Snort mailing list archives

Re: Problem Updating Rules with PulledPork


From: "Michael Steele" <michaels () winsnort com>
Date: Tue, 24 Sep 2013 22:08:29 -0400

Yes, don’t edit the actual rules file/s, as they won’t survive a rules update with PulledPork. Use the conf files 
located in the pulledpork\etc folder to manipulate the rules. They will survive a rule update.

 

Join the pulledpork user group.

 

Best regards,

Michael...

 

WINSNORT.com Management…

--

****************** Established ~ 2001 *******************

*          Visit Us @ http://www.winsnort.com           *

*      ~~ FREE WinIDS Snort installation guides ~~      *

*               ~~ FREE support forums ~~               *

* Snort: Open Source Network IDS - http://www.snort.org *

*********************************************************

 

From: Benjamin Lincoln [mailto:BLincoln () bannerbank com] 
Sent: Tuesday, September 24, 2013 7:42 PM
To: 'Michael Steele'
Subject: RE: [Snort-users] Problem Updating Rules with PulledPork

 

I got everything working now with your help, thanks. I just had one more question: I am trying to disable some of the 
rules that I don’t need in the servers-other set. When I use pulled pork to update, it re-enables all the rules. Is 
there a way to set pulled pork to leave the rules disabled when updating?

 

Ben Lincoln

 

From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Thursday, September 19, 2013 9:03 AM
To: 'JJ Cummings'; Benjamin Lincoln
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Problem Updating Rules with PulledPork

 

I use Strawberry Perl in all my Windows Intrusion Detection System (WinIDS) guided installs, and it appears Strawberry 
Perl adds and removes Perl distribution packages with every new release. The root cause of the OP’s problem is most 
likely a missing Perl distribution package, or an incompatible Perl distribution package.

 

There is NO list of required Perl distribution packages with minimum version numbers available for PulledPork. There 
are around 300 default Perl distribution packages installed for each release of Strawberry Perl. Perl distribution 
packages get removed, and Perl distribution packages get updated with each release of Strawberry Perl. As you can see, 
this will cause a problem if there is no list of required Perl distribution packages with minimum version numbers 
posted for PulledPork.

 

For all my Windows Intrusion Detection System (WinIDS) guided installs, Strawberry Perl version 5.14.2.1 (32 and 64bit) 
is installed fresh. The only other additional Perl distribution package required to make PulledPork work is the Perl 
syslog distribution package. If I use any newer version of Strawberry Perl on a fresh installation, PulledPork will 
fail. This is because the Strawberry Perl default Perl distribution packages for that version have changed.

 

The solution for out of the box compatibility for Windows users is to use Strawberry Perl 5.14.2.1 along with 
installing the syslog distribution package. I don’t install PulledPork into the initial Windows Intrusion Detection 
System (WinIDS) guided install. However, there is a Windows Intrusion Detection System (WinIDS) guided install for 
adding PulledPork into an existing Windows Intrusion Detection System (WinIDS), which has all the links to the 
required files.

 

This is untested: It might be possible to use Strawberry Perl 5.14.2.1 for the initial install, and then update to the 
latest version. It would be a good idea to verify PulledPork is fully working under Strawberry Perl 5.14.2.1 before 
updating.

 

Hope this helps…

 

Best regards,

Michael...

 

WINSNORT.com Management…


 

From: Michael Steele [mailto:michaels () winsnort com] 
Sent: Wednesday, September 18, 2013 4:52 PM
To: 'JJ Cummings'; 'Benjamin Lincoln'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Problem Updating Rules with PulledPork

 

You understand if you are not paying for rule updates that you can only download or try the download once every 15 
minutes. Even if the rule update fails, you must wait 15 minutes.

 

Clear the assigned PulledPork temp folder and give it another try. You can also assign the PulledPork temp to the 
c:\windows\temp folder. Could be a permission problem? 

 

Best regards,

Michael...

 

WINSNORT.com Management…


 

From: JJ Cummings [mailto:cummingsj () gmail com] 
Sent: Wednesday, September 18, 2013 1:14 PM
To: Benjamin Lincoln
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem Updating Rules with PulledPork

 

Something is causing the download to not complete correctly....

Sent from the iRoad


On Sep 18, 2013, at 10:46, Benjamin Lincoln <BLincoln () bannerbank com> wrote:

Hello,

 

I am currently running Snort 2.9.5.5 and Pulled Pork 0.7.0 on Windows 2008R2. When using pulled pork to update the 
rules, it will just keep trying to download new rules over and over again. I see the rule file getting created in the 
tmp directory, and it will grow to 18 kb, but then shrink back down to 8 kb after pulled pork tries to grab the file 
again. Basically, it will just keep saying the MD5 doesn’t match and try to keep re-downloading the file. Any ideas on 
this?

 

 
