015 15:03:03 -0400
Here is a new run. It looks like the file in question is getting created. However, there are a couple of errors above the creation of the file. The file is getting a new creation date.

Barnyard2 .conf:

config sid_file: d:\winids\snort\etc\sid-msg.map

Is there a way to verify the correct file is being written?

C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T -nP

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'uname' is not recognized as an internal or external command,
operable program or batch file.
Prepping rules from snortrules-snapshot-2972.tar.gz for work....
No such file in archive: 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
        Done!
Prepping rules from snortrules-snapshot-2972.tar.gz for work....
No such file in archive: 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
        Done!
Reading rules...
readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 558.
readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 558.
readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 558.
Activating security rulesets....
        Done
Modifying Sids....
        Done!
Processing d:\winids\pulledpork\etc\enablesid.conf....
        Modified 0 rules
        Done
Processing d:\winids\pulledpork\etc\dropsid.conf....
        Modified 0 rules
        Done
Processing d:\winids\pulledpork\etc\disablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 775 flowbits
        Enabled 25 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
Writing d:\winids\snort\rules\winids.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 d:\winids\snort\etc\sid-msg.map....
        Done
Writing d:\winids\snort\log\sid_changes.log....
        Done
Rule Stats...
        New:-------24101
        Deleted:---0
        Enabled Rules:----9365
        Dropped Rules:----0
        Disabled Rules:---14736
        Total Rules:------24101
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Tuesday, April 28, 2015 1:51 PM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Strange events happening after installing PulledPork

Looks like your barnyard instance (or something) isn't reading from the correct sid-msg.map file?

On Apr 28, 2015, at 12:20 AM, Michael Steele <michaels () winsnort com> wrote:

I'm not sure what's going on. I just set up a new PulledPork instance, and it's set to security for the rule set. My previous instance ran a full set of rules for testing and I didn't see the events below being logged. I'm getting hundreds of the events below. I'm only seeing this after setting up PulledPork 0.7.0.

04/28-00:11:04.389178 [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.758601 [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.781636 [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:57503 -> 239.255.255.250:1900
04/28-00:11:05.758296 [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:06.192448 [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:55549 -> 192.168.0.255:32412

Any ideas why I'm getting these with PulledPork?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
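The check asked for in the thread ("Is there a way to verify the correct file is being written?") can be scripted. What follows is an added example, not code from the thread, from PulledPork or from barnyard2. It pulls the path out of the "config sid_file:" line of barnyard2.conf, parses that sid-msg.map (the v1 layout PulledPork 0.7.0 writes, "sid || msg || refs...", or the v2 layout with a "#v2" header and a leading gid column), and for each alert whose message is the "Snort Alert [gid:sid:rev]" placeholder that barnyard2 emits when it has no map entry for the event, reports whether that sid is in fact present in the map. All file contents embedded below are constructed samples (the 1:1620 message text is invented for illustration), and the script name check_sidmap.py is an assumption.

```python
"""check_sidmap.py: is barnyard2 reading the sid-msg.map PulledPork wrote?

Added example for the Snort-users thread; not PulledPork or barnyard2 code.
Sample file contents are constructed; paths shown are illustrative only.
"""
import os
import re
import sys
import time
from typing import Dict, List, Optional, Tuple

SidKey = Tuple[int, int]  # (gid, sid)

# Constructed sample of a v1 sid-msg.map: sid || msg || ref || ref ...
SAMPLE_SID_MSG_MAP = """\
1000 || Sample rule with no references
1620 || Sample message for sid 1620 || url,example.invalid/doc
2100 || Another sample || cve,2015-0000 || bugtraq,1
"""

# Constructed sample of the relevant barnyard2.conf lines.
SAMPLE_BARNYARD2_CONF = r"""
# input/output plugin lines elided
config sid_file: d:\winids\snort\etc\sid-msg.map
config gen_file: d:\winids\snort\etc\gen-msg.map
"""

# Constructed alert_fast lines of the shape reported in the thread.
SAMPLE_ALERTS = """\
04/28-00:11:04.389178 [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:05.000000 [**] [1:9999:1] Snort Alert [1:9999:1] [**]
04/28-00:11:06.000000 [**] [1:2100:3] Another sample [**]
"""

SID_FILE_RE = re.compile(r"^\s*config\s+sid_file:\s*(\S.*?)\s*$", re.MULTILINE)
# Message field equal to "Snort Alert [gid:sid:rev]" for the same gid:sid:rev.
PLACEHOLDER_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]\s+Snort Alert\s+\[\1:\2:\3\]")


def parse_sid_msg_map(text: str) -> Dict[SidKey, str]:
    """Parse a sid-msg.map into {(gid, sid): msg}.

    v1 entries carry no gid and are keyed under gid 1, the gid barnyard2
    resolves through sid-msg.map (preprocessor gids come from gen-msg.map).
    A file whose first line starts with '#v2' uses 'gid || sid || msg || refs'.
    """
    lines = text.splitlines()
    v2 = bool(lines) and lines[0].strip().lower().startswith("#v2")
    mapping: Dict[SidKey, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        try:
            if v2:
                key, msg = (int(fields[0]), int(fields[1])), fields[2]
            else:
                key, msg = (1, int(fields[0])), fields[1]
        except (IndexError, ValueError):
            continue  # malformed line: skip it rather than abort the check
        mapping[key] = msg
    return mapping


def sid_file_from_conf(conf_text: str) -> Optional[str]:
    """Return the path named by 'config sid_file:' in barnyard2.conf, or None."""
    m = SID_FILE_RE.search(conf_text)
    return m.group(1) if m else None


def placeholder_alerts(alert_text: str, mapping: Dict[SidKey, str]
                       ) -> List[Tuple[Tuple[int, int, int], bool]]:
    """For each placeholder alert, return ((gid, sid, rev), sid_is_in_map).

    True: the map we were handed has the message, so the barnyard2 that wrote
    the alert was reading a different file or a copy from before the rewrite.
    False: the sid is genuinely absent from this map.
    """
    found = []
    for line in alert_text.splitlines():
        m = PLACEHOLDER_RE.search(line)
        if m:
            gid, sid, rev = (int(x) for x in m.groups())
            found.append(((gid, sid, rev), (gid, sid) in mapping))
    return found


def main(argv: List[str]) -> int:
    """Usage: check_sidmap.py <barnyard2.conf> <alert_file>; no args = samples."""
    if len(argv) == 3:
        conf_text = open(argv[1], encoding="utf-8", errors="replace").read()
        alert_text = open(argv[2], encoding="utf-8", errors="replace").read()
        path = sid_file_from_conf(conf_text)
        if path is None:
            print("no 'config sid_file:' directive in", argv[1])
            return 2
        # Modification time tells you whether PulledPork's last run touched it.
        print("sid_file:", path, "mtime:", time.ctime(os.path.getmtime(path)))
        map_text = open(path, encoding="utf-8", errors="replace").read()
    else:
        path = sid_file_from_conf(SAMPLE_BARNYARD2_CONF)
        print("sid_file (sample conf):", path)
        map_text, alert_text = SAMPLE_SID_MSG_MAP, SAMPLE_ALERTS
    mapping = parse_sid_msg_map(map_text)
    print(len(mapping), "sids parsed from map")
    for (gid, sid, rev), present in placeholder_alerts(alert_text, mapping):
        verdict = ("IN MAP: barnyard2 is not reading this file, or read a stale copy"
                   if present else "NOT in map")
        print(f"{gid}:{sid}:{rev} placeholder alert -> {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the sensor against the real barnyard2.conf and alert file. If the placeholder sids come back as present in the map, the running barnyard2 is either pointed at a different file than the one PulledPork writes or was started before the map was regenerated; barnyard2 loads the map when it starts, so restart it after each PulledPork run and the messages should resolve.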
Current thread:
- Strange events happening after installing PulledPork Michael Steele (Apr 27)
- Re: Strange events happening after installing PulledPork Joel Esler (jesler) (Apr 28)
- Re: Strange events happening after installing PulledPork Michael Steele (Apr 28)
- Re: Strange events happening after installing PulledPork Joel Esler (jesler) (Apr 28)
- Re: Strange events happening after installing PulledPork Michael Steele (Apr 28)
- Re: Strange events happening after installing PulledPork Joel Esler (jesler) (Apr 28)