Snort mailing list archives

Re: PulledPork SO Rules Management?


From: JJC <cummingsj () gmail com>
Date: Wed, 4 May 2011 11:30:32 -0600

Part of your problem is your OS definition: it should be Centos-5-4 and not
CentOS-5-4. That may be causing all of it; please let me know what the
results are after modifying that.

Note the path in the rules tarball: /so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/

When you have to hit ENTER to finish the sid-msg.map, does the sid-msg.map
still generate?

JJC

On Wed, May 4, 2011 at 10:36 AM, JJC <cummingsj () gmail com> wrote:

I'll look into the so rule stuff... As to the 0.6.0 vs 0.6.1: the config
file is still for 0.6.x, as 0.6.1 was a bugfix release and that did not
affect the config file.


On Wed, May 4, 2011 at 10:32 AM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

On 5/4/2011 3:43 PM, JJC wrote:

It updates the actual .so rules and then generates updated stubs to stick
in the so_rules.rules file.

Hmm, looks like if you have to specify a different version inside of the
pulledpork.conf file it doesn't extract/move the *.so rules into the
snort_dynamicrules folder? We are using 2.9.0.5, but since there is no
2.9.0.5 tarball for registered users, I think that may be causing the issue.
Also, when this error occurs pulledpork hangs at the "Generating sid-msg.map"
portion forever until you hit enter, then it will continue on. When we are
running this command, there are no *.so files in the snort_dynamicrules/
directory. If I manually place them there and then run pulledpork,
everything works as expected.

$ pulledpork.pl -c /nids/pulledpork/etc/pulledpork.conf

   http://code.google.com/p/pulledpork/
     _____ ____
    `----,\    )
     `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
 @_/        /  66\_  cummingsj () gmail com
   |    \   \   _(")
    \   /-| ||'--'  Rules give me wings!
     \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2904.tar.gz....
       They Match
       Done!
Prepping rules from snortrules-snapshot-2904.tar.gz for work....
       Done!
Checking latest MD5 for opensource.gz....
       They Match
       Done!
Prepping rules from opensource.gz for work....
       Done!
Checking latest MD5 for emerging.rules.tar.gz....
       They Match
       Done!
Prepping rules from emerging.rules.tar.gz for work....
       Done!
Reading rules...
Generating Stub Rules....
       An error occurred: Warning: No dynamic libraries found in directory
/opt/bcs/packages/snort/lib/snort_dynamicrules!

       Done
Reading rules...
Reading rules...
Reading rules...
Processing /nids/pulledpork/etc/enablesid.conf....
       Modified 0 rules
       Done
Processing /nids/pulledpork/etc/dropsid.conf....
       Modified 0 rules
       Done
Processing /nids/pulledpork/etc/disablesid.conf....
       Modified 0 rules
       Done
Modifying Sids....
       Done!
Setting Flowbit State....
       Enabled 55 flowbits
       Enabled 31 flowbits
       Done
Writing /nids/snort/rules/snort.rules....
       Done
Writing /nids/snort/rules/so_rules.rules....
       Done
Generating sid-msg.map....

======= HANGS HERE INDEFINITELY UNTIL YOU HIT ENTER =======

       Done
Writing /nids/snort/etc/sid-msg.map....
       Done
Writing /nids/pulledpork/log/sid_changes.log....
       Done
Rule Stats....
       New:-------0
       Deleted:---0
       Enabled Rules:----13221
       Dropped Rules:----0
       Disabled Rules:---13745
       Total Rules:------26966
       Done
Please review /nids/pulledpork/log/sid_changes.log for additional details
Fly Piggy Fly!


pulledpork.conf:

==============================================================================
# Config file for pulledpork
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<REDACTED>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<REDACTED>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl

ignore=<REDACTED>

temp_path=/nids/pulledpork/tmp
rule_path=/nids/snort/rules/snort.rules
local_rules=/nids/snort/rules/local.rules
sid_msg=/nids/snort/etc/sid-msg.map
sid_changelog=/nids/pulledpork/log/sid_changes.log
sorule_path=/opt/bcs/packages/snort/lib/snort_dynamicrules/
snort_path=/opt/bcs/bin/snort
config_path=/nids/snort/etc/snort_00.conf
sostub_path=/nids/snort/rules/so_rules.rules
distro=CentOS-5.4
snort_version=2.9.0.4

enablesid=/nids/pulledpork/etc/enablesid.conf
dropsid=/nids/pulledpork/etc/dropsid.conf
disablesid=/nids/pulledpork/etc/disablesid.conf
modifysid=/nids/pulledpork/etc/modifysid.conf

version=0.6.0

==============================================================================

$ snort --version

  ,,_     -*> Snort! <*-
 o"  )~   Version 2.9.0.5 IPv6 GRE (Build 135)
  ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
          Copyright (C) 1998-2011 Sourcefire, Inc., et al.
          Using libpcap version 1.1.1
          Using PCRE version: 8.02 2010-03-19
          Using ZLIB version: 1.2.3

$ more /etc/redhat-release
CentOS release 5.5 (Final)

$ ls -laFh /opt/bcs/packages/snort/lib/snort_dynamicrules/
total 8.0K
drwxr-xr-x 2 root root 4.0K May  4 11:46 ./
drwxr-xr-x 6 root root 4.0K May  3 17:37 ../


---SNIP---
elsif (   $Sorules
       && $filename =~ /^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\/.*\.so/
       && -d $Sorules
       && !$Textonly )
{
    # strip the precompiled/<distro>/<arch>/<version>/ prefix, then extract
    $singlefile =~ s/^so_rules\/precompiled\/($Distro)\/($arch)\/($Snort)\///;
    $tar->extract_file( $filename, $Sorules . $singlefile );
    print "\tExtracted: $Sorules$singlefile\n"
      if ( $Verbose && !$Quiet );
}
---SNIP---

Best I can tell, we should be pulling from
so_rules/precompiled/CentOS-5.4/x86-64/2.9.0.4, because the following are
defined in pulledpork.conf. Here is the -v output:

MISC (CLI and Autovar) Variable Debug:
       arch Def is: x86-64
       Config Path is: /nids/pulledpork/etc/pulledpork.conf
       Distro Def is: CentOS-5.4
       Disabled policy specified
       local.rules path is: /nids/snort/rules/local.rules
       Rules file is: /nids/snort/rules/snort.rules
       Path to disablesid file: /nids/pulledpork/etc/disablesid.conf
       Path to dropsid file: /nids/pulledpork/etc/dropsid.conf
       Path to enablesid file: /nids/pulledpork/etc/enablesid.conf
       Path to modifysid file: /nids/pulledpork/etc/modifysid.conf
       sid changes will be logged to: /nids/pulledpork/log/sid_changes.log
       sid-msg.map Output Path is: /nids/snort/etc/sid-msg.map
       Snort Version is: 2.9.0.4
       Snort Config File: /nids/snort/etc/snort_00.conf
       Snort Path is: /opt/bcs/bin/snort
       SO Output Path is: /opt/bcs/packages/snort/lib/snort_dynamicrules/
       SO Stub File is: /nids/snort/rules/so_rules.rules


Something else: the version stuff in 0.6.1 doesn't match up. The
config file that comes with pulledpork still says 0.6.0, and if you update it
to the current version of 0.6.1, this happens:

$ pulledpork.pl -v -c /nids/pulledpork/etc/pulledpork.conf

   http://code.google.com/p/pulledpork/
     _____ ____
    `----,\    )
     `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
      `--==\\/
    .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
 @_/        /  66\_  cummingsj () gmail com
   |    \   \   _(")
    \   /-| ||'--'  Rules give me wings!
     \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---SNIP----
       version = 0.6.1
---SNIP----

You are not using the current version of pulledpork.conf!
Please use the version that shipped with PulledPork v0.6.1 the Smoking Pig
<////~!



The fix is to just change this stuff:

From pulledpork.pl:
my $VERSION = "PulledPork v0.6.1 the Smoking Pig <////~";
To:
my $VERSION = "0.6.1";


From pulledpork.pl
     if $Config_info{'version'} ne "0.6.0";
To:
     if $Config_info{'version'} ne $VERSION;

From pulledpork.pl:
--- SNIP ---
sub pulledpork {
...
     `--==\\\\  /     $VERSION
...
}
--- SNIP---

To:
     `--==\\\\  /     PulledPork: $VERSION


-- Eoin
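The distro/arch/version match that decides whether anything lands in snort_dynamicrules, reimplemented in Python as an added example (not pulledpork's own code) from the regex quoted in the thread; the tarball member list is constructed and the .so file names are invented, and check_config() is a helper of this example, not a pulledpork function.

```python
import re

# Constructed sample of tarball member paths, modelled on the layout quoted
# in the thread (so_rules/precompiled/<distro>/<arch>/<snort version>/).
SAMPLE_MEMBERS = [
    "so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/bad-traffic.so",
    "so_rules/precompiled/Centos-5-4/x86-64/2.9.0.4/web-misc.so",
    "so_rules/precompiled/Centos-5-4/i386/2.9.0.4/bad-traffic.so",
    "so_rules/precompiled/Ubuntu-10-4/x86-64/2.9.0.4/bad-traffic.so",
    "so_rules/bad-traffic.rules",
    "rules/web-misc.rules",
]

PRECOMPILED = "so_rules/precompiled/"


def _prefix_re(distro, arch, snort_version):
    # Same interpolation as the Perl: the config values go in unescaped, so
    # the directory names must match exactly, including case and punctuation.
    return r"^%s%s/%s/%s/" % (PRECOMPILED, distro, arch, snort_version)


def select_so_rules(members, distro, arch, snort_version):
    """(member, name written under sorule_path) pairs that the quoted
    elsif branch would extract; the prefix strip mirrors its s/// line."""
    prefix = _prefix_re(distro, arch, snort_version)
    pat = re.compile(prefix + r".*\.so")
    return [(m, re.sub(prefix, "", m)) for m in members if pat.match(m)]


def available_distros(members, arch, snort_version):
    """Distro directories that actually exist for this arch/version, so a
    'No dynamic libraries found' result can be checked against the tarball."""
    found = set()
    for m in members:
        if not m.startswith(PRECOMPILED):
            continue
        parts = m[len(PRECOMPILED):].split("/")
        if len(parts) >= 4 and parts[1] == arch and parts[2] == snort_version:
            found.add(parts[0])
    return sorted(found)


def check_config(members, distro, arch, snort_version):
    """Summarise what a config would extract; an empty match is exactly the
    state in which snort_dynamicrules stays empty and stub generation fails."""
    chosen = [dst for _, dst in select_so_rules(members, distro, arch, snort_version)]
    if chosen:
        return {"status": "ok", "extracted": chosen}
    return {"status": "no match", "distro_given": distro,
            "distros_in_tarball": available_distros(members, arch, snort_version)}


if __name__ == "__main__":
    # distro=CentOS-5.4 as in the posted pulledpork.conf, then the corrected value
    print(check_config(SAMPLE_MEMBERS, "CentOS-5.4", "x86-64", "2.9.0.4"))
    print(check_config(SAMPLE_MEMBERS, "Centos-5-4", "x86-64", "2.9.0.4"))
```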



