Snort mailing list archives

Re: Is there something about pulledpork 0.7.0 I'm not getting?


From: Y M <snort () outlook com>
Date: Sun, 26 Jan 2014 07:42:41 +0000

Hi Tony,
Did you try adding the -P to the PulledPork command? I am guessing that since the second run of PulledPork does not 
download "new" rules, it does not process the existing download from the first run. The -P will ensure to force 
processing the existing tarball.
Thanks.
YM

Date: Sun, 26 Jan 2014 02:31:19 -0500
From: deusexmachina667 () gmail com
To: snort-users () lists sourceforge net
Subject: [Snort-users] Is there something about pulledpork 0.7.0 I'm not getting?

So I'll admit, I'm a little bit late to the party. I hadn't realized
that pulled pork was updated nearly four months ago. Better late than
never, I guess.
 
In any case, as a part of a side project of mine that I've talked
about on here before, I'm trying to integrate the newest version of
pulled pork into my scripts and I'm running into a strange issue.
 
I have a script that calls pulledpork twice. The first time it calls
pulledpork with the -g or "grab only" option to just pull down the
rule files, and that's it. My script then unpacks the tarball and
copies everything out of "etc" from the snortrules-snapshot file
downloaded to where snort is installed and expects to find it. My
script then runs pulledpork again with the -S option, the -c option
(to my pulledpork.conf file), the -T option (text rules only) and the
-n option, telling it that all the files it should need to do its job
should be on the box already; don't try to download any files from the
net.
 
The problem I'm running into is that running pulledpork.pl the second
time around appears to do absolutely nothing. Running pulledpork in
extra verbose mode seems to indicate that it unpacks the rules, then
deletes them; it doesn't create a snort.rules file, so_rules.rules file,
sid-msg.map file, or configure rules for a certain rule policy set
(e.g. "Security over Connectivity").
 
Alternatively, if I run pulledpork without the -n option, everything
just works the way I'm expecting it to -- snort.rules gets made,
sid-msg.map gets created, and all is well with the universe.
 
I've attached a copy of the pulledpork.conf I've used. It's stripped
down, but it works.
 
It almost feels like if you use the grab-only option, or if there is a
snortrules-snapshot file in the working directory for pulledpork (/tmp
in my case) that pulledpork does nothing.
 
I've attached the output from the following command:
 
perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
2.9.5.6 -T -vv
 
"Run pulledpork, use my config file I provided. Download rules for
Snort 2.9.5.6, process text rules only, print all debug information."
 
..as the file "output1.txt" -- I figured attachments would probably be
better than spewing output all over the mailing list, using the exact
pulledpork config above. Everything works as expected. Tarballs are
pulled down, rules are processed, all is well with the world.
 
I also ran the following command:
 
perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
2.9.5.6 -g -vv
 
"Run pulledpork, use my config file I provided. Download rules for
Snort 2.9.5.6. Don't do any further processing. Print all debug info."
 
..as the file "output2.txt" -- This command seems to run as expected,
but according to verbose mode, it extracts all the rules, then removes
the files. It still results in the tarballs being downloaded and left in
/tmp to work with.
 
perl pulledpork.pl -c /usr/src/pulledpork-*/etc/pulledpork.conf -S
2.9.5.6 -T -n -vv
 
"Run pulledpork, use the config file I provided. Don't download
anything, but process rules for Snort 2.9.5.6, text rules only. Print
all debug info."
 
..as the file "output3.txt" -- This command doesn't seem to work at
all. It appears to extract the rule tarball twice then just bails out,
without processing any of the rules. So pulledpork knows the tarball
is in the working directory, extracts it, but does no rule processing
with it.
So... my work-around for now is to just download and process the rules
up front, in one go, with the first command I ran. The rule tarball is
still there for me to do my thing with after pulledpork processes the
rules how I want it to.
 
That's fine for me, but what about offline users who can't download
the rule tarball from the internet, and have to sneakernet the tarball
to the system they're running snort on (e.g. airgapped networks)?
Would this be considered a bug, or working as intended?
 
Thank you for your insight in advance.
 
-- 
when does reality end? when does fantasy begin?

------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
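The two-pass workflow from the question (fetch the snapshot tarball, copy its etc/ files into the Snort config directory, then process the tarball offline with -n), with -P added as YM suggests so the second pass does not skip an already-present tarball, as an added shell example that is neither code from this thread nor from the pulledpork project. The pulledpork.pl location, config path, working directory and Snort config directory are placeholder arguments; the snapshot file name is derived from the -S version with the dots removed (2.9.5.6 -> snortrules-snapshot-2956.tar.gz).

```shell
#!/bin/sh
# Offline (sneakernet) staging helper for pulledpork 0.7.0.
# Added example; not code from the thread or the pulledpork project.
# Assumed placeholders: pulledpork.pl is on the PATH of the caller,
# and workdir / snort_etc / conf are supplied by the caller.
set -eu

# pulledpork looks for the snapshot named after the -S version with
# the dots stripped: -S 2.9.5.6 -> snortrules-snapshot-2956.tar.gz
snapshot_name() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Sanity-check a hand-carried tarball before pulledpork sees it:
# must be a readable gzip tarball with top-level etc/ and rules/ trees.
check_tarball() {
    tb=$1
    [ -f "$tb" ] || { echo "missing: $tb" >&2; return 1; }
    tar -tzf "$tb" >/dev/null 2>&1 || { echo "not a tar.gz: $tb" >&2; return 1; }
    tar -tzf "$tb" | grep -q '^etc/' || { echo "no etc/ in $tb" >&2; return 1; }
    tar -tzf "$tb" | grep -q '^rules/' || { echo "no rules/ in $tb" >&2; return 1; }
    return 0
}

# The second-pass command from the thread (-T -n), plus -P so pulledpork
# processes the tarball already in the working dir instead of bailing out.
pulledpork_offline_cmd() {
    # $1 = Snort version, $2 = pulledpork.conf path
    printf 'perl pulledpork.pl -c %s -S %s -T -n -P -vv\n' "$2" "$1"
}

# Stage: drop the tarball into the working dir under the expected name,
# unpack etc/ (sid-msg.map, classification.config, ...) into the Snort
# config dir, and return the command line for the offline second pass.
stage_and_process() {
    ver=$1; src=$2; workdir=$3; snort_etc=$4; conf=$5
    check_tarball "$src"
    mkdir -p "$workdir" "$snort_etc"
    cp "$src" "$workdir/$(snapshot_name "$ver")"
    tar -xzf "$src" -C "$snort_etc" --strip-components=1 etc
    pulledpork_offline_cmd "$ver" "$conf"
}
```

Run the printed command on the offline sensor from the directory holding the staged tarball; the -vv output should then show rule processing rather than an extract-and-delete with no snort.rules written.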