Re: Installing only so_rules with pulledpork

[JJC <cummingsj () gmail com>]

The other piece of that, if you simply don't include the snort.rules that
contain the plaintext rules in the snort.conf that will do what you want
also.  If you want the others disabled though, you would probably want to do
a PCRE or a range in disablesid.conf.. something like 1:1-1:22000 for
example..

JJC

On Mon, Oct 3, 2011 at 8:41 AM, JJC <cummingsj () gmail com> wrote:

> Touch the plaintext rules file first..
>
>
> On Fri, Sep 30, 2011 at 8:21 AM, carlopmart <carlopmart () gmail com> wrote:
>
> > Hi all,
> >
> >  I am trying to use only so_rules on a snort 2.9.1.0. Can I do this
> > with pulledpork??
> >
> >  I am trying with this config:
> >
> > rule_url=http://my.home.server/snortsigs/|vrt.tar.gz|open
> > sorule_path=/data/config/etc/snort-pri/dynamicrules
> > sostub_path=/data/config/etc/snort-pri/rules/all.so_rules
> > distro=RHEL-6-0
> >
> >  But when I try to launch pulledpork, returns me this error:
> >
> > [root@idssrv01 ]# pulledpork.pl -c pulledpork-pri.conf -l
> >
> >     http://code.google.com/p/pulledpork/
> >       _____ ____
> >      `----,\    )
> >       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >        `--==\\/
> >      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >   @_/        /  66\_  cummingsj () gmail com
> >     |    \   \   _(")
> >      \   /-| ||'--'  Rules give me wings!
> >       \_\  \_\\
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> > ERROR: You need to specify an output rules file!
> >
> >  After this, I have enabled rule_path option, but pulledpork process
> > all normal rules but not so_rules:
> >
> > [root@idssrv01]# pulledpork.pl -c pulledpork-pri.conf -l
> >
> >     http://code.google.com/p/pulledpork/
> >       _____ ____
> >      `----,\    )
> >       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >        `--==\\/
> >      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >   @_/        /  66\_  cummingsj () gmail com
> >     |    \   \   _(")
> >      \   /-| ||'--'  Rules give me wings!
> >       \_\  \_\\
> >  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Rules tarball download of vrt.tar.gz....
> > Prepping rules from vrt.tar.gz for work....
> >        Done!
> > Reading rules...
> > Generating Stub Rules....
> >        An error occurred: ERROR: OpenAlertFile() => fopen() alert file
> > /var/log/snort/alert: No such file or directory
> >
> >        An error occurred: Fatal Error, Quitting..
> >
> >        Done
> > Reading rules...
> > Reading rules...
> > Setting Flowbit State....
> >        Enabled 49 flowbits
> >        Enabled 23 flowbits
> >        Done
> > Writing /data/config/etc/snort-pri/rules/all.rules....
> >        Done
> > Writing /data/config/etc/snort-pri/rules/all.so_rules....
> >        Done
> >
> >  Then, my question: can I configure only so_rules for pulledpork and
> > disable ALL the others?? How can I do??
> >
> > Thanks.
> > --
> > CL Martinez
> > carlopmart {at} gmail {d0t} com
> >
> >
> > ------------------------------------------------------------------------------
> > All of the data generated in your IT infrastructure is seriously valuable.
> > Why? It contains a definitive record of application performance, security
> > threats, fraudulent activity, and more. Splunk takes this data and makes
> > sense of it. IT sense. And common sense.
> > http://p.sf.net/sfu/splunk-d2dcopy2
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!