Snort mailing list archives
Re: PullePork SO Rules Management?
From: JJC <cummingsj () gmail com>
Date: Wed, 4 May 2011 11:30:32 -0600
Part of your problem is your OS definition, it should be Centos-5-4 and not CentOS-5-4, that may be causing all of it, please let me know what the results are after modifying that.

Note the path in the rules tarball: /so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/

When you have to hit ENTER to finish the sid-msg.map, does the sid-msg.map still generate?

JJC

On Wed, May 4, 2011 at 10:36 AM, JJC <cummingsj () gmail com> wrote:

> I'll look into the so rule stuff... as to the 0.6.0 vs 0.6.1.. the config file is still for 0.6.x as 0.6.1 was a bugfix release and that did not affect the config file.
>
> On Wed, May 4, 2011 at 10:32 AM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:
>
>> On 5/4/2011 3:43 PM, JJC wrote:
>>
>>> It updates the actual .so rules and then generates updated stubs to stick in the so_rules.rules file.
>>
>> Hmm, looks like if you have to specify a different version inside of the pulledpork.conf file it doesn't extract/move the *.so rules into the snort_dynamicrules folder? We are using 2.9.0.5 but since there is no 2.9.0.5 tarball for registered users, I think that may be causing the issue.
>>
>> Also, when this error occurs pulledpork hangs at the generating sid-msg.map portion forever until you hit enter, then it will continue on.
>>
>> When we are running this command, there are no *.so files in the snort_dynamicrules/ directory. If I manually place them there and then run pulled pork, everything works as expected.
>>
>> $ pulledpork.pl -c /nids/pulledpork/etc/pulledpork.conf
>>
>>       http://code.google.com/p/pulledpork/
>>         _____ ____
>>        `----,\    )
>>         `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
>>          `--==\\/
>>        .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
>>     @_/        /  66\_  cummingsj () gmail com
>>       |    \   \   _(")
>>        \   /-| ||'--'  Rules give me wings!
>>         \_\  \_\\
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Checking latest MD5 for snortrules-snapshot-2904.tar.gz....
>>     They Match
>>     Done!
>> Prepping rules from snortrules-snapshot-2904.tar.gz for work....
>>     Done!
>> Checking latest MD5 for opensource.gz....
>>     They Match
>>     Done!
>> Prepping rules from opensource.gz for work....
>>     Done!
>> Checking latest MD5 for emerging.rules.tar.gz....
>>     They Match
>>     Done!
>> Prepping rules from emerging.rules.tar.gz for work....
>>     Done!
>> Reading rules...
>> Generating Stub Rules....
>> An error occurred: Warning: No dynamic libraries found in directory /opt/bcs/packages/snort/lib/snort_dynamicrules!
>>     Done
>> Reading rules...
>> Reading rules...
>> Reading rules...
>> Processing /nids/pulledpork/etc/enablesid.conf....
>>     Modified 0 rules
>>     Done
>> Processing /nids/pulledpork/etc/dropsid.conf....
>>     Modified 0 rules
>>     Done
>> Processing /nids/pulledpork/etc/disablesid.conf....
>>     Modified 0 rules
>>     Done
>> Modifying Sids....
>>     Done!
>> Setting Flowbit State....
>>     Enabled 55 flowbits
>>     Enabled 31 flowbits
>>     Done
>> Writing /nids/snort/rules/snort.rules....
>>     Done
>> Writing /nids/snort/rules/so_rules.rules....
>>     Done
>> Generating sid-msg.map....
>> ======= HANGS HERE INDEFINITELY UNTIL YOU HIT ENTER =======
>>     Done
>> Writing /nids/snort/etc/sid-msg.map....
>>     Done
>> Writing /nids/pulledpork/log/sid_changes.log....
>>     Done
>> Rule Stats....
>>     New:-------0
>>     Deleted:---0
>>     Enabled Rules:----13221
>>     Dropped Rules:----0
>>     Disabled Rules:---13745
>>     Total Rules:------26966
>>     Done
>> Please review /nids/pulledpork/log/sid_changes.log for additional details
>> Fly Piggy Fly!
>>
>> pulledpork.conf:
>> ==============================================================================
>> # Config file for pulledpork
>> rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
>> rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
>> rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl
>> ignore=<REDACTED>
>> temp_path=/nids/pulledpork/tmp
>> rule_path=/nids/snort/rules/snort.rules
>> local_rules=/nids/snort/rules/local.rules
>> sid_msg=/nids/snort/etc/sid-msg.map
>> sid_changelog=/nids/pulledpork/log/sid_changes.log
>> sorule_path=/opt/bcs/packages/snort/lib/snort_dynamicrules/
>> snort_path=/opt/bcs/bin/snort
>> config_path=/nids/snort/etc/snort_00.conf
>> sostub_path=/nids/snort/rules/so_rules.rules
>> distro=CentOS-5.4
>> snort_version=2.9.0.4
>> enablesid=/nids/pulledpork/etc/enablesid.conf
>> dropsid=/nids/pulledpork/etc/dropsid.conf
>> disablesid=/nids/pulledpork/etc/disablesid.conf
>> modifysid=/nids/pulledpork/etc/modifysid.conf
>> version=0.6.0
>> ==============================================================================
>>
>> $ snort --version
>>
>>    ,,_     -*> Snort! <*-
>>   o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
>>    ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
>>            Copyright (C) 1998-2011 Sourcefire, Inc., et al.
>>            Using libpcap version 1.1.1
>>            Using PCRE version: 8.02 2010-03-19
>>            Using ZLIB version: 1.2.3
>>
>> $ more /etc/redhat-release
>> CentOS release 5.5 (Final)
>>
>> $ ls -laFh /opt/bcs/packages/snort/lib/snort_dynamicrules/
>> total 8.0K
>> drwxr-xr-x 2 root root 4.0K May  4 11:46 ./
>> drwxr-xr-x 6 root root 4.0K May  3 17:37 ../
>>
>> ---SNIP---
>>     elsif ($Sorules
>>         && $filename =~ /^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\/.*\.so/
>>         && -d $Sorules
>>         && !$Textonly )
>>     {
>>         $singlefile =~ s/^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\///;
>>         $tar->extract_file( $filename, $Sorules . $singlefile );
>>         print "\tExtracted: $Sorules$singlefile\n" if ( $Verbose && !$Quiet );
>>     }
>> ---SNIP---
>>
>> Best I can tell is that we should be pulling from so_rules/precompiled/CentOS-5.4/x86-64/2.9.0.4 because the following are defined in the pulledpork.conf. Here is the -v output:
>>
>> MISC (CLI and Autovar) Variable Debug:
>>     arch Def is: x86-64
>>     Config Path is: /nids/pulledpork/etc/pulledpork.conf
>>     Distro Def is: CentOS-5.4
>>     Disabled policy specified
>>     local.rules path is: /nids/snort/rules/local.rules
>>     Rules file is: /nids/snort/rules/snort.rules
>>     Path to disablesid file: /nids/pulledpork/etc/disablesid.conf
>>     Path to dropsid file: /nids/pulledpork/etc/dropsid.conf
>>     Path to enablesid file: /nids/pulledpork/etc/enablesid.conf
>>     Path to modifysid file: /nids/pulledpork/etc/modifysid.conf
>>     sid changes will be logged to: /nids/pulledpork/log/sid_changes.log
>>     sid-msg.map Output Path is: /nids/snort/etc/sid-msg.map
>>     Snort Version is: 2.9.0.4
>>     Snort Config File: /nids/snort/etc/snort_00.conf
>>     Snort Path is: /opt/bcs/bin/snort
>>     SO Output Path is: /opt/bcs/packages/snort/lib/snort_dynamicrules/
>>     SO Stub File is: /nids/snort/rules/so_rules.rules
>>
>> Something else is that the version stuff in 0.6.1 doesn't match up. The config file that comes with pulledpork still says 0.6.0 and if you update it to the current version of 0.6.1, this happens:
>>
>> $ pulledpork.pl -v -c /nids/pulledpork/etc/pulledpork.conf
>>
>>       http://code.google.com/p/pulledpork/
>>         _____ ____
>>        `----,\    )
>>         `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
>>          `--==\\/
>>        .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
>>     @_/        /  66\_  cummingsj () gmail com
>>       |    \   \   _(")
>>        \   /-| ||'--'  Rules give me wings!
>>         \_\  \_\\
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> ---SNIP----
>>     version = 0.6.1
>> ---SNIP----
>> You are not using the current version of pulledpork.conf!
>> Please use the version that shipped with PulledPork v0.6.1 the Smoking Pig <////~!
>>
>> Fix is to just change this stuff:
>>
>> From pulledpork.pl:
>>     my $VERSION = "PulledPork v0.6.1 the Smoking Pig <////~";
>> To:
>>     my $VERSION = "0.6.1";
>>
>> From pulledpork.pl:
>>     if $Config_info{'version'} ne "0.6.0";
>> To:
>>     if $Config_info{'version'} ne $VERSION;
>>
>> From pulledpork.pl:
>> --- SNIP ---
>> sub pulledpork {
>> ...
>>         `--==\\\\ / $VERSION
>> ...
>> }
>> --- SNIP ---
>> To:
>>         `--==\\\\ / PulledPork: $VERSION
>>
>> -- Eoin
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
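The distro/arch/version match JJC points to, as an added example that is not pulledpork's own code: a small Python reimplementation of the extraction test from the Perl snippet in the thread, run over a constructed list of tarball member names (the Centos-5-4/x86-64/2.9.0.4 path from the thread plus placeholder neighbours). It also adds the check the tool lacked here: when nothing matches it reports the triples the tarball actually ships, so a distro=CentOS-5.4 versus Centos-5-4 mismatch surfaces at rule-update time instead of as an empty snort_dynamicrules directory.

```python
import re

# Constructed member list modelled on the path JJC quotes
# (/so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/); library names are placeholders.
SAMPLE_MEMBERS = [
    "so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/bad-traffic.so",
    "so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/web-misc.so",
    "so_rules/precompiled/Centos-5-4/i386/2.9.0.4/bad-traffic.so",
    "so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.0.4/bad-traffic.so",
    "so_rules/bad-traffic.rules",
]

# Same shape as pulledpork's regex, but the three path components are captured
# generically so the script can also report what the tarball really contains.
SO_PATH = re.compile(r"^so_rules/precompiled/([^/]+)/([^/]+)/([^/]+)/(.*\.so)$")

def _normalize(s):
    # Fold case and treat "." and "-" alike so CentOS-5.4 and Centos-5-4 compare equal.
    return s.lower().replace(".", "-")

def select_so_files(members, distro, arch, snort_version, sorule_path):
    """Return (member, destination) pairs pulledpork would extract: all three
    components must match literally, exactly as the Perl regex requires."""
    picked = []
    for name in members:
        m = SO_PATH.match(name)
        if m and m.group(1, 2, 3) == (distro, arch, snort_version):
            picked.append((name, sorule_path + m.group(4)))  # prefix stripped
    return picked

def available_targets(members):
    """Distinct distro/arch/version triples the tarball ships precompiled rules for."""
    return sorted({"/".join(m.group(1, 2, 3)) for m in map(SO_PATH.match, members) if m})

def diagnose(members, distro, arch, snort_version, sorule_path):
    """Explain an empty selection instead of letting snort later complain
    'No dynamic libraries found'."""
    picked = select_so_files(members, distro, arch, snort_version, sorule_path)
    if picked:
        return "ok", picked
    asked = f"{distro}/{arch}/{snort_version}"
    near = [t for t in available_targets(members) if _normalize(t) == _normalize(asked)]
    if near:
        return f"no match for {asked}; spelling/case differs from {near[0]}", []
    return f"no precompiled rules for {asked}; tarball has: " + ", ".join(available_targets(members)), []

if __name__ == "__main__":
    for distro in ("CentOS-5.4", "Centos-5-4"):
        print(distro, "->", diagnose(SAMPLE_MEMBERS, distro, "x86-64", "2.9.0.4",
                                     "/opt/bcs/packages/snort/lib/snort_dynamicrules/"))
```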
Current thread:
- PullePork SO Rules Management? Eoin Miller (May 04)
- Re: PullePork SO Rules Management? JJC (May 04)
- Re: PullePork SO Rules Management? Eoin Miller (May 04)
- Re: PullePork SO Rules Management? JJC (May 04)
- Re: PullePork SO Rules Management? JJC (May 04)
- Re: PullePork SO Rules Management? Eoin Miller (May 04)
- Re: PullePork SO Rules Management? JJC (May 04)
- Re: PullePork SO Rules Management? Eoin Miller (May 04)
- PulledPork - disablesid.conf categories and SO rule stubs Eoin Miller (May 04)
- Re: PulledPork - disablesid.conf categories and SO rule stubs Joel Esler (May 04)
- Re: PulledPork - disablesid.conf categories and SO rule stubs JJC (May 04)
- Re: PulledPork - disablesid.conf categories and SO rule stubs Eoin Miller (May 05)
- Re: PulledPork - disablesid.conf categories and SO rule stubs Joel Esler (May 05)
- Re: PullePork SO Rules Management? Eoin Miller (May 04)
- Re: PullePork SO Rules Management? JJC (May 04)