Snort mailing list archives

Re: PulledPork not processing


From: JJ Cummings <cummingsj () gmail com>
Date: Sun, 10 Feb 2013 17:48:10 -0700

So, back to my original statement... Those are basically the rule docs.... I am looking at better (read moe fastah) 
ways to handle that one.  As to the seeming loop, that may be a legitimate issue.  Note that the updated version of PP 
is designed to end without doing anything if the hashes did not change (per your observation)... Look at the help 
output, I added a flag to "force process" even if no new files or IP rep addresses have changed...  Please feel free to 
bug the loop though... I'll gladly review when I'm not sitting in an airport.

Sent from the iRoad

On Feb 10, 2013, at 16:13, "Michael Steele" <michaels () winsnort com> wrote:

I don’t think so. I’m thinking this gets bypassed using the -T switch, but maybe not.
 
Not sure how long it takes to extract the opensource.gz in UNIX using PP?
 
In Windows it takes about 10 seconds to process the rules in PP, but 30+ minutes to extract the signatures.
 
Best regards,
Michael...
 
From: Tony Robinson [mailto:deusexmachina667 () gmail com] 
Sent: Sunday, February 10, 2013 4:27 PM
To: JJ Cummings
Cc: Michael Steele; snort-users () lists sourceforge net
Subject: Re: [Snort-users] PulledPork not processing
 
Meant to reply-all. Think I might have just sent this to JJ by accident.

Hey... I saw this line in your output above:

  Distro Def is: FreeBSD-8.1

Wondering if that might have something to do with it? Is there an option to define the distro for PP to Windows?

On Sun, Feb 10, 2013 at 11:51 AM, JJ Cummings <cummingsj () gmail com> wrote:
Michael,
 
Are you talking about the rule docs "the opensource.tgz" file?  If so, these are not the rules and only need to be 
extracted if you are using them for reference.  This can sometimes take a while to extract... However, as Joel said 
the actual rules operation should be quite fast.
 
JJC

Sent from the iRoad

On Feb 10, 2013, at 9:20, "Joel Esler" <jesler () sourcefire com> wrote:

*self contained

—
Joel Esler
Mobile
 

On Sun, Feb 10, 2013 at 10:38 AM, Joel Esler <jesler () sourcefire com> wrote:

Wow.  That's pretty slow.  On Unix it takes about 10 seconds give or take.  But no, Pulledpork is sell contained 
except for a few libraries and is meant to be that way.
 

On Sun, Feb 10, 2013 at 9:57 AM, Michael Steele <michaels () winsnort com> wrote:
Problem solved. It appears that some of the Perl packages were corrupted.
 
However, does anyone have a workaround for the installation of the Signatures? I don’t know about UNIX, but on 
Windows it takes at least 30 minutes for Perl to extract.
 
Is it possible for the pulledpork.pl file to extract with a native OS extraction tool?
 
Best regards,
Michael...
 
From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Saturday, February 09, 2013 1:49 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] PulledPork not processing
 
This is the latest pull from the SVN.
 
It appears PulledPork is trying to process the rules twice. In the temp folder I’m only getting a partial transfer of 
the rules and the MD5 file.
 
 
C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -vv -T
 
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.2dev the Cigar Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2012 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Config File Variable Debug d:\winids\pulledpork\etc\pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = d:\winids\pulledpork\etc\enablesid.conf
        modifysid = d:\winids\pulledpork\etc\modifysid.conf
        rule_path = d:\winids\snort\rules\snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0x28e1e24)
        snort_version = 2.9.4.0
        sid_msg_version = 1
        sid_changelog = d:\winids\snort\log\sid_changes.log
        sid_msg = d:\winids\snort\etc\sid-msg.map
        docs = d:\winids\Apache24\htdocs\base\signatures\
        ips_policy = security
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = d:\winids\pulledpork\temp
        distro = FreeBSD-8.1
        version = 0.6.1
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = d:\winids\pulledpork\etc\disablesid.conf
        dropsid = d:\winids\pulledpork\etc\dropsid.conf
        local_rules = d:\winids\snort\rules\local.rules
'uname' is not recognized as an internal or external command,
operable program or batch file.
MISC (CLI and Autovar) Variable Debug:
        Config Path is: d:\winids\pulledpork\etc\pulledpork.conf
        Distro Def is: FreeBSD-8.1
        Docs Reference Location is: d:\winids\Apache24\htdocs\base\signatures\
        security policy specified
        local.rules path is: d:\winids\snort\rules\local.rules
        Rules file is: d:\winids\snort\rules\snort.rules
        Path to disablesid file: d:\winids\pulledpork\etc\disablesid.conf
        Path to dropsid file: d:\winids\pulledpork\etc\dropsid.conf
        Path to enablesid file: d:\winids\pulledpork\etc\enablesid.conf
        Path to modifysid file: d:\winids\pulledpork\etc\modifysid.conf
        sid changes will be logged to: d:\winids\snort\log\sid_changes.log
        sid-msg.map Output Path is: d:\winids\snort\etc\sid-msg.map
        Snort Version is: 2.9.4.0
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        Text Rules only Flag is Set
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is: 
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|991158d6f0847841cffbe085a91b7c5775ba98cf 
https://www.snort.org/reg-rules/|opensource.gz|991158d6f0847841cffbe085a91b7c5
775ba98cf
Checking latest MD5 for snortrules-snapshot-2940.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2940.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz.md5/991158d6f0847841cffbe085a91b7c5775ba98cf 
==> 200 OK (3s)
        most recent rules file digest: ae46740e802f023be681d932ef71f407
Rules tarball download of snortrules-snapshot-2940.tar.gz....
        Fetching rules file: snortrules-snapshot-2940.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 
302 Found (1s)
** GET 
https://s3.amazonaws.com/snort-org/www/rules/20121218/snortrules-snapshot-2940.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1360435268&Signature=KaoY%2B0NMB%2B%2FNnYFJTpunKaQhilw%3D
 ==>
200 OK (1s)
        storing file at: d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz
 
        current local rules file  digest: eed12b6d1e99dd34dda723167ab18f8c
        The MD5 for snortrules-snapshot-2940.tar.gz did not match the latest digest... so I am gonna fetch the latest 
rules file!
Rules tarball download of snortrules-snapshot-2940.tar.gz....
        Fetching rules file: snortrules-snapshot-2940.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 
302 Found
** GET 
https://s3.amazonaws.com/snort-org/www/rules/20121218/snortrules-snapshot-2940.tar.gz?AWSAccessKeyId=AKIAJJSHU7YNPLE5MKOQ&Expires=1360435269&Signature=2H85W57%2F7fbXw%2FEehahpjniVR0Q%3D
 ==>   0
200 OK
        storing file at: d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz
 
        current local rules file  digest: 6fb296525f90c700ff356264397e7977
        The MD5 for snortrules-snapshot-2940.tar.gz did not match the latest digest... so I am gonna fetch the latest 
rules file!
Rules tarball download of snortrules-snapshot-2940.tar.gz....
        Fetching rules file: snortrules-snapshot-2940.tar.gz
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2940.tar.gz/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 
403 Forbidden (1s)
        A 403 error occurred, please wait for the 15 minute timeout
        to expire before trying again or specify the -n runtime switch
        You may also wish to verfiy your oinkcode, tarball name, and other configuration options
 
 
 
 
I can drop the rules, and open source file into the empty temp folder and try to process offline but I’m getting:
 
C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -n -vv -T
 
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.2dev the Cigar Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2012 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Config File Variable Debug d:\winids\pulledpork\etc\pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = d:\winids\pulledpork\etc\enablesid.conf
        modifysid = d:\winids\pulledpork\etc\modifysid.conf
        rule_path = d:\winids\snort\rules\snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0x285929c)
        snort_version = 2.9.4.0
        sid_msg_version = 1
        sid_changelog = d:\winids\snort\log\sid_changes.log
        sid_msg = d:\winids\snort\etc\sid-msg.map
        docs = d:\winids\Apache24\htdocs\base\signatures\
        ips_policy = security
        config_path = /usr/local/etc/snort/snort.conf
        temp_path = d:\winids\pulledpork\temp
        distro = FreeBSD-8.1
        version = 0.6.1
        sorule_path = /usr/local/lib/snort_dynamicrules/
        disablesid = d:\winids\pulledpork\etc\disablesid.conf
        dropsid = d:\winids\pulledpork\etc\dropsid.conf
        local_rules = d:\winids\snort\rules\local.rules
'uname' is not recognized as an internal or external command,
operable program or batch file.
MISC (CLI and Autovar) Variable Debug:
        Config Path is: d:\winids\pulledpork\etc\pulledpork.conf
        Distro Def is: FreeBSD-8.1
        Docs Reference Location is: d:\winids\Apache24\htdocs\base\signatures\
        security policy specified
        local.rules path is: d:\winids\snort\rules\local.rules
        No Download Flag is Set
        Rules file is: d:\winids\snort\rules\snort.rules
        Path to disablesid file: d:\winids\pulledpork\etc\disablesid.conf
        Path to dropsid file: d:\winids\pulledpork\etc\dropsid.conf
        Path to enablesid file: d:\winids\pulledpork\etc\enablesid.conf
        Path to modifysid file: d:\winids\pulledpork\etc\modifysid.conf
        sid changes will be logged to: d:\winids\snort\log\sid_changes.log
        sid-msg.map Output Path is: d:\winids\snort\etc\sid-msg.map
        Snort Version is: 2.9.4.0
        Snort Config File: /usr/local/etc/snort/snort.conf
        Snort Path is: /usr/local/bin/snort
        Text Rules only Flag is Set
        Extra Verbose Flag is Set
        Verbose Flag is Set
        Base URL is: 
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|991158d6f0847841cffbe085a91b7c5775ba98cf 
https://www.snort.org/reg-rules/|opensource.gz|991158d6f0847841cffbe085a91b7c5
775ba98cf
Prepping rules from snortrules-snapshot-2940.tar.gz for work....
        extracting contents of d:\winids\pulledpork\temp/snortrules-snapshot-2940.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_r
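Two things in this thread are worth pinning down in code: JJ's description of a run that ends without doing anything when the published digest matches the local file (plus a "force process" override), and the refetch behaviour visible in Michael's first run, where each download produced a different local digest (a partial transfer each time) and PulledPork kept re-downloading until the server answered 403. The snippet below is an added illustration written for this archive page; it is not PulledPork's code and does not use its internals. The function names (`refresh_tarball`, `flaky_fetcher`), the `force` and `max_attempts` parameters, and the sample bytes are all constructed for the example. It generalizes the thread's case by bounding the retry loop, so a persistently truncated transfer stops after a fixed number of attempts instead of tripping the server-side rate limit.

```python
"""Digest-gated rule-tarball refresh with a bounded retry.

Hypothetical example modelled on the behaviour discussed in the thread;
this is not PulledPork's own code.
"""
import hashlib
from typing import Callable, Optional, Tuple


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a byte string. MD5 matches the .md5 sidecar files in the list output."""
    return hashlib.new(algo, data).hexdigest()


def refresh_tarball(
    published_digest: str,
    local_data: Optional[bytes],
    fetch: Callable[[], bytes],
    max_attempts: int = 3,
    force: bool = False,
    algo: str = "md5",
) -> Tuple[Optional[bytes], int, str]:
    """Decide whether to download and whether to process.

    Returns (data, download_attempts, status) where status is one of:
      "unchanged" - local copy already matches the published digest; nothing to do
      "forced"    - local copy matches, but the caller asked to process anyway
      "updated"   - a download matched the published digest
      "gave-up"   - max_attempts downloads all failed verification (e.g. partial transfers)
    """
    if local_data is not None and digest(local_data, algo) == published_digest:
        return local_data, 0, ("forced" if force else "unchanged")

    for attempt in range(1, max_attempts + 1):
        data = fetch()
        if digest(data, algo) == published_digest:
            return data, attempt, "updated"
        # Mismatch means a truncated or corrupted transfer. Try again, but only
        # up to max_attempts so a persistent failure cannot hammer the server.
    return None, max_attempts, "gave-up"


# --- constructed sample data (not a real rules snapshot) ---
SAMPLE_TARBALL = b"snortrules-snapshot-2940.tar.gz :: constructed placeholder bytes\n" * 64
SAMPLE_DIGEST = digest(SAMPLE_TARBALL)


def flaky_fetcher(good_after: int) -> Callable[[], bytes]:
    """Simulate partial transfers: calls before `good_after` return a truncated body."""
    calls = {"n": 0}

    def fetch() -> bytes:
        calls["n"] += 1
        if calls["n"] < good_after:
            return SAMPLE_TARBALL[: len(SAMPLE_TARBALL) // 2]
        return SAMPLE_TARBALL

    return fetch


def demo() -> dict:
    """Run the four scenarios the thread touches on and return their outcomes."""
    return {
        "unchanged": refresh_tarball(SAMPLE_DIGEST, SAMPLE_TARBALL, flaky_fetcher(1)),
        "forced": refresh_tarball(SAMPLE_DIGEST, SAMPLE_TARBALL, flaky_fetcher(1), force=True),
        "recovered": refresh_tarball(SAMPLE_DIGEST, None, flaky_fetcher(3), max_attempts=3),
        "gave_up": refresh_tarball(SAMPLE_DIGEST, b"stale", flaky_fetcher(5), max_attempts=2),
    }


if __name__ == "__main__":
    for name, (_, attempts, status) in demo().items():
        print(f"{name}: status={status} downloads={attempts}")
```

The "gave_up" case is the one to watch for operationally: two consecutive downloads that both fail the digest check are a signal to stop and report (bad network path, wrong tarball name, or a download that is being cut short), not to keep fetching until the server refuses.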
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!