Snort mailing list archives
Re: Misses with Pulledpork
From: "Joel Esler \(jesler\) via Snort-users" <snort-users () lists snort org>
Date: Thu, 5 Sep 2019 18:38:57 +0000
Absolutely. It rarely changes (don’t remember the last time it changed matter of fact). Sent from my iPad
On Sep 5, 2019, at 13:56, James Lay via Snort-users <snort-users () lists snort org> wrote:

So after digging in, looks like the preprocessor rules are all pulled into the snort.rules file proper, which explains old rules in preproc_rules. The only other item is gen-msg.map isn't updated, isn't in the snort rules tarball, and is only found in the snort source tarball, so going forward that's a file to remember to install on upgrading. Thanks all!

James

On 2019-09-04 11:00, James Lay via Snort-users wrote:

Here we go!!!! So ok....after the events of last Friday it was time to revisit exactly how/what pulledpork updates; test environment, minimal pulledpork.conf and snort.conf designed just for testing updates (NOT FOR ACTUAL IDS/IPS USAGE).

I prefer to keep most compiled apps in /opt so here's the config line for 2.9.14.1:

./configure --prefix=/opt/snort --disable-open-appid --enable-sourcefire --enable-non-ether-decoders

snort.conf
###################################################################
var CONF_PATH /opt/snort/etc
var RULE_PATH /opt/snort/etc/rules
var LIB_PATH /opt/snort/lib
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists
dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /opt/snort/lib/snort_dynamicrules
include /opt/snort/etc/classification.config
include /opt/snort/etc/reference.config
output alert_fast: /opt/snort/var/log/snort.fast
include $RULE_PATH/snort.rules
###################################################################

pulledpork.conf:
###################################################################
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-.tar.gz|xxxxxxxxxxxxxxxxxxxxxxxxx
rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|xxxxxxxxxxxxxxxxx
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/opt/snort/etc/rules/snort.rules
local_rules=/opt/snort/etc/rules/local.rules
sid_msg=/opt/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/snort/lib/snort_dynamicrules
snort_path=/opt/bin/snort
config_path=/opt/snort/etc/snort.conf
distro=Ubuntu-18-4
black_list=/opt/snort/etc/rules/iplists/black_list.rules
IPRVersion=/opt/snort/etc/rules/iplists
version=0.7.4
###################################################################

Some notes for the above: you MUST have the directories for sorule_path 100% correct and matching for your stub rules to update. Also mind the distro= line and make sure it's not wildly off. If either of the previous are the case, Pulledpork will silently skip over so rules when these aren't correct....those of you having so rules issues double check these....every time I think these aren't the reason they uh.....are the reason.

Yesterday after a pulledpork update run I did a mass touch of my entire snort directory, timestamping it for Sep 3rd. Today I've run the below:

/opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf

first up, dynamic rules:
drwxr-xr-x 2 root root 4096 Sep 4 16:46 /opt/snort/lib/snort_dynamicrules
total 11432
-rwxr-xr-x 1 root root 73960 Aug 29 16:24 browser-chrome.so
stubs were generated, directory timestamp shows that, also pulledpork run reflects this:
Generating Stub Rules.... Done

next, sid-msg.map:
-rw-r--r-- 1 root root 13187819 Sep 4 16:46 sid-msg.map
updated....expected.

next, snort.rules:
-rw-r--r-- 1 root root 56614387 Sep 4 16:46 snort.rules
updated...expected.

next preproc_rules:
drwxr-xr-x 2 root root 4096 Sep 3 20:42 preproc_rules
-rw------- 1 root root 18748 Sep 3 20:42 decoder.rules
-rw------- 1 root root 36577 Sep 3 20:42 preprocessor.rules
-rw------- 1 root root 1309 Sep 3 20:42 sensitive-data.rules
these are a miss...indeed checking some systems I've had running for years I see the same files with a timestamp of 2011(!!!). Either pulledpork will want to incorporate these in, or we'll have to roll our own.

lastly, gen-msg.map:
-rw-r--r-- 1 root root 29805 Sep 3 20:42 gen-msg.map
a miss as well, so again...either pulledpork will want to incorporate this as well, or we'll have to roll our own.

So there we go....unless I've missed something my update process has been missing a few things for the past...oh.....13 years? Thank you....comments and corrections always welcome as I usually end up screwing something up :)

James

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
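The "mass touch, run the update, then eyeball the timestamps" method James uses above is easy to turn into a repeatable post-update check. The POSIX sh script below is an added example, not code from this thread or from PulledPork: it assumes you touch a marker file immediately before running pulledpork.pl, and afterwards it compares each artefact the thread discusses (the stub-rule directory, sid-msg.map, snort.rules, gen-msg.map and preproc_rules/*.rules) against that marker, flagging anything that was not rewritten. The /opt/snort layout and the demo fixture (all files stamped Sep 3, only three of them refreshed on Sep 4, reproducing the result reported in the thread) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PulledPork's or the thread's own code): after a PulledPork
# run, report which Snort rule artefacts were actually refreshed.
# Assumed workflow: `touch MARKER` right before the update, then run
# `check_artifacts MARKER PATH...` afterwards. Paths follow the /opt/snort
# layout in the thread's snort.conf; adjust them for your install.

# check_artifacts MARKER PATH...
# Prints one line per path and returns the number of paths that are missing
# or not newer than the marker (0 means every artefact was refreshed).
check_artifacts() {
    marker="$1"; shift
    stale=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; stale=$((stale + 1))
        elif [ "$f" -nt "$marker" ]; then   # -nt: mtime newer than marker
            echo "updated $f"
        else
            echo "STALE   $f"; stale=$((stale + 1))
        fi
    done
    return "$stale"
}

# demo: constructed fixture reproducing the thread's observation. Everything is
# stamped Sep 3 (the mass touch); the "update" then rewrites only snort.rules,
# sid-msg.map and the stub-rule directory. Returns the stale count (4 expected:
# gen-msg.map plus the three preproc_rules files).
demo() {
    base=$(mktemp -d) || return 99
    etc="$base/etc"; lib="$base/lib/snort_dynamicrules"
    mkdir -p "$etc/rules/preproc_rules" "$lib"
    for f in "$etc/rules/snort.rules" "$etc/sid-msg.map" "$etc/gen-msg.map" \
             "$etc/rules/preproc_rules/decoder.rules" \
             "$etc/rules/preproc_rules/preprocessor.rules" \
             "$etc/rules/preproc_rules/sensitive-data.rules" \
             "$lib/browser-chrome.so"; do
        : > "$f"; touch -t 201909032042 "$f"
    done
    touch -t 201909032042 "$lib"            # the mass touch covers directories too
    marker="$base/.pulledpork-before"
    touch -t 201909040000 "$marker"         # marker set just before the update run
    # simulate the update: stubs regenerated, sid-msg.map and snort.rules rewritten
    touch -t 201909041646 "$lib" "$etc/sid-msg.map" "$etc/rules/snort.rules"
    rc=0
    check_artifacts "$marker" "$lib" "$etc/sid-msg.map" "$etc/rules/snort.rules" \
        "$etc/gen-msg.map" "$etc/rules/preproc_rules"/*.rules || rc=$?
    rm -rf "$base"
    return "$rc"
}

# Run `sh thisscript.sh --demo` to see the report for the constructed fixture.
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In real use the call is `touch /opt/snort/.pulledpork-before`, then the pulledpork.pl command from the thread, then `check_artifacts /opt/snort/.pulledpork-before /opt/snort/lib/snort_dynamicrules /opt/snort/etc/sid-msg.map /opt/snort/etc/rules/snort.rules /opt/snort/etc/gen-msg.map /opt/snort/etc/rules/preproc_rules/*.rules`; a nonzero exit status from a cron job is then a cheap alert that the sensor is loading stale rule or map files. Because the thread establishes that gen-msg.map only ships in the Snort source tarball, a STALE line for it after a Snort upgrade is the reminder to reinstall that file by hand.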