Snort mailing list archives
Re: Installing only so_rules with pulledpork
From: JJC <cummingsj () gmail com>
Date: Mon, 3 Oct 2011 08:43:17 -0600
The other piece of that: if you simply don't include the snort.rules that contain the plaintext rules in the snort.conf, that will do what you want also. If you want the others disabled though, you would probably want to do a PCRE or a range in disablesid.conf.. something like 1:1-1:22000 for example..

JJC

On Mon, Oct 3, 2011 at 8:41 AM, JJC <cummingsj () gmail com> wrote:

> Touch the plaintext rules file first..
>
> On Fri, Sep 30, 2011 at 8:21 AM, carlopmart <carlopmart () gmail com> wrote:
>
>> Hi all,
>>
>> I am trying to use only so_rules on a snort 2.9.1.0. Can I do this with pulledpork?? I am trying with this config:
>>
>> rule_url=http://my.home.server/snortsigs/|vrt.tar.gz|open
>> sorule_path=/data/config/etc/snort-pri/dynamicrules
>> sostub_path=/data/config/etc/snort-pri/rules/all.so_rules
>> distro=RHEL-6-0
>>
>> But when I try to launch pulledpork, it returns this error:
>>
>> [root@idssrv01 ]# pulledpork.pl -c pulledpork-pri.conf -l
>> (PulledPork v0.6.1 the Smoking Pig banner: http://code.google.com/p/pulledpork/ Copyright (C) 2009-2011 JJ Cummings cummingsj () gmail com)
>> ERROR: You need to specify an output rules file!
>>
>> After this, I have enabled the rule_path option, but pulledpork processes all normal rules but not so_rules:
>>
>> [root@idssrv01]# pulledpork.pl -c pulledpork-pri.conf -l
>> (PulledPork v0.6.1 the Smoking Pig banner)
>> Rules tarball download of vrt.tar.gz....
>> Prepping rules from vrt.tar.gz for work....
>> Done!
>> Reading rules...
>> Generating Stub Rules....
>> An error occurred: ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: No such file or directory
>> An error occurred: Fatal Error, Quitting..
>> Done
>> Reading rules...
>> Reading rules...
>> Setting Flowbit State....
>> Enabled 49 flowbits
>> Enabled 23 flowbits
>> Done
>> Writing /data/config/etc/snort-pri/rules/all.rules....
>> Done
>> Writing /data/config/etc/snort-pri/rules/all.so_rules....
>> Done
>>
>> Then, my question: can I configure only so_rules for pulledpork and disable ALL the others?? How can I do it?? Thanks.
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
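JJC's suggestion of a gid:sid range such as 1:1-1:22000, or a pcre: entry, in disablesid.conf is what keeps the gid 1 plaintext rules out while leaving the gid 3 SO stubs alone. The following is an added Python example, not pulledpork's own code, that applies that disablesid.conf syntax to a few constructed rule lines; the rule strings and the disablesid text are constructed for illustration.

```python
import re
# Constructed sample rule lines: three plaintext (gid 1) rules and one SO stub (gid 3).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"plaintext a"; sid:100; gid:1; rev:1;)',
    'alert tcp any any -> any 443 (msg:"plaintext b"; sid:21999; rev:2;)',  # no gid: defaults to 1
    'alert tcp any any -> any 25 (msg:"plaintext c"; sid:22001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"so stub"; sid:100; gid:3; rev:1;)',
]

# Constructed disablesid.conf content: the range form from the thread plus a pcre: entry.
DISABLESID = """
# comments and blank lines are ignored
1:1-1:22000
pcre:plaintext c
"""

def parse_disablesid(text):
    singles, ranges, pcres = set(), [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('pcre:'):
            pcres.append(re.compile(line[len('pcre:'):]))
        elif '-' in line:                      # gid:sid-gid:sid inclusive range
            lo, hi = line.split('-', 1)
            lg, ls = map(int, lo.split(':'))
            hg, hs = map(int, hi.split(':'))
            ranges.append(((lg, ls), (hg, hs)))
        else:                                  # single gid:sid
            g, s = map(int, line.split(':'))
            singles.add((g, s))
    return singles, ranges, pcres

def rule_ids(rule):
    gid = re.search(r'\bgid:\s*(\d+)', rule)   # absent gid means 1, as in Snort
    sid = re.search(r'\bsid:\s*(\d+)', rule)
    return (int(gid.group(1)) if gid else 1), int(sid.group(1))

def is_disabled(rule, spec):
    singles, ranges, pcres = spec
    ident = rule_ids(rule)                      # tuple compare keeps gid 3 outside a gid 1 range
    if ident in singles or any(lo <= ident <= hi for lo, hi in ranges):
        return True
    return any(p.search(rule) for p in pcres)

def apply_disablesid(rules, text):
    spec = parse_disablesid(text)
    return [('# ' + r) if is_disabled(r, spec) else r for r in rules]
```

Run against the sample, the three gid 1 rules come back commented out (two by the range, one by the pcre) and the gid 3 stub is returned unchanged.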