Snort mailing list archives

Re: PullePork SO Rules Management?


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Wed, 04 May 2011 16:32:25 +0000

On 5/4/2011 3:43 PM, JJC wrote:
> It updates the actual .so rules and then generates updated stubs to
> stick in the so_rules.rules file.

Hmm, it looks like if you specify a different version inside the 
pulledpork.conf file it doesn't extract/move the *.so rules into the 
snort_dynamicrules folder? We are using 2.9.0.5, but since there is no 
2.9.0.5 tarball for registered users, I think that may be causing the 
issue. Also, when this error occurs, pulledpork hangs at the "Generating 
sid-msg.map" portion forever until you hit enter, then it continues 
on. When we are running this command, there are no *.so files in the 
snort_dynamicrules/ directory. If I manually place them there and then 
run PulledPork, everything works as expected.

$ pulledpork.pl -c /nids/pulledpork/etc/pulledpork.conf

     http://code.google.com/p/pulledpork/
       _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
   @_/        /  66\_  cummingsj () gmail com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2904.tar.gz....
         They Match
         Done!
Prepping rules from snortrules-snapshot-2904.tar.gz for work....
         Done!
Checking latest MD5 for opensource.gz....
         They Match
         Done!
Prepping rules from opensource.gz for work....
         Done!
Checking latest MD5 for emerging.rules.tar.gz....
         They Match
         Done!
Prepping rules from emerging.rules.tar.gz for work....
         Done!
Reading rules...
Generating Stub Rules....
         An error occurred: Warning: No dynamic libraries found in 
directory /opt/bcs/packages/snort/lib/snort_dynamicrules!

         Done
Reading rules...
Reading rules...
Reading rules...
Processing /nids/pulledpork/etc/enablesid.conf....
         Modified 0 rules
         Done
Processing /nids/pulledpork/etc/dropsid.conf....
         Modified 0 rules
         Done
Processing /nids/pulledpork/etc/disablesid.conf....
         Modified 0 rules
         Done
Modifying Sids....
         Done!
Setting Flowbit State....
         Enabled 55 flowbits
         Enabled 31 flowbits
         Done
Writing /nids/snort/rules/snort.rules....
         Done
Writing /nids/snort/rules/so_rules.rules....
         Done
Generating sid-msg.map....

======= HANGS HERE INDEFINITELY UNTIL YOU HIT ENTER =======

         Done
Writing /nids/snort/etc/sid-msg.map....
         Done
Writing /nids/pulledpork/log/sid_changes.log....
         Done
Rule Stats....
         New:-------0
         Deleted:---0
         Enabled Rules:----13221
         Dropped Rules:----0
         Disabled Rules:---13745
         Total Rules:------26966
         Done
Please review /nids/pulledpork/log/sid_changes.log for additional details
Fly Piggy Fly!


pulledpork.conf:
==============================================================================
# Config file for pulledpork
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

ignore=<REDACTED>

temp_path=/nids/pulledpork/tmp
rule_path=/nids/snort/rules/snort.rules
local_rules=/nids/snort/rules/local.rules
sid_msg=/nids/snort/etc/sid-msg.map
sid_changelog=/nids/pulledpork/log/sid_changes.log
sorule_path=/opt/bcs/packages/snort/lib/snort_dynamicrules/
snort_path=/opt/bcs/bin/snort
config_path=/nids/snort/etc/snort_00.conf
sostub_path=/nids/snort/rules/so_rules.rules
distro=CentOS-5.4
snort_version=2.9.0.4

enablesid=/nids/pulledpork/etc/enablesid.conf
dropsid=/nids/pulledpork/etc/dropsid.conf
disablesid=/nids/pulledpork/etc/disablesid.conf
modifysid=/nids/pulledpork/etc/modifysid.conf

version=0.6.0
==============================================================================

$ snort --version

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
    ''''    By Martin Roesch & The Snort Team: 
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2011 Sourcefire, Inc., et al.
            Using libpcap version 1.1.1
            Using PCRE version: 8.02 2010-03-19
            Using ZLIB version: 1.2.3

$ more /etc/redhat-release
CentOS release 5.5 (Final)

$ ls -laFh /opt/bcs/packages/snort/lib/snort_dynamicrules/
total 8.0K
drwxr-xr-x 2 root root 4.0K May  4 11:46 ./
drwxr-xr-x 6 root root 4.0K May  3 17:37 ../


---SNIP---
elsif ($Sorules
&& $filename =~
             /^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\/.*\.so/
&& -d $Sorules
&& !$Textonly )
         {
             $singlefile =~
               s/^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\///;
             $tar->extract_file( $filename, $Sorules . $singlefile );
             print "\tExtracted: $Sorules$singlefile\n"
               if ( $Verbose && !$Quiet );
         }
---SNIP---

Best I can tell, we should be pulling from 
so_rules/precompiled/CentOS-5.4/x86-64/2.9.0.4 because the following are 
defined in pulledpork.conf. Here is the -v output:

MISC (CLI and Autovar) Variable Debug:
         arch Def is: x86-64
         Config Path is: /nids/pulledpork/etc/pulledpork.conf
         Distro Def is: CentOS-5.4
         Disabled policy specified
         local.rules path is: /nids/snort/rules/local.rules
         Rules file is: /nids/snort/rules/snort.rules
         Path to disablesid file: /nids/pulledpork/etc/disablesid.conf
         Path to dropsid file: /nids/pulledpork/etc/dropsid.conf
         Path to enablesid file: /nids/pulledpork/etc/enablesid.conf
         Path to modifysid file: /nids/pulledpork/etc/modifysid.conf
         sid changes will be logged to: /nids/pulledpork/log/sid_changes.log
         sid-msg.map Output Path is: /nids/snort/etc/sid-msg.map
         Snort Version is: 2.9.0.4
         Snort Config File: /nids/snort/etc/snort_00.conf
         Snort Path is: /opt/bcs/bin/snort
         SO Output Path is: /opt/bcs/packages/snort/lib/snort_dynamicrules/
         SO Stub File is: /nids/snort/rules/so_rules.rules


Something else: the version strings in 0.6.1 don't match up. The 
config file that ships with PulledPork still says 0.6.0, and if you 
update it to the current version, 0.6.1, this happens:

$ pulledpork.pl -v -c /nids/pulledpork/etc/pulledpork.conf

     http://code.google.com/p/pulledpork/
       _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
   @_/        /  66\_  cummingsj () gmail com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---SNIP----
         version = 0.6.1
---SNIP----

You are not using the current version of pulledpork.conf!
Please use the version that shipped with PulledPork v0.6.1 the Smoking 
Pig <////~!



Fix is to just change this stuff:

From pulledpork.pl:
my $VERSION = "PulledPork v0.6.1 the Smoking Pig <////~";
To:
my $VERSION = "0.6.1";

From pulledpork.pl:
       if $Config_info{'version'} ne "0.6.0";
To:
       if $Config_info{'version'} ne $VERSION;

From pulledpork.pl:
--- SNIP ---
sub pulledpork {
...
       `--==\\\\  /     $VERSION
...
}
--- SNIP ---

To:
       `--==\\\\  /     PulledPork: $VERSION


-- Eoin
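The post above narrows the missing-.so problem to the extraction branch in pulledpork.pl, which only pulls members whose path is so_rules/precompiled/<distro>/<arch>/<snort_version>/*.so, so a snort_version in pulledpork.conf that the tarball does not ship (or a distro/arch spelled differently) silently extracts nothing. The script below is an added diagnostic, not PulledPork's own code: it reproduces that member-name check against a snapshot tarball's file list and, when nothing matches, reports which distro/arch/version directories the tarball actually contains. The tarball it builds in build_sample_tarball() is constructed sample data (the member names, including the Ubuntu directory, are assumptions for the demonstration, not a real snapshot listing); the snapshot path used in the usage note is likewise an assumption.

```python
"""Diagnose why PulledPork extracted no precompiled SO rules.

Added example, not PulledPork code. It applies the same path pattern the
pulledpork.pl snippet uses (so_rules/precompiled/<distro>/<arch>/<snort_version>/*.so)
to a tarball's member list and, on a miss, lists the combinations that
are really present. The tarball built here is constructed sample data.
"""
import io
import re
import tarfile

# Any precompiled SO rule, capturing the three path components that
# PulledPork substitutes from pulledpork.conf (distro, arch, snort_version).
PRECOMPILED_RE = re.compile(
    r"^so_rules/precompiled/([^/]+)/([^/]+)/([^/]+)/[^/]+\.so$")


def read_members(path=None, fileobj=None):
    """Return the regular-file member names of a .tar.gz snapshot."""
    with tarfile.open(name=path, fileobj=fileobj, mode="r:gz") as tar:
        return [ti.name for ti in tar.getmembers() if ti.isfile()]


def find_so_rules(members, distro, arch, snort_version):
    """Member names PulledPork would extract for this distro/arch/version.

    The values are re.escape()d so the dots in a version such as 2.9.0.4
    match literally rather than as regex wildcards.
    """
    pat = re.compile(r"^so_rules/precompiled/%s/%s/%s/[^/]+\.so$" % (
        re.escape(distro), re.escape(arch), re.escape(snort_version)))
    return sorted(m for m in members if pat.match(m))


def available_targets(members):
    """Sorted (distro, arch, snort_version) triples that carry .so files."""
    found = set()
    for m in members:
        match = PRECOMPILED_RE.match(m)
        if match:
            found.add(match.groups())
    return sorted(found)


def diagnose(members, distro, arch, snort_version):
    """Return what matched and, on a miss, the same distro/arch at other versions."""
    matched = find_so_rules(members, distro, arch, snort_version)
    if matched:
        return {"matched": matched, "alternatives": []}
    alternatives = [t for t in available_targets(members)
                    if t[0] == distro and t[1] == arch]
    return {"matched": [], "alternatives": alternatives}


def build_sample_tarball():
    """Constructed sample snapshot: CentOS-5.4/x86-64 ships 2.9.0.4 only."""
    names = [
        "rules/web-misc.rules",
        "so_rules/precompiled/CentOS-5.4/x86-64/2.9.0.4/bad-traffic.so",
        "so_rules/precompiled/CentOS-5.4/x86-64/2.9.0.4/web-misc.so",
        "so_rules/precompiled/CentOS-5.4/i386/2.9.0.4/bad-traffic.so",
        "so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.0.4/bad-traffic.so",
        "so_rules/precompiled/CentOS-5.4/x86-64/2.9.0.4/README.txt",
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in names:
            data = b"placeholder\n"  # placeholder bytes, not a real shared object
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    members = read_members(fileobj=build_sample_tarball())
    # The situation in the post: pulledpork.conf says 2.9.0.4, Snort is 2.9.0.5.
    for version in ("2.9.0.4", "2.9.0.5"):
        print(version, diagnose(members, "CentOS-5.4", "x86-64", version))
```

Against a real download, call read_members() on the snapshot PulledPork left under temp_path (for the configuration in the post that would be something like /nids/pulledpork/tmp/snortrules-snapshot-2904.tar.gz, an assumed filename) with the distro, arch and snort_version values from pulledpork.conf; an empty "matched" list with non-empty "alternatives" means the tarball has SO rules for the platform but not for the version the config names. The same check can be done by hand with tar tzf on the snapshot piped through grep for the so_rules/precompiled/ prefix.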



Snort-users mailing list

