Snort mailing list archives
Re: Pulledpork not generating merged rules file on Windows
From: William Dou <liam.dou () gmail com>
Date: Tue, 30 Jul 2013 16:31:52 -0400
Apologies for the lack of an update; things got busy and other projects sidetracked this one. So the day after the last entry, I decided to try the update again, this time without the -n runtime, even though it gets a 403 error every time (and I always waited longer than 15 min). This time it successfully fetched the rule files, processed everything, and actually created a merged rules file (it took around 30 minutes, which is normal). So why didn't the -n runtime work and create merged rules, even when I fetched the right files with the right md5 and placed them in the temp folder? Does "-n" just not work that way?

On Wed, Jul 24, 2013 at 12:29 PM, William Dou <liam.dou () gmail com> wrote:
I can't see it being a permissions issue, since I have admin privileges and the program is run under admin. Not only that, I imagine a permissions issue would have prevented pulledpork from creating the "tha_rules" folder under the temp folder and also from extracting the rules there. As I mentioned, my server seems to be having a problem downloading the actual files (but not the checksum), so I downloaded them manually, from the address that the console shows it is attempting to download from (somewhere on snort.org). Then I placed them into the temp folder, where it is trying to download to. I then checked their checksum and ran pulledpork with the offline modifier "-n". I can see as it happens that pulledpork creates a "tha_rules" folder in the temp folder (and a bunch of rules inside it), but it doesn't create a merged rules file in the snort\rules folder. Perhaps I've misunderstood how the -n runtime is supposed to work?

ps. Please don't spend your time taking any action on this on my behalf currently (aside from maybe pointing out if I've misunderstood the -n runtime). I wrote this reply yesterday but didn't get around to proofreading and sending it out. I *may* have a positive update coming later today.

pps. And thanks to Michael for all the work and help you've put into this.

On Mon, Jul 22, 2013 at 9:26 PM, Michael Steele <michaels () winsnort com> wrote:

I finally got around to updating the online guided install for the latest PulledPork 0.7.0, and tested. The configuration he is using works fine here. The only difference is that I'm using drive 'D:' and he is using drive 'C:'. It has something to do with his folder permissions, proxy, or ???? Try changing the temp folder location to c:\windows\temp. Are you absolutely SURE the rules tarball has actually been downloaded to the temp folder? If you are trying multiple PP runs for testing, make SURE you clean the temp folder before each run.

Just for clarification: in between rule updates, will PP process the *.msg.map files, even if PP doesn't need to process any new rules tarballs?

Best regards, Michael...
WINSNORT.com Management...
--
****************** Established ~ 2001 *******************
* Visit Us @ http://www.winsnort.com *
* ~~ FREE WinIDS Snort installation guides ~~ *
* ~~ FREE support forums ~~ *
* Snort: Open Source Network IDS - http://www.snort.org *
*********************************************************

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Monday, July 22, 2013 3:56 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Pulledpork not generating merged rules file on Windows

On 7/22/2013 15:34, William Rehnquyst wrote:
[trim]
Config File Variable Debug c:\winids\pulledpork\etc\pulledpork.conf
local_rules = c:\winids\snort\rules\local.rules
dropsid = c:\winids\pulledpork\etc\dropsid.conf
sid_msg_version = 1
enablesid = c:\winids\pulledpork\etc\enablesid.conf
ignore = deleted.rules,experimental.rules,local.rules
modifysid = c:\winids\pulledpork\etc\modifysid.conf
docs = c:\winids\inetpub\wwwroot\base\signatures\
config_path = c:\winids\snort\etc\snort.conf
disablesid = c:\winids\pulledpork\etc\disablesid.conf
sorule_path = /usr/local/lib/snort_dynamicrules/
sid_msg = c:\winids\snort\etc\sid-msg.map
sid_changelog = c:\winids\snort\log\sid_changes.log
snort_version = 2.9.4.6
version = 0.7.0
temp_path = c:\winids\pulledpork\temp
rule_url = ARRAY(0x2808a5c)
ips_policy = security
rule_path = c:\winids\snort\rules\winids.rules
distro = FreeBSD-8.1

you are on windows but this says differently... perhaps it is the cause? PP may be looking for something from that OS that doesn't exist or is named differently in winwhatever ;)

snort_path = c:\winids\snort\bin\snort.exe
MISC (CLI and Autovar) Variable Debug:
Config Path is: c:\winids\pulledpork\etc\pulledpork.conf
Distro Def is: FreeBSD-8.1

and here it shows again...

Docs Reference Location is: c:\winids\inetpub\wwwroot\base\signatures\
security policy specified
local.rules path is: c:\winids\snort\rules\local.rules
No Download Flag is Set
Rules file is: c:\winids\snort\rules\winids.rules
Path to disablesid file: c:\winids\pulledpork\etc\disablesid.conf
Path to dropsid file: c:\winids\pulledpork\etc\dropsid.conf
Path to enablesid file: c:\winids\pulledpork\etc\enablesid.conf
Path to modifysid file: c:\winids\pulledpork\etc\modifysid.conf
[chomp]

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
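The offline workaround discussed in this thread (fetch the rules tarball and its .md5 file by hand, drop both into temp_path, confirm the checksum, then run PulledPork with -n) stands or falls on the checksum step. The following Python script is an added example, not part of the thread and not PulledPork's own code; it checks that both files are present in the temp folder and that the tarball's MD5 matches the digest in the .md5 file. It assumes the .md5 file carries the digest as a 32-hex-digit string (possibly with a filename around it, the exact layout is not shown on the page), and the file names and contents in demo() are constructed for the example only.

```python
"""Verify a manually placed PulledPork rules tarball against its .md5 file.

Added example for the offline (-n) workflow described in the thread; it is
not PulledPork's own code and makes no claim about how PulledPork itself
parses the .md5 file.
"""
import hashlib
import os
import re
import tempfile

# Assumption: the .md5 file contains the digest as one 32-hex-digit token.
HEX_MD5 = re.compile(r"\b([0-9a-fA-F]{32})\b")


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def expected_md5(md5_path):
    """Pull the digest out of the .md5 file regardless of surrounding layout."""
    with open(md5_path, "r", encoding="ascii", errors="replace") as f:
        match = HEX_MD5.search(f.read())
    if not match:
        raise ValueError(f"no MD5 digest found in {md5_path}")
    return match.group(1).lower()


def verify_tarball(temp_dir, tarball_name):
    """Return (ok, reason) for the tarball and its .md5 sidecar in temp_dir."""
    tarball = os.path.join(temp_dir, tarball_name)
    md5file = tarball + ".md5"
    if not os.path.isfile(tarball):
        return (False, "tarball missing from temp folder")
    if not os.path.isfile(md5file):
        return (False, ".md5 file missing from temp folder")
    actual = md5_of_file(tarball)
    expected = expected_md5(md5file)
    if actual != expected:
        return (False, f"md5 mismatch: expected {expected}, got {actual}")
    return (True, "ok")


def demo():
    """Constructed sample: a fake tarball plus its .md5 in a throwaway directory.

    Returns the verification result for the intact file and for a corrupted copy.
    """
    with tempfile.TemporaryDirectory() as tmp:
        name = "snortrules-snapshot-EXAMPLE.tar.gz"  # placeholder name, not a real release
        data = b"constructed sample bytes, not a real rules tarball\n"
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
        with open(os.path.join(tmp, name + ".md5"), "w") as f:
            # one plausible sidecar layout: "MD5(<name>)= <digest>"
            f.write(f"MD5({name})= {hashlib.md5(data).hexdigest()}\n")
        good = verify_tarball(tmp, name)
        # Truncated or corrupted downloads are the usual failure: append a byte and recheck.
        with open(os.path.join(tmp, name), "ab") as f:
            f.write(b"x")
        bad = verify_tarball(tmp, name)
    return good, bad


if __name__ == "__main__":
    intact, corrupted = demo()
    print("intact tarball:   ", intact)
    print("corrupted tarball:", corrupted)
```

For a real run, call verify_tarball() with the temp_path from pulledpork.conf (c:\winids\pulledpork\temp in the thread's config dump) and the tarball name PulledPork printed while trying to download, and only start the -n run once it reports ok; a mismatch usually means a truncated or proxy-mangled download rather than a PulledPork problem.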