Snort mailing list archives
Re: [Snort-users] snort and snort-rules/ET alerts
From: "Michael Steele" <michaels () winsnort com>
Date: Sat, 3 Dec 2016 09:06:26 -0500
PulledPork will pull the version of Snort, unless you are using Windows, and then you need to make SURE the version is updated in PulledPork.conf with every new version of the rules that are released. There should be some ingenious way for PulledPork to pull the version of Snort using Windows. This may take a collaboration between the Snort development team and the PulledPork programmer.

Kindest regards,
Michael...

WINSNORT.com Management
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

From: Marcin Dulak [mailto:marcin.dulak () gmail com]
Sent: Friday, December 2, 2016 10:32 PM
To: Joel Esler (jesler) <jesler () cisco com>
Cc: James Lay <jlay () slave-tothe-box net>; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

snortrules-snapshot.tar.gz

On Sat, Dec 3, 2016 at 4:30 AM, Marcin Dulak <marcin.dulak () gmail com> wrote:

"snort-snapshot.tar.gz" alone should work, pulledpork will guess the version based on the snort version installed:
https://github.com/shirkdog/pulledpork/blob/06177884f0c8ccb94c8fccdc0fa2a4206b4b6549/pulledpork.pl#L1977

Marcin

On Fri, Dec 2, 2016 at 10:41 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Correct.

--
Joel Esler | Talos: Manager | jesler () cisco com

On Dec 2, 2016, at 3:44 PM, James Lay <jlay () slave-tothe-box net> wrote:

I think your snort-snapshot file needs to have a version number, not just "snort-snapshot.tar.gz" if I'm not mistaken.

James

On 2016-12-02 13:35, Keith Pachulski wrote:

Thanks guys. I'll give this a shot and see what happens, will post an update later. Stuck in a meeting and laptop battery just died.

On Fri, Dec 2, 2016 at 3:28 PM -0500, "Michael Shirk" <shirkdog.bsd () gmail com> wrote:

If it does not work, run the latest pulledpork with -vvv to see where things are at, and post it as an issue on the GitHub repo. The Snort policy is a special case, but without using -I, all SIGs should be processed and loaded up, as this is how it works for me.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 2, 2016 3:22 PM, "Keith Pachulski" <keith.pachulski () healthnetworklabs com> wrote:

For giggles sake I reran it as:

/home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf -I security

HUP’d snort.. waiting to see what happens.. so far just ET sigs and preprocessors again

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Friday, December 02, 2016 3:06 PM
To: Y M
Cc: Keith Pachulski; snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

Is that intentional? I thought the default behavior without policy specification is “as is, shipped”. If not, we should fix that (It’s been awhile since I’ve actually _used_ pulledpork)

--
Joel Esler | Talos: Manager | jesler () cisco com

On Dec 2, 2016, at 2:52 PM, Y M <snort () outlook com> wrote:

The PulledPork command does not specify any rules policy (connectivity, balanced, security) to allow PulledPork to enable the rules. Try running PulledPork with -I <policy>. Keep in mind that this may mess up your ET rules enablement since ET rules do not contain rules policy metadata.

YM

On Fri, Dec 2, 2016 at 10:47 PM +0300, "Keith Pachulski" <keith.pachulski () healthnetworklabs com> wrote:

Pulledpork Cronjob

0 0 * * * /home/snort/pulledpork/pulledpork.pl -c /home/snort/pulledpork/etc/pulledpork.conf

Pulledpork Config

rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/home/snort/rules/snort.rules
local_rules=/home/snort/rules/local.rules
sid_msg=/home/snort/rules/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/home/snort/rules/pullpork-sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/home/snort/rules/snort.conf
distro=Ubuntu-12-04
black_list=/home/snort/rules/black_list.rules
IPRVersion=/home/snort/rules/iplists

This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
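The thread turns on whether the snortrules-snapshot filename in pulledpork.conf carries a version: Marcin notes that PulledPork guesses it from the installed Snort on Unix, while Michael Steele points out that Windows users must pin it by hand and keep it current. The script below is an added audit check written for this page; it is not PulledPork's own code. It assumes the snort.org tarball naming convention snortrules-snapshot-<digits>.tar.gz (2983 for Snort 2.9.8.3) and the "Version X.Y.Z.W" line in the `snort -V` banner; the config text and banner embedded in it are constructed samples modelled on the config quoted in the thread, not captured from a real host.

```python
"""Audit pulledpork.conf rule_url entries against the installed Snort version.

Added example for this thread, not PulledPork code. Assumptions: the
snort.org tarball name is snortrules-snapshot-<digits>.tar.gz (digits are
the Snort version with the dots removed), and `snort -V` prints a line
containing "Version X.Y.Z.W". SAMPLE_CONF and SAMPLE_SNORT_V are
constructed samples.
"""
import re
import subprocess
from typing import List, Optional, Tuple

# Constructed sample modelled on the config quoted in the thread, with one
# extra, deliberately stale pinned entry to show the mismatch case.
SAMPLE_CONF = """\
# pulledpork.conf (constructed sample)
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|
rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=https://www.snort.org/rules/|snortrules-snapshot-2982.tar.gz|
snort_path=/usr/local/bin/snort
"""

# Constructed sample of the banner `snort -V` prints.
SAMPLE_SNORT_V = """\
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team
"""

RULE_URL_RE = re.compile(r"^\s*rule_url\s*=\s*(.+?)\s*$", re.M)
SNAPSHOT_RE = re.compile(r"^snortrules-snapshot(?:-(\d+))?\.tar\.gz$")
VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)+)")


def parse_rule_urls(conf_text: str) -> List[Tuple[str, str, str]]:
    """Return (base_url, filename, oinkcode) for every rule_url line.

    PulledPork separates the three fields with '|'; a trailing empty
    oinkcode (as in the thread's config) yields ''.
    """
    entries = []
    for raw in RULE_URL_RE.findall(conf_text):
        parts = raw.split("|")
        if len(parts) < 2:
            continue  # malformed line: no filename field to check
        oinkcode = parts[2] if len(parts) > 2 else ""
        entries.append((parts[0], parts[1], oinkcode))
    return entries


def snort_version_from_output(text: str) -> Optional[str]:
    """Extract '2.9.8.3' from the `snort -V` banner, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def snapshot_digits(version: str) -> str:
    """'2.9.8.3' -> '2983', the suffix used in the tarball name."""
    return version.replace(".", "")


def audit_snapshots(conf_text: str, snort_v_output: str) -> List[dict]:
    """Classify each snortrules-snapshot entry as versionless, match or mismatch."""
    version = snort_version_from_output(snort_v_output)
    expected = snapshot_digits(version) if version else None
    findings = []
    for _base, filename, _oink in parse_rule_urls(conf_text):
        m = SNAPSHOT_RE.match(filename)
        if not m:
            continue  # not a Talos ruleset tarball (e.g. IPBLACKLIST)
        pinned = m.group(1)
        if pinned is None:
            status = "versionless"  # PulledPork guesses from the installed Snort
        elif expected is None:
            status = "unknown-snort-version"  # banner unparsable; cannot compare
        elif pinned == expected:
            status = "match"
        else:
            status = "mismatch"  # stale pin: rules built for a different Snort
        findings.append({"filename": filename, "pinned": pinned,
                         "expected": expected, "status": status})
    return findings


def read_snort_version(snort_path: str) -> Optional[str]:
    """Run the real binary; Snort writes its banner to stderr, so read both."""
    out = subprocess.run([snort_path, "-V"], capture_output=True, text=True)
    return snort_version_from_output(out.stdout + out.stderr)


if __name__ == "__main__":
    for f in audit_snapshots(SAMPLE_CONF, SAMPLE_SNORT_V):
        print(f"{f['filename']}: {f['status']} "
              f"(pinned={f['pinned']}, expected={f['expected']})")
```

On a live sensor, replace SAMPLE_SNORT_V with the output of read_snort_version() on the snort_path from pulledpork.conf and run the audit from the same cron job that invokes PulledPork; a "mismatch" finding is the condition Michael Steele describes, where the pinned tarball lags the installed Snort and the shared-object rules no longer correspond to the running binary.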
Current thread:
- Re: snort and snort-rules/ET alerts, (continued)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts Y M (Dec 02)
- Re: snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 02)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts Michael Shirk (Dec 02)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Re: snort and snort-rules/ET alerts James Lay (Dec 02)
- Re: snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 02)
- Re: snort and snort-rules/ET alerts Marcin Dulak (Dec 02)
- Re: snort and snort-rules/ET alerts Marcin Dulak (Dec 02)
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Steele (Dec 03)
- Message not available
- Message not available
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Steele (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Shirk (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 03)
- Re: [Snort-users] snort and snort-rules/ET alerts Michael Steele (Dec 03)
- Re: snort and snort-rules/ET alerts Keith Pachulski (Dec 02)
- Message not available
- Re: [Snort-users] snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 03)
- Message not available
- Re: [Snort-users] snort and snort-rules/ET alerts Joel Esler (jesler) (Dec 04)
- Re: snort and snort-rules/ET alerts Y M (Dec 02)
- Re: snort and snort-rules/ET alerts Y M (Dec 02)