Snort mailing list archives
Re: snort and snort-rules/ET alerts
From: Michael Shirk <shirkdog.bsd () gmail com>
Date: Fri, 2 Dec 2016 15:28:21 -0500
If it does not work, run the latest pulledpork with -vvv to see where things are at, and post it as an issue on the GitHub repo. The Snort policy is a special case, but without using -I, all SIGs should be processed and loaded up, as this is how it works for me.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 2, 2016 3:22 PM, "Keith Pachulski" <keith.pachulski () healthnetworklabs com> wrote:

> For giggles' sake I reran it as:
>
>     /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf -I security
>
> HUP'd snort.. waiting to see what happens.. so far just ET sigs and preprocessors again
>
> From: Joel Esler (jesler) [mailto:jesler () cisco com]
> Sent: Friday, December 02, 2016 3:06 PM
> To: Y M
> Cc: Keith Pachulski; snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort and snort-rules/ET alerts
>
> Is that intentional? I thought the default behavior without policy specification is "as is, shipped". If not, we should fix that (it's been a while since I've actually *used* pulledpork).
>
> --
> Joel Esler | Talos: Manager | jesler () cisco com
>
> On Dec 2, 2016, at 2:52 PM, Y M <snort () outlook com> wrote:
>
> > The PulledPork command does not specify any rules policy (connectivity, balanced, security) to allow PulledPork to enable the rules. Try running PulledPork with -I <policy>. Keep in mind that this may mess up your ET rules enablement since ET rules do not contain rules policy metadata.
> >
> > YM
> >
> > On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski" <keith.pachulski@ healthnetworklabs.com> wrote:
> >
> > > Pulledpork Cronjob
> > >
> > >     0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf
> > >
> > > Pulledpork Config
> > >
> > >     rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|<>
> > >     rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
> > >     ignore=deleted.rules,experimental.rules
> > >     temp_path=/tmp
> > >     rule_path=/home/snort/rules/snort.rules
> > >     local_rules=/home/snort/rules/local.rules
> > >     sid_msg=/home/snort/rules/etc/sid-msg.map
> > >     sid_msg_version=1
> > >     sid_changelog=/home/snort/rules/pullpork-sid_changes.log
> > >     sorule_path=/usr/local/lib/snort_dynamicrules/
> > >     snort_path=/usr/local/bin/snort
> > >     config_path=/home/snort/rules/snort.conf
> > >     distro=Ubuntu-12-04
> > >     black_list=/home/snort/rules/black_list.rules
> > >     IPRVersion=/home/snort/rules/iplists
> > >
> > > This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
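As an added illustration of the point Y M and Joel are arguing over (this is example code written for this archive page, not PulledPork's own code and not from any message in the thread), the following Python model shows how a policy-aware rule manager behaves with and without an -I policy: with no policy every rule keeps its shipped enabled/disabled state, and with a policy selected the rules whose "policy <name>-ips" metadata names that policy are enabled and every other rule is disabled, which is what knocks out Emerging Threats rules that carry no policy metadata. The three sample rules and their SIDs are constructed, the regexes cover only the rule syntax those samples use, and the keep_unlabelled switch is a hypothetical knob of this model; PulledPork's exact handling of unlabelled rules and its alert-to-drop action rewriting are not reproduced here.

```python
"""Toy model of policy-based rule enablement, in the spirit of pulledpork -I.

Added example for the snort-users thread above.  Not PulledPork's code; the
sample rules below are constructed and their SIDs are not real rule SIDs.
"""
import re

# Constructed sample rule file: two Talos/VRT-style rules carrying
# "policy <name>-ips" metadata (the second one shipped disabled) and one
# Emerging-Threats-style rule with metadata but no policy entries at all.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SERVER-SAMBA sample rule"; flow:to_server,established; metadata:policy balanced-ips drop, policy security-ips drop, service netbios-ssn; classtype:attempted-admin; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-WEBAPP sample rule"; flow:to_server,established; metadata:policy security-ips drop, service http; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN sample rule"; flow:to_server; metadata:created_at 2016_12_02, updated_at 2016_12_02; classtype:attempted-recon; sid:2000001; rev:1;)
"""

# A leading "#" means the rule shipped disabled.  Deliberately minimal rule
# grammar: just enough for the constructed samples, not a full Snort parser.
RULE_RE = re.compile(r'^(?P<off>#\s*)?(?P<body>(?:alert|drop|pass|log|reject|sdrop)\s.*\))\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
META_RE = re.compile(r'\bmetadata:\s*([^;]*);')
POLICY_RE = re.compile(r'policy\s+([a-z-]+?)-ips\s+(alert|drop)')


def parse_rules(text):
    """Return one dict per rule: sid, shipped enabled state, policy map, body."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue                      # blank line or ordinary comment
        body = m.group('body')
        sid = SID_RE.search(body)
        if not sid:
            continue                      # not a rule we can track by SID
        meta = META_RE.search(body)
        policies = dict(POLICY_RE.findall(meta.group(1))) if meta else {}
        rules.append({
            'sid': int(sid.group(1)),
            'enabled': m.group('off') is None,
            'policies': policies,         # e.g. {'balanced': 'drop', 'security': 'drop'}
            'body': body,
        })
    return rules


def apply_ips_policy(rules, ips_policy=None, keep_unlabelled=False):
    """Return {sid: enabled} after applying a policy.

    ips_policy=None      -> every rule keeps its shipped state ("as is, shipped").
    ips_policy='security' -> enable rules whose metadata names that policy,
                            disable the rest; rules with no policy metadata at
                            all (the ET case) are disabled too.
    keep_unlabelled=True  -> hypothetical switch for this model only: rules with
                            no policy metadata keep their shipped state instead.
    """
    state = {}
    for r in rules:
        if ips_policy is None:
            state[r['sid']] = r['enabled']
        elif not r['policies'] and keep_unlabelled:
            state[r['sid']] = r['enabled']
        else:
            state[r['sid']] = ips_policy in r['policies']
    return state


def render(rules, state):
    """Write the rules back out, commenting out the ones the policy disabled."""
    return '\n'.join(('' if state[r['sid']] else '# ') + r['body'] for r in rules)


if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for label, policy, keep in (('no -I', None, False),
                                ('-I security', 'security', False),
                                ('-I security, unlabelled kept', 'security', True)):
        print(f'== {label} ==')
        print(render(rules, apply_ips_policy(rules, policy, keep)))
```

Running the block prints the three outcomes: with no policy the shipped states survive (the ET rule stays on, the second Talos rule stays off), with -I security the ET rule is commented out alongside any Talos rule whose metadata lacks that policy, and only the model's keep_unlabelled switch brings the ET rule back. Whether a given PulledPork version protects unlabelled rules on its own is exactly what the thread leaves open, so verify against the -vvv output Michael suggests rather than assuming either behaviour.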
Current thread:
- snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 02)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts Y M (Dec 02)
- Re: snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 02)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts Michael Shirk (Dec 02)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts James Lay (Dec 02)
- Re: snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 02)
- Re: snort and snort-rules/ET alerts Marcin Dulak (Dec 02)
- Re: snort and snort-rules/ET alerts Marcin Dulak (Dec 02)
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Steele (Dec 03)
- Message not available
- Message not available
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Steele (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Shirk (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 03)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 02)