Snort mailing list archives

Re: I'm getting close, I smell more bacon


From: PR <oly562 () gmail com>
Date: Fri, 14 Sep 2012 10:11:19 -0700

Hi, and thanks JJ, I appreciate your time in this matter.

Yes, see enclosed the manual/howto for the Ubuntu distro; however, I did
not specify that.

I will specify more in the pulledpork.conf for disablesids and such.

As for SO rules, I'm a little confused about what they are for.

I am reading the 2.9.3 manual from snort.org now. Large manual, which is
good.

Most of the issues I have had are with absolute paths. In one .conf it
states the full path, and ./rules was changed back to ../rules as it is
located in /etc/snort; this is where I put everything: so_rules, gen-msg
and so forth. Perms may be an issue. Each howto says a little something
different, so I just start from scratch each time it doesn't work, when
snort, barnyard2, or pulledpork fails.

As for this build, it is going smoother, and surely I will save the
working configs once I understand SO rules better, and other features.

Snort works, barnyard2 works, but pulledpork is the issue right now, and
will be until I figure out what I am doing. I used to use oinkmaster, but
now I will use PP per snort.org suggestions.

More to follow. Thanks again, Pete

On Fri, 2012-09-14 at 09:22 -0600, JJC wrote:
Absolutely... so, pretty straightforward: everything that you
specified at runtime can be specified in the pulledpork.conf file, which
can then be called (as you have done) using the -c <path to
pulledpork.conf> runtime flag.

You have a few errors:
     1. If you are planning on using SO rules, you must specify an
        arch.
     2. You have specified the path to an existing directory as the
        exact same path that you want to write your snort rules to.
        You will need to add an additional /filename and specify said
        filename in your snort.conf as the rules file.
     3. Was there a guide that you used to get to this point, or?
JJC

On Fri, Sep 14, 2012 at 9:10 AM, Joel Esler <jesler () sourcefire com>
wrote:
        JJ, can you help out here?
        
        On Sep 14, 2012, at 3:34 AM, PR <oly562 () gmail com> wrote:

        > OK, I commented out ET rules. Bah, I will deal with that
        > later.
        >
        > 1. I ran:
        >
        > ./pulledpork.pl -s /etc/snort/so_rules -p /usr/local/bin/snort \
        >   -C /etc/snort.conf -i /etc/snort/disablesid.conf \
        >   -b /etc/snort/dropsid.conf -e /etc/snort/enablesid.conf \
        >   -M /etc/snort/modifysid.conf -e /etc/snort/enablesid.conf \
        >   -c /etc/snort/pulledpork.conf -o /etc/snort/rules/
        >
        > 2. I got:
        >
        > Use of uninitialized value $arch in regexp compilation
        > at ./pulledpork.pl line 271.
        >       Done!
        > Reading rules...
        > Generating Stub Rules....
        > Something failed in the gen_stubs sub, please verify your
        > shared object config!
        >       Done
        > Reading rules...
        > Reading rules...
        > Processing /etc/snort/enablesid.conf....
        >       Modified 0 rules
        >       Done
        > Processing /etc/snort/dropsid.conf....
        >       Modified 0 rules
        >       Done
        > Processing /etc/snort/disablesid.conf....
        >       Modified 0 rules
        >       Done
        > Modifying Sids....
        >       Done!
        > Setting Flowbit State....
        >       Enabled 11 flowbits
        >       Enabled 1 flowbits
        >       Done
        > Writing /etc/snort/rules....
        > Unable to write /etc/snort/rules - Is a directory
        > at ./pulledpork.pl line 1083.
        >       main::rule_write('HASH(0x8f682ac)', '/etc/snort/rules', 1, undef)
        > called at ./pulledpork.pl line 1870
        >
        > 3. Also, do I need to define all that stuff on the command line?
        > Couldn't I just uncomment the /etc/snort/disablesid.conf lines in
        > pulledpork.conf? Just wondering.
        >
        > Thanks!!! Any input is really appreciated. I'm learning more and
        > more every day. Pretty soon I will be asking about rule creation,
        > lol.
        
        
        _______________________________________________
        Snort-sigs mailing list
        Snort-sigs () lists sourceforge net
        https://lists.sourceforge.net/lists/listinfo/snort-sigs
        http://www.snort.org
        
        
        Please visit http://blog.snort.org for the latest news about
        Snort!


Attachment: deb_snort_howto.pdf
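JJC's two diagnoses in the reply above (SO rules requested without an arch, and an output path that names a directory instead of a file) are both conditions that can be checked before pulledpork.pl is ever run. What follows is an added example, not code from this thread or from the PulledPork project: a small Python pre-flight validator that parses a pulledpork.conf, flags both conditions, and additionally confirms that snort.conf has an include line for the rule file PulledPork will write. The key names rule_path, sorule_path, distro and config_path, and the distro label Ubuntu-12-04, are assumptions about the pulledpork.conf format; the sample configs and snort.conf fragment are constructed to mirror the command line quoted in the thread.

```python
"""Pre-flight check for a pulledpork.conf (hypothetical helper, not PulledPork code).

Assumed pulledpork.conf keys: rule_path (text rules output file), sorule_path
(SO rules directory), distro (the arch used to pick the SO rule build) and
config_path (snort.conf). The check catches the two errors from the thread
before pulledpork.pl runs:
  * sorule_path set but no distro  -> "Use of uninitialized value $arch"
  * rule_path names a directory     -> "Unable to write ... - Is a directory"
and also verifies that snort.conf includes the rule file.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample mirroring the thread's command line (-o /etc/snort/rules/, no arch).
BROKEN_CONF = """
# pulledpork.conf (constructed sample)
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
sorule_path=/etc/snort/so_rules/
rule_path=/etc/snort/rules/
"""

# Constructed sample with both problems corrected.
FIXED_CONF = """
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
sorule_path=/etc/snort/so_rules/
distro=Ubuntu-12-04   # assumed label; use the one matching your SO rule build
rule_path=/etc/snort/rules/snort.rules
"""

# Constructed snort.conf fragment that pulls in the single PulledPork output file.
SNORT_CONF = """
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
include $RULE_PATH/snort.rules
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; '#' starts a comment, blank and malformed lines are skipped."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def snort_includes(snort_conf: str) -> List[str]:
    """Return the basenames of the files named on 'include' lines of a snort.conf."""
    return [os.path.basename(m.group(1))
            for m in re.finditer(r"^\s*include\s+(\S+)", snort_conf, re.M)]


def check_pulledpork(conf_text: str, snort_conf: str,
                     is_dir: Callable[[str], bool] = os.path.isdir) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the config passes."""
    conf = parse_conf(conf_text)
    findings: List[Tuple[str, str]] = []

    rule_path = conf.get("rule_path", "")
    if not rule_path:
        findings.append(("RULE_PATH_UNSET", "rule_path must name the file to write"))
    elif rule_path.endswith("/") or is_dir(rule_path):
        # The "Unable to write /etc/snort/rules - Is a directory" failure from the thread.
        findings.append(("RULE_PATH_IS_DIR",
                         f"{rule_path} is a directory; append a filename, "
                         f"e.g. {rule_path.rstrip('/')}/snort.rules"))
    elif os.path.basename(rule_path) not in snort_includes(snort_conf):
        # Writing the file is not enough; snort.conf must also load it.
        findings.append(("RULE_FILE_NOT_INCLUDED",
                         f"snort.conf has no include line for {os.path.basename(rule_path)}"))

    if conf.get("sorule_path") and not conf.get("distro"):
        # The "Use of uninitialized value $arch" warning and failed gen_stubs from the thread.
        findings.append(("SO_ARCH_UNSET", "sorule_path is set but distro (arch) is not"))

    return findings


if __name__ == "__main__":
    # is_dir is injected so the sample runs without /etc/snort existing on this host.
    for name, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(name, "->", check_pulledpork(text, SNORT_CONF, is_dir=lambda p: False) or "OK")
```

Running it on the broken sample reports RULE_PATH_IS_DIR and SO_ARCH_UNSET, which are exactly the two runtime failures in the quoted output; the fixed sample passes. The directory test is deliberately double (trailing slash or an existing directory) because PulledPork only discovers the problem at write time, after the rule download has already happened.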
