Re: A few pulledpork questions

[Y M <snort () outlook com>]

I will try to help at the best I can

> To: snort-users () lists sourceforge net
> Date: Tue, 13 Aug 2013 11:08:18 -0600
> From: jlay () slave-tothe-box net
> Subject: [Snort-users] A few pulledpork questions
>
> Hey all,
>
> First...seeing this when I run PP:
>
> Generating Stub Rules....
>          An error occurred: WARNING: threshold.conf(26) threshold 
> (standalone) is deprecated; use event_filter instead.
>
> which is:
> threshold gen_id 138, sig_id 1000, type limit, track by_src, count 1, 
> seconds 60
>
>  From the readme.thresholding:
> THRESHOLD EXAMPLES:
> ------------------
> # Rule Threshold - Limit to logging 1 event per 60 seconds
> threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, 
> seconds 60
>
> Why is the error occurring?  What can I do to troubleshot this?

"Threshold" keyword is/will be deprecated. If you read the line right above the table in section "2.4.2.1 Format" at 
http://manual.snort.org/node19.html, it says that threshold will be deprecated. Use event_filter instead. The table 
gives good usage explanation.

> Second...
>
> I've made a special snort.conf that has ALL rules, so I can get all the 
> rules, but then enable/disable the ones I want within different configs. 
> I have this in the config:
>
> var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules
> include $PREPROC_RULE_PATH/preprocessor.rules
> include $PREPROC_RULE_PATH/decoder.rules
>
> Yet these rules have never updated
> in the preproc_rules dir:
> -rw------- 1  18748 2011-09-07 14:47 decoder.rules
> -rw------- 1  36577 2011-09-07 14:47 preprocessor.rules
> -rw------- 1   1309 2011-09-07 14:47 sensitive-data.rules
>
> in latest snort rules:
> -rw-r--r-- 1  19685 2013-08-07 13:34 decoder.rules
> -rw-r--r-- 1  41474 2013-08-07 13:34 preprocessor.rules
> -rw-r--r-- 1   1309 2013-08-07 13:34 sensitive-data.rules
>
> Why?  What can I do to troubleshoot this?
These should be in the generated snort.conf after running pulledpork. Someone correct me please if I am missing 
something here.
> Third...
>
> I'm running:
>
> PulledPork v0.6.1 the Smoking Pig <////~
>
> Yet, if I comment out in pulledpork.conf:
> version=0.6.0
> or change it to
> version=0.6.1
> I get
>
> You are not using the current version of pulledpork.conf!
> Please use the version that shipped with PulledPork v0.6.1 the Smoking 
> Pig <////~!
>
> Why must my pulledpork.conf have 0.6.0 as the version?
No clue. Haven't tried to miss with that :)
> Finally...
>
> I see
>
> Use of uninitialized value within %hcategory in numeric eq (==) at 
> /opt/bin/pulledpork.pl line 1055.
>
> What can I do to troubleshoot this?  Thank you for any help you can 
> bring...sorry it's a long email.
Again, no clue why, I have never seen it in our environment but I'm feeling that I have seen before, not sure where.
> James
>
> ------------------------------------------------------------------------------
> Get 100% visibility into Java/.NET code with AppDynamics Lite!
> It's a free troubleshooting tool designed for production.
> Get down to code-level detail for bottlenecks, with <2% overhead. 
> Download for free and get started troubleshooting in minutes. 
> http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead. 
Download for free and get started troubleshooting in minutes. 
http://pubads.g.doubleclick.net/gampad/clk?id=48897031&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!