Snort mailing list archives
Re: I'm getting close, I smell more bacon
From: JJC <cummingsj () gmail com>
Date: Fri, 14 Sep 2012 09:22:50 -0600
Absolutely... so pretty straightforward.. everything that you specified at runtime can be specified in the pulledpork.conf file that can then be called (as you have done) using the -c <path to pulledpork.conf> runtime flag.

You have a few errors:

1. If you are planning on using SO rules, you must specify an arch.
2. You have specified the path to an existing directory as the exact same path that you want to write your snort rules to. You will need to add an additional /filename and specify said filename in your snort.conf as the rules file...
3. Was there a guide that you used to get to this point or?

JJC

On Fri, Sep 14, 2012 at 9:10 AM, Joel Esler <jesler () sourcefire com> wrote:
JJ, can you help out here?

On Sep 14, 2012, at 3:34 AM, PR <oly562 () gmail com> wrote:

ok, i commented out ET rules. bah, i will deal with that later.

1. i ran:

./pulledpork.pl -s /etc/snort/so_rules -p /usr/local/bin/snort -C /etc/snort.conf -i /etc/snort/disablesid.conf -b /etc/snort/dropsid.conf -e /etc/snort/enablesid.conf -M /etc/snort/modifysid.conf -e /etc/snort/enablesid.conf -c /etc/snort/pulledpork.conf -o /etc/snort/rules/

2. I got:

Use of uninitialized value $arch in regexp compilation at ./pulledpork.pl line 271.
Done!
Reading rules...
Generating Stub Rules....
Something failed in the gen_stubs sub, please verify your shared object config!
Done
Reading rules...
Reading rules...
Processing /etc/snort/enablesid.conf....
Modified 0 rules
Done
Processing /etc/snort/dropsid.conf....
Modified 0 rules
Done
Processing /etc/snort/disablesid.conf....
Modified 0 rules
Done
Modifying Sids....
Done!
Setting Flowbit State....
Enabled 11 flowbits
Enabled 1 flowbits
Done
Writing /etc/snort/rules....
Unable to write /etc/snort/rules - Is a directory at ./pulledpork.pl line 1083.
main::rule_write('HASH(0x8f682ac)', '/etc/snort/rules', 1, undef) called at ./pulledpork.pl line 1870

3. also, do i need to define all that stuff in cmdline, couldn't i just uncomment the /etc/snort/disablesid.confs in pulledpork.conf? just wondering.

Thanks!!! any input is really appreciated. i'm learning more and more every day. Pretty soon i will be asking about rule creation lol

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
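A preflight script, added here and not from the thread or the PulledPork project, that checks a pulledpork.conf for the problems JJC lists above: the rules output path naming an existing directory, that file not being included by snort.conf, and SO rules configured without an arch. It assumes the conf uses key=value lines with the keys rule_path, sorule_path, config_path and distro (the arch setting); the sample files it writes are constructed.

```shell
#!/bin/sh
# Assumed conf keys: rule_path, sorule_path, config_path, distro (arch).
# Adjust the names if your pulledpork version spells them differently.

# conf_get FILE KEY: value of the first uncommented "KEY=value" line
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# preflight CONF: print one line per problem found (prints nothing when clean)
preflight() {
    conf=$1
    rule_path=$(conf_get "$conf" rule_path)
    config_path=$(conf_get "$conf" config_path)
    sorule_path=$(conf_get "$conf" sorule_path)
    distro=$(conf_get "$conf" distro)
    # Error 2: the rules output must be a file; an existing directory fails in rule_write
    if [ -z "$rule_path" ] || [ -d "$rule_path" ]; then
        echo "rule_path '$rule_path' is empty or a directory; use e.g. $rule_path/snort.rules"
    # ...and snort.conf must include that file, or Snort never loads the rules
    elif ! grep -E '^[[:space:]]*include[[:space:]]' "$config_path" 2>/dev/null \
            | grep -qF "$rule_path"; then
        echo "$config_path does not include $rule_path"
    fi
    # Error 1: SO rules need the arch/distro, otherwise stub generation fails
    if [ -n "$sorule_path" ] && [ -z "$distro" ]; then
        echo "sorule_path is set but distro (arch) is not"
    fi
}

# Constructed sample files: one reproducing the thread's setup, one corrected.
T=$(mktemp -d)
mkdir -p "$T/rules"
printf 'include %s/rules/snort.rules\n' "$T" > "$T/snort.conf"
cat > "$T/bad.conf" <<EOF
rule_path=$T/rules
sorule_path=$T/so_rules
config_path=$T/snort.conf
EOF
cat > "$T/good.conf" <<EOF
rule_path=$T/rules/snort.rules
sorule_path=$T/so_rules
config_path=$T/snort.conf
distro=Ubuntu-12-04
EOF
preflight "$T/bad.conf"    # reports two problems
preflight "$T/good.conf"   # reports nothing
```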