Snort mailing list archives

Pulled Pork and SO_rules


From: Dheeraj Gupta <dheeraj.gupta4 () gmail com>
Date: Wed, 18 May 2011 15:15:19 +0530

Hi,
So I installed pulled pork and used it in offline mode (-n option). The
execution went off perfectly. I got a new generated sid-msg.map file and all
that stuff. Even dynamic rules were (presumably) loaded. Here's PP output-

Prepping rules from snortrules-snapshot-2861.tar.gz for work....
        Done!
Reading rules...
Reading rules...
Reading rules...
Setting Flowbit State....
        Enabled 47 flowbits
        Enabled 25 flowbits
        Done
Writing /etc/snort/rules/snort.rules....
        Done
Writing /etc/snort/rules/so_rules.rules....
        Done
Generating sid-msg.map....
        Done
Writing /etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats....
        New:-------0
        Deleted:---0
        Enabled Rules:----4901
        Dropped Rules:----0
        Disabled Rules:---5491
        Total Rules:------10392
        Done

(As you can see there is no "Generating Stub Rules" entry)

However, even now Barnyard (not barnyard2) will log alerts like SnortAlert
[3:13308:0] i.e. it does not find relevant information in sid-msg.map files.
What have I missed?

Here's my pulledpork.conf file (Rules and So_Rules part only)
#######
#######  The below section is for rule processing.  This section is
#######  required if you are not specifying the configuration using
#######  runtime switches.  Note that runtime switches do SUPERSEDE
#######  any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/etc/snort/rules/snort.rules

# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here.  If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
out_path=etc/snort/rules/

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information.  You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/etc/snort/sid-msg.map

# Where do you want me to put the sid changelog?  This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional

#######
#######  The below section is for so_rule processing only.  If you don't
#######  need to use them.. then comment this section out!
#######  Alternately, if you are not using pulledpork to process
#######  so_rules, you can specify -T at runtime to bypass this altogether
#######

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
# OpenSUSE-11-3
distro=Centos-5-4

Regards,
Dheeraj
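The post's symptom is an alert logged as [3:13308:0] with no message text, which the poster reads as Barnyard finding no entry for that sid in sid-msg.map. The script below is an added example, not code from the post, from pulledpork or from Barnyard: it parses a sid-msg.map in the one-key (v1) "sid || msg || ref" layout that pulledpork wrote at the time, a so_rules.rules stub file, and Barnyard-style alert lines, and reports for each alert whether the sid has a message and, for gid 3 (shared-object) alerts, whether a stub rule exists for it. All file contents and sids in the sample data are constructed for the example; 13308 is taken from the post only as a lookup key and nothing about that rule is assumed. Run it against the real files by reading /etc/snort/sid-msg.map and /etc/snort/rules/so_rules.rules into the two text arguments.

```python
import re

# Constructed sample sid-msg.map in the one-key (v1) layout "sid || msg || ref ...".
# The sids and messages are made up for this example.
SAMPLE_SID_MSG_MAP = """\
1000001 || LOCAL test rule one
1000002 || LOCAL test rule two || url,example.invalid
2000001 || HYPOTHETICAL shared-object stub rule
"""

# Constructed sample so_rules.rules stub file. Real stubs come from the snort
# binary via --dump-dynamic-rules; these lines only mimic the sid/gid/rev options.
SAMPLE_SO_STUBS = """\
# constructed stub file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"HYPOTHETICAL shared-object stub rule"; sid:2000001; gid:3; rev:1; metadata:engine shared;)
"""

# Constructed alert lines in the style the post shows: "Snort Alert [gid:sid:rev]".
SAMPLE_ALERTS = [
    "Snort Alert [3:13308:0]",
    "Snort Alert [1:1000001:1]",
    "Snort Alert [3:2000001:1]",
]

ALERT_ID_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
OPTION_RE = re.compile(r"\b(sid|gid):(\d+);")


def parse_sid_msg_map(text):
    """Return {sid: msg} from v1 sid-msg.map text, skipping blank and comment lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("||")]
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        mapping[int(fields[0])] = fields[1]
    return mapping


def parse_stub_ids(text):
    """Return the set of (gid, sid) for every rule line in a stub file; gid defaults to 1."""
    ids = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts = dict(OPTION_RE.findall(line))
        if "sid" in opts:
            ids.add((int(opts.get("gid", 1)), int(opts["sid"])))
    return ids


def parse_alert_ids(lines):
    """Extract (gid, sid, rev) tuples from Barnyard-style alert lines."""
    found = []
    for line in lines:
        m = ALERT_ID_RE.search(line)
        if m:
            found.append(tuple(int(x) for x in m.groups()))
    return found


def diagnose(alert_lines, sid_msg_map_text, stub_text):
    """For each alert id, report whether sid-msg.map has a msg and whether a stub exists.

    has_stub is only meaningful for gid 3 (shared-object) alerts and is None otherwise.
    """
    sid_to_msg = parse_sid_msg_map(sid_msg_map_text)
    stub_ids = parse_stub_ids(stub_text)
    report = []
    for gid, sid, rev in parse_alert_ids(alert_lines):
        report.append({
            "gid": gid, "sid": sid, "rev": rev,
            "msg": sid_to_msg.get(sid),
            "in_sid_msg_map": sid in sid_to_msg,
            "has_stub": (gid, sid) in stub_ids if gid == 3 else None,
        })
    return report


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_ALERTS, SAMPLE_SID_MSG_MAP, SAMPLE_SO_STUBS):
        print(entry)
```

A gid 3 alert that shows in_sid_msg_map False and has_stub False is the pattern the post describes: the shared-object sid reached neither the stub file nor the map, so Barnyard has nothing to print but the numeric id.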
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net