Snort mailing list archives
Re: Misses with Pulledpork
From: James Lay via Snort-users <snort-users () lists snort org>
Date: Thu, 05 Sep 2019 14:09:52 -0600
Odd....also of note, from the screenshots from my initial email (see https://lists.snort.org/pipermail/snort-users/2019-August/072706.html everyone), that stream when manually run through snort no longer fires: https://lists.snort.org/pipermail/snort-users/attachments/20190830/002b3eb3/attachment-0001.png
It's a wacky world we live in!

James

On 2019-09-05 13:52, Joel Esler (jesler) wrote:
Interesting. The Stream code should interpret mid-stream pickups correctly.

Sent from my iPad

On Sep 5, 2019, at 15:25, James Lay <jlay () slave-tothe-box net> wrote:

Thanks Joel. As a side note I re-enabled gen_id 129, sig_id 20 the TCP 3 way handshake rule, and now no issues. The cause? I suspect that tcp sessions that started before snort was restarted with the new rules, and then generated traffic caused these to fire off...which...makes sense really. Thank you!

James

On 2019-09-05 12:39, Joel Esler (jesler) wrote:

Whoops, hit send too fast. Sorry all. We decided that gen-msg.map should only ship with the Snort tarball, as it wasn't going to change outside of that.

Sent from my iPad

Absolutely. It rarely changes (don't remember the last time it changed matter of fact).

On Sep 5, 2019, at 14:38, jesler () cisco com wrote:

Sent from my iPad

On Sep 5, 2019, at 13:56, James Lay via Snort-users <snort-users () lists snort org> wrote:

So after digging in, looks like the preprocessor rules are all pulled into the snort.rules file proper, which explains old rules in preproc_rules. The only other item is gen-msg.map isn't updated, isn't in the snort rules tarball, and is only found in the snort source tarball, so going forward that's a file to remember to install on upgrading. Thanks all!

James

On 2019-09-04 11:00, James Lay via Snort-users wrote:

Here we go!!!! So ok....after the events of last Friday it was time to revisit exactly how/what pulledpork updates; test environment, minimal pulledpork.conf and snort.conf designed just for testing updates (NOT FOR ACTUAL IDS/IPS USAGE).
I prefer to keep most compiled apps in /opt so here's the config line for 2.9.14.1:

    ./configure --prefix=/opt/snort --disable-open-appid --enable-sourcefire --enable-non-ether-decoders

snort.conf:
###################################################################
var CONF_PATH /opt/snort/etc
var RULE_PATH /opt/snort/etc/rules
var LIB_PATH /opt/snort/lib
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists
dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /opt/snort/lib/snort_dynamicrules
include /opt/snort/etc/classification.config
include /opt/snort/etc/reference.config
output alert_fast: /opt/snort/var/log/snort.fast
include $RULE_PATH/snort.rules
###################################################################

pulledpork.conf:
###################################################################
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-.tar.gz|xxxxxxxxxxxxxxxxxxxxxxxxx
rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|xxxxxxxxxxxxxxxxx
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/opt/snort/etc/rules/snort.rules
local_rules=/opt/snort/etc/rules/local.rules
sid_msg=/opt/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/snort/lib/snort_dynamicrules
snort_path=/opt/bin/snort
config_path=/opt/snort/etc/snort.conf
distro=Ubuntu-18-4
black_list=/opt/snort/etc/rules/iplists/black_list.rules
IPRVersion=/opt/snort/etc/rules/iplists
version=0.7.4
###################################################################

Some notes for the above: you MUST have the directories for sorule_path 100% correct and matching for your stub rules to update. Also mind the distro= line and make sure it's not wildly off.
If either of the previous are the case, Pulledpork will silently skip over so rules when these aren't correct....those of you having so rules issues double check these....every time I think these aren't the reason they uh.....are the reason.

Yesterday after a pulledpork update run I did a mass touch of my entire snort directory, timestamping it for Sep 3rd. Today I've run the below:

    /opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf

First up, dynamic rules:

    drwxr-xr-x 2 root root 4096 Sep 4 16:46 /opt/snort/lib/snort_dynamicrules
    total 11432
    -rwxr-xr-x 1 root root 73960 Aug 29 16:24 browser-chrome.so

Stubs were generated, directory timestamp shows that, also pulledpork run reflects this:

    Generating Stub Rules....
    Done

Next, sid-msg.map:

    -rw-r--r-- 1 root root 13187819 Sep 4 16:46 sid-msg.map

updated....expected.

Next, snort.rules:

    -rw-r--r-- 1 root root 56614387 Sep 4 16:46 snort.rules

updated...expected.

Next preproc_rules:

    drwxr-xr-x 2 root root 4096 Sep 3 20:42 preproc_rules
    -rw------- 1 root root 18748 Sep 3 20:42 decoder.rules
    -rw------- 1 root root 36577 Sep 3 20:42 preprocessor.rules
    -rw------- 1 root root 1309 Sep 3 20:42 sensitive-data.rules

These are a miss...indeed checking some systems I've had running for years I see the same files with a timestamp of 2011(!!!). Either pulledpork will want to incorporate these in, or we'll have to roll our own.

Lastly, gen-msg.map:

    -rw-r--r-- 1 root root 29805 Sep 3 20:42 gen-msg.map

A miss as well, so again...either pulledpork will want to incorporate this as well, or we'll have to roll our own.

So there we go....unless I've missed something my update process has been missing a few things for the past...oh.....13 years?
Thank you....comments and corrections always welcome as I usually end up screwing something up :)

James

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
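The update audit James walks through above (touch the tree before the PulledPork run, then compare timestamps on snort.rules, sid-msg.map, gen-msg.map, the preproc_rules files and the .so stub directory afterwards) is the kind of check worth keeping as a script, because the misses he found had gone unnoticed for years. The script below is an added example, not code from the thread, from PulledPork or from Snort. It assumes the /opt/snort layout from the posted snort.conf (override with SNORT_ETC and SNORT_LIB); the function names stale_rule_files, expected_rule_files and check_snort_update are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): after a PulledPork run, report which of
# the files the thread expects to be refreshed are still older than a marker
# file, or missing altogether. Paths follow the posted snort.conf; the
# SNORT_ETC / SNORT_LIB overrides are this example's own assumption.
SNORT_ETC="${SNORT_ETC:-/opt/snort/etc}"
SNORT_LIB="${SNORT_LIB:-/opt/snort/lib}"

# stale_rule_files MARKER PATH...
# Prints "STALE <path>" for every PATH whose mtime is not later than MARKER's
# and "MISSING <path>" for paths that do not exist. Returns 1 if anything was
# printed, 0 if every path is fresher than the marker.
stale_rule_files() {
    marker="$1"; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'MISSING %s\n' "$f"
            rc=1
        elif [ -z "$(find "$f" -prune -newer "$marker")" ]; then
            # find prints $f only when it was modified after the marker;
            # -prune keeps it from descending into the .so directory
            printf 'STALE   %s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# expected_rule_files: the set examined in the thread, one path per line.
# gen-msg.map and the preproc_rules files are the ones the thread found
# PulledPork does not touch, so they are the ones this will usually flag.
expected_rule_files() {
    cat <<EOF
$SNORT_ETC/rules/snort.rules
$SNORT_ETC/sid-msg.map
$SNORT_ETC/gen-msg.map
$SNORT_ETC/rules/preproc_rules/decoder.rules
$SNORT_ETC/rules/preproc_rules/preprocessor.rules
$SNORT_ETC/rules/preproc_rules/sensitive-data.rules
$SNORT_LIB/snort_dynamicrules
EOF
}

# check_snort_update MARKER: compare the expected set against MARKER.
# Mirrors the thread's procedure: create the marker (or touch the whole
# tree) before running pulledpork.pl, then call this afterwards.
check_snort_update() {
    marker="$1"
    # word-splitting is intended here; the expected paths contain no spaces
    # shellcheck disable=SC2046
    stale_rule_files "$marker" $(expected_rule_files)
}

# Usage:  touch /opt/snort/etc/.pp-marker ; pulledpork.pl ... ; sh thisscript.sh --marker /opt/snort/etc/.pp-marker
if [ "${1:-}" = "--marker" ] && [ -n "${2:-}" ]; then
    check_snort_update "$2"
fi
```

The exit status is non-zero whenever any expected file is stale or absent, so the script can sit at the end of a cron-driven update job and fail loudly instead of letting a never-updated gen-msg.map or preprocessor.rules go unnoticed. Note that the browser-chrome.so in the listing above carries an Aug 29 date while its directory is Sep 4; the directory mtime is what the thread used to confirm the stub run, which is why the .so directory rather than an individual .so is in the expected set.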