Re: pulledpork help

[Jeremy Hoel <jthoel () gmail com>]

Right, so the version it's looking for, in regards to rules is 2.9.3.0.

The pulledpork.pl script pulls the version number if looks for from snort.

You can either get the 2.9.3.0 rules or upgrade your snort to 2.9.3.1


On Fri, Oct 12, 2012 at 6:20 PM, Tony Reusser <treusser () filertel com> wrote:
> [root@briareos snort]# snort -V
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.3 IPv6 GRE (Build 37)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2012 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 8.31 2012-07-06
>            Using ZLIB version: 1.2.3
>
>
>
>
> -----Original Message-----
> From: Jeremy Hoel [mailto:jthoel () gmail com]
> Sent: Friday, October 12, 2012 12:15 PM
> To: Tony Reusser
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] pulledpork help
>
> What does 'snort -V' show?
>
>
> On Fri, Oct 12, 2012 at 6:03 PM, Tony Reusser <treusser () filertel com> wrote:
> > My snort box:
> >
> >
> >
> > CentOS 6.3
> >
> > Snort vers 2.9.3
> >
> > Standard barnyard/pulledpork/mysql/BASE setup
> >
> >
> >
> > I'm fairly new to Snort.  I've had it up and running for a couple of
> > months now.  About a month ago I downloaded the 2930 ruleset and
> > successfully installed it using pulledpork.  I am not a subscriber, so
> > I only get the 'registered user' rulesets 30 days late.  I'm fine with
> > that as this whole thing is a learning process for me anyway.
> >
> >
> >
> > Because of that, I download the rule tarballs manually and place them
> > in my /tmp folder on the snort machine.  I run pulledpork with the /n
> > option to process without downloading.  With the latest rule tarball
> > in /tmp, this should work right?  It seemed to function properly with
> > 2930.  However, now that I've downloaded the 2931 ruleset, I get the
> > following error when I run pulledpork.  Why is it still looking for
> > the 2930 file?  I'm not a PERL guy, but line 1798 just refers to a
> > variable $rule_file.  Where is this actually defined?  And why doesn't it
> reflect the current rule tarball file I have?
> > Any help would be appreciated.
> >
> >
> >
> >                 -Tony Reusser
> >
> >
> >
> >
> >
> > [root@briareos pp]# ./pulledpork.pl -c ./etc/pulledpork.conf -E -n
> >
> >
> >
> >     http://code.google.com/p/pulledpork/
> >
> >       _____ ____
> >
> >      `----,\    )
> >
> >       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
> >
> >        `--==\\/
> >
> >      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
> >
> >   @_/        /  66\_  cummingsj () gmail com
> >
> >     |    \   \   _(")
> >
> >      \   /-| ||'--'  Rules give me wings!
> >
> >       \_\  \_\\
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> >
> > file /tmp//snortrules-snapshot-2930.tar.gz does not exist!
> >
> > at ./pulledpork.pl line 1798
> >
> >
> >
> >
> >
> > file listing of /tmp:
> >
> > [root@briareos pp]# ls -al /tmp
> >
> > total 23280
> >
> > drwxrwxrwt. 13 root     root         4096 Oct 12 11:39 .
> >
> > dr-xr-xr-x. 26 root     root         4096 Oct 12 11:04 ..
> >
> > -rw-r--r--.  1 root     root      1272869 Oct 12 09:32
> emerging.rules.tar.gz
> > -rw-r--r--.  1 root     root            0 Oct 12 10:53 etpro.rules.tar.gz
> >
> > srwxrwxr-x.  1 notroot  notroot         0 Jul 31 11:46
> > gnome-system-monitor.treusser.2837431554
> >
> > drwxrwxrwt.  2 root     root         4096 Oct 12 11:05 .ICE-unix
> >
> > drwx------.  2 gdm      gdm          4096 Oct 12 11:06 orbit-gdm
> >
> > -rw-rw-r--.  1 notroot  notroot  22487562 Oct 12 11:19
> > snortrules-snapshot-2931.tar.gz
> >
> > -r--r--r--.  1 root     root           11 Oct 12 11:05 .X0-lock
> >
> > drwxrwxrwt.  2 root     root         4096 Oct 12 11:05 .X11-unix
> >
> > -r--r--r--.  1 notroot  notroot        11 Oct 12 11:05 .X1-lock
> >
> > -rw-------.  1 root     root         1671 Oct  3 15:24
> > yum_save_tx-2012-10-03-15-24H0Dg_g.yumtx
> >
> > -rw-------.  1 root     root         3856 Oct  8 08:56
> > yum_save_tx-2012-10-08-08-56ONmnWM.yumtx
> >
> > -rw-------.  1 root     root         1204 Oct 11 11:20
> > yum_save_tx-2012-10-11-11-20aPV3jH.yumtx
> >
> >
> > ----------------------------------------------------------------------
> > -------- Don't let slow site performance ruin your business. Deploy
> > New Relic APM Deploy New Relic app performance management and know
> > exactly what is happening inside your Ruby, Python, PHP, Java, and
> > .NET app Try New Relic at no cost today and get our sweet Data Nerd
> > shirt too!
> > http://p.sf.net/sfu/newrelic-dev2dev
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!

------------------------------------------------------------------------------
Don't let slow site performance ruin your business. Deploy New Relic APM
Deploy New Relic app performance management and know exactly
what is happening inside your Ruby, Python, PHP, Java, and .NET app
Try New Relic at no cost today and get our sweet Data Nerd shirt too!
http://p.sf.net/sfu/newrelic-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!