Snort mailing list archives

Re: [Snort-users] snort and snort-rules/ET alerts


From: "Michael Steele" <michaels () winsnort com>
Date: Sat, 3 Dec 2016 09:06:26 -0500

PulledPork will pull the version of Snort, unless you are using Windows, and then you need to make SURE the version is updated in pulledpork.conf with every new version of the rules that are released.

 

There should be some ingenious way for PulledPork to pull the version of Snort using Windows. This may take a 
collaboration between the Snort development team and the PulledPork programmer.

 

Kindest regards,

Michael...

 

WINSNORT.com Management

--

****************** Established ~ 2001 *******************

*          Visit Us @ http://www.winsnort.com           *

*      ~~ FREE WinIDS Snort installation guides ~~      *

*               ~~ FREE support forums ~~               *

* Snort: Open Source Network IDS - http://www.snort.org *

*********************************************************
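
Added example (not code from this thread, and not PulledPork's own code), in Python, modelling the two PulledPork behaviours the thread turns on: how a bare `snortrules-snapshot.tar.gz` in `rule_url` becomes a versioned tarball name taken from the local `snort -V` banner (Marcin's point), and what `-I <policy>` does to rules that carry `metadata:policy ...` versus rules that carry none (YM's warning that ET rules, which have no policy metadata, get switched off). The banner text, rule lines and SIDs are constructed for the example; the dot-stripping of the version number and the enable/disable decision are modelled on PulledPork's documented behaviour, not copied from pulledpork.pl.

```python
import re

# Constructed sample of the `snort -V` banner (real output has more lines).
SNORT_V_BANNER = """\
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team
"""


def tarball_name_from_banner(banner, base="snortrules-snapshot"):
    """Turn the bare tarball name into the versioned one Talos publishes.

    Assumption, modelled on PulledPork rather than copied from it: the dotted
    Snort version is collapsed to digits, so 2.9.8.3 -> snortrules-snapshot-2983.tar.gz.
    """
    m = re.search(r"Version\s+(\d+(?:\.\d+)+)", banner)
    if not m:
        raise ValueError("no Snort version found in banner")
    return "%s-%s.tar.gz" % (base, m.group(1).replace(".", ""))


# Constructed rule lines with hypothetical SIDs. The first three mimic Talos
# (VRT) rules, which carry policy metadata; the last mimics an ET rule, which does not.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"VRT sample A"; sid:9000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"VRT sample B"; sid:9000002; rev:1; metadata:policy security-ips alert;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"VRT sample C"; sid:9000003; rev:1; metadata:policy connectivity-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET sample D"; sid:2900001; rev:1;)
"""

# A leading "#" means the rule ships disabled; the sid keyword identifies the rule.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|drop|sdrop|reject|log|pass)\s.*?\bsid:\s*(\d+)")
# Each "policy <name>-ips <alert|drop>" item inside the metadata keyword.
POLICY_RE = re.compile(r"\bpolicy\s+(\S+)\s+(alert|drop)")


def parse_rules(text):
    """Return one dict per rule: sid, shipped enable state, and its policy set."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        policies = {}
        meta = re.search(r"metadata:([^;]*);", line)
        if meta:
            for name, action in POLICY_RE.findall(meta.group(1)):
                policies[name] = action
        rules.append({
            "sid": int(m.group(3)),
            "shipped_enabled": m.group(1) is None,
            "policies": policies,
        })
    return rules


def apply_policy(rules, policy=None):
    """Map sid -> enabled after PulledPork-style policy selection.

    policy=None is the "as shipped" case (no -I): each rule keeps its shipped state.
    policy="security" (etc.) enables exactly the rules whose metadata names
    <policy>-ips and disables every other rule, ET rules included.
    """
    result = {}
    for r in rules:
        if policy is None:
            result[r["sid"]] = r["shipped_enabled"]
        else:
            result[r["sid"]] = ("%s-ips" % policy) in r["policies"]
    return result


def rules_without_policy_metadata(rules):
    """SIDs that any -I <policy> run would switch off because they carry no policy at all."""
    return sorted(r["sid"] for r in rules if not r["policies"])


if __name__ == "__main__":
    print(tarball_name_from_banner(SNORT_V_BANNER))
    parsed = parse_rules(SAMPLE_RULES)
    print("as shipped:  ", apply_policy(parsed))
    print("-I security: ", apply_policy(parsed, "security"))
    print("no policy metadata, disabled by any -I:", rules_without_policy_metadata(parsed))
```

Run as shown, the model reproduces the two outcomes discussed in the thread: with no `-I`, the rules load in their shipped state (so the ET rule and the uncommented VRT rules are on), while `-I security` turns on every rule tagged `security-ips`, including one that shipped commented out, and turns off the ET rule because it has no policy metadata to match. The real pulledpork.pl also applies enablesid/disablesid/modifysid files after this step, which is the usual way to re-enable the ET set when a policy is selected; that ordering is not modelled here.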

 

From: Marcin Dulak [mailto:marcin.dulak () gmail com] 
Sent: Friday, December 2, 2016 10:32 PM
To: Joel Esler (jesler) <jesler () cisco com>
Cc: James Lay <jlay () slave-tothe-box net>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

 

snortrules-snapshot.tar.gz

 

On Sat, Dec 3, 2016 at 4:30 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:

"snort-snapshot.tar.gz" alone should work, pulledpork will guess the version based on the snort version installed:
https://github.com/shirkdog/pulledpork/blob/06177884f0c8ccb94c8fccdc0fa2a4206b4b6549/pulledpork.pl#L1977

Marcin

 

On Fri, Dec 2, 2016 at 10:41 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Correct. 

 

--

Joel Esler | Talos: Manager | jesler () cisco com

On Dec 2, 2016, at 3:44 PM, James Lay <jlay () slave-tothe-box net> wrote:

 

I think your snort-snapshot file needs to have a version number, not 
just "snort-snapshot.tar.gz" if I'm not mistaken.

James

On 2016-12-02 13:35, Keith Pachulski wrote:



Thanks guys. I'll give this a shot and see what happens, will post an
update later. Stuck in a meeting and laptop battery just died.

On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk" <shirkdog.bsd () gmail com> wrote:

If it does not work, run the latest pulledpork with -vvv to see where
things are at, and post it as an issue on the GitHub repo.

The Snort policy is a special case, but without using -l, all SIG's
should be processed and loaded up, as this is how it works for me.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 2, 2016 3:22 PM, "Keith Pachulski" <keith.pachulski () healthnetworklabs com> wrote:




For giggles' sake I reran it as: /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf -I security

HUP'd snort... waiting to see what happens... so far just ET sigs and
preprocessors again

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Friday, December 02, 2016 3:06 PM
To: Y M
Cc: Keith Pachulski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

Is that intentional?  I thought the default behavior without policy
specification is “as is, shipped”.  If not, we should fix that
(It’s been awhile since I’ve actually _used_ pulledpork)

--

Joel Esler | Talos: Manager | jesler () cisco com




On Dec 2, 2016, at 2:52 PM, Y M <snort () outlook com> wrote:

The PulledPork command does not specify any rules policy
(connectivity, balanced, security) to allow PulledPork to enable the
rules.

Try running PulledPork with -I <policy>.

Keep in mind that this may mess up your ET rules enablement since
ET rules do not contain rules policy metadata.

YM

On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski" <keith.pachulski () healthnetworklabs com> wrote:

Pulledpork Cronjob

0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf

Pulledpork Config

rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/home/snort/rules/snort.rules
local_rules=/home/snort/rules/local.rules
sid_msg=/home/snort/rules/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/home/snort/rules/pullpork-sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/home/snort/rules/snort.conf
distro=Ubuntu-12-04
black_list=/home/snort/rules/black_list.rules
IPRVersion=/home/snort/rules/iplists

This message (including any attachments) is intended only for the
use of the individual or entity to which it is addressed and may
contain information that is non-public, proprietary, privileged,
confidential, and exempt from disclosure under applicable law or
may constitute as attorney work product. If you are not the
intended recipient, you are hereby notified that any use,
dissemination, distribution, or copying of this communication is
strictly prohibited. If you have received this communication in
error, notify us immediately by telephone and (i) destroy this
message if a facsimile or (ii) delete this message immediately if
this is an electronic communication.



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!






 



 

 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
