Re: [Snort-users] snort and snort-rules/ET alerts

["Michael Steele" <michaels () winsnort com>]

I believe PP uses 'uname' to pull the Snort version, and it's not Windows
compatible.

Kindest regards,
Michael...

-----Original Message-----
From: Joel Esler (jesler) [mailto:jesler () cisco com] 
Sent: Saturday, December 3, 2016 1:19 PM
To: Michael Steele <michaels () winsnort com>
Cc: wkitty42 () windstream net; Michael Shirk <shirkdog.bsd () gmail com>;
snort-devel () lists sourceforge net
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

Pulledpork does do this automatically, but I am not sure if it does it on
the Windows platform.  

--
Sent from my iPhone

> On Dec 3, 2016, at 12:17 PM, Michael Steele <michaels () winsnort com> wrote:
>
> I think the primary objective is to get PP to be all inclusive, and 
> cross platform compatible.
>
> I'm sure there is a solution that works under both platforms, but it 
> may take the development team to include a specific output switch to 
> display version only output (x.x.x.x), which would simplify the process.
>
> PP seems to be pretty popular, so maybe they would be open to 
> including something like that?
>
> However, anything that works will do because there are those that 
> update Snort and forget to change the snort_version in the 
> pulledpork.conf every time there is a version change.
>
> -----Original Message-----
> From: Joel Esler (jesler) [mailto:jesler () cisco com]
> Sent: Saturday, December 3, 2016 10:48 AM
> To: wkitty42 () windstream net
> Cc: Michael Steele <michaels () winsnort com>; Michael Shirk 
> <shirkdog.bsd () gmail com>
> Subject: Re: [Snort-users] snort and snort-rules/ET alerts
>
> That'd be a great faq
>
> --
> Sent from my iPhone
>
> > On Dec 3, 2016, at 10:32 AM, "wkitty42 () windstream net"
> <wkitty42 () windstream net> wrote:
> > *OFF LIST*
> >
> >
> > > On 12/03/2016 09:06 AM, Michael Steele wrote:
> > > There should be some ingenious way for PulledPork to pull the 
> > > version of Snort using Windows. This may take a collaboration 
> > > between the Snort development team and the PulledPork programmer.
> >
> >
> > in one of my linux apps that interfaces with snort, we simply do a 
> > "snort
> -V" and redirect the output for parsing... when we parse the output, 
> we specifically look for the line that has "Version" in it and pull 
> the version information from it...
> > ===== snip snortvertest.pl =====
> > #!/usr/bin/perl
> >
> > print "Snort version from 'snort -V' :\n"; 
> > open(MY_INPUT,"/usr/bin/snort -V 2>&1 |");
> > while(<MY_INPUT>) {
> >   chomp;
> >   if (/Version\s+(.*)/) {
> >       ($display_version, $sub1, $sub2, $sub3, $sub4) = split(/ /,$1);
> >       $snort_version = "$display_version";
> >       $snort_version =~ s/\.//g;
> >   }
> > }
> > close(MY_INPUT);
> >
> > # so far VRT/Talos hasn't used snort subversion numbers larger than # 
> > single digits so this should work fine for the foreseeable future.
> > # basically they seem to be numbering as [0-9]\.[0-9]\.[0-9]\.[0-9]...
> > # in the above we set $snort_version the same as what we grabbed as # 
> > $display_version... then we simply sed'ed out the dots to get a # raw 
> > numerical representation of the version... there must be # trailing 
> > zeros added to the version number for the url of the # VRT/Talos 
> > rules snapshots... trailing zeros which seem to be left # out when a 
> > version update is made and the new version number # generated.
> > # eg: 2.9   != 2.9.0.0
> > #     2.9.8 != 2.9.8.0
> > while (length($snort_version) < 4) {
> >   $snort_version .= '0';
> > }
> >
> > print "$display_version => $snort_version\n";
> >
> > my $VRT_file = "snortrules-snapshot-$snort_version.tar.gz";
> >
> > my %snortsettings;
> > &readhash("${somepath}/snort/settings", \%snortsettings); my $url = 
> > "https://www.snort.org/rules/$VRT_file?oinkcode=$snortsettings{'OINK&apos;
> > }
> > ";
> >
> > print "Request url: $url\n";
> > ===== snip =====
> >
> >
> > the output looks something like this...
> >
> > ===== snip =====
> > Snort version from 'snort -V' :
> > 2.9.8.3 => 2983
> > Request url: 
> > https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=
> > b
> > lahblahblahblahblahblahblah
> > ===== snip =====
> >
> >
> > granted, the above is on linux but the snort output should be able to 
> > be
> redirected to a temp text file in winwhatever and parsed with similar 
> code... as we've never messed with snort on winwhatever, we can only 
> assume that the output of the version option is plain text to a terminal
screen...
> if that is the case, the above piping method or using a temp text file 
> should work...
> > there is a settings file with some options in it... the oinkcode 
> > being the most important one... is it saved in the file as
> >
> > OINK=blahblahblahblahblahblahblah
> >
> > we have our own readhash procedure which loads the settings from the 
> > file... as you can see, the oinkcode is used directly in the url...
> > since this is a testing script, some assumptions are made and error 
> > checks like making sure there is something in the oinkcode field 
> > should be done before assuming such ;)


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!