Re: Pulledpork doesn't disable some rules

["C. L. Martinez" <carlopmart () gmail com>]

On Fri, Apr 11, 2014 at 5:53 AM, C. L. Martinez <carlopmart () gmail com> wrote:
> Hi all,
>
>  I have a strange problem with pulledpork 0.7.0. Under my
> disablesid.conf file, I have configured only two rules that needs be
> disabled:
>
> # Disable alert "ET MALWARE Simbar Spyware User-Agent Detected"
> 1:2009005
>
> # Disable alert "ET POLICY Vulnerable Java Version 1.6.x Detected"
> 1:2011582
>
> For rule 2009005, pulledpork works as expected, it is disabled when
> pulledpork, but for rule 2011582 it doesn't works. Always left
> enabled.
>
>  Running pulledprok from command line, it seems all works:
>
>  Use of uninitialized value $Snort_path in -B at
> /usr/local/bin/pulledpork.pl line 1630.
>
>     http://code.google.com/p/pulledpork/
>       _____ ____
>      `----,\    )
>       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
>        `--==\\/
>      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
>   @_/        /  66\_  cummingsj () gmail com
>     |    \   \   _(")
>      \   /-| ||'--'  Rules give me wings!
>       \_\  \_\\
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Use of uninitialized value $Snort in pattern match (m//) at
> /usr/local/bin/pulledpork.pl line 1827.
> Use of uninitialized value $Snort in pattern match (m//) at
> /usr/local/bin/pulledpork.pl line 1831.
> Checking latest MD5 for emerging.rules.tar.gz....
> Rules tarball download of emerging.rules.tar.gz....
>         They Match
>         Done!
> Prepping rules from emerging.rules.tar.gz for work....
> Use of uninitialized value $ignore in split at
> /usr/local/bin/pulledpork.pl line 230.
>         Done!
> Reading rules...
> Reading rules...
> Processing /data/config/etc/idpsuricata02/pulledpork/disablesid.conf....
>         Modified 2 rules
>         Done
> Setting Flowbit State....
>         Enabled 39 flowbits
>         Done
> Writing rules to unique destination files....
>         Writing rules to /data/config/etc/idpsuricata02/rules/
>         Done
> Generating sid-msg.map....
>         Done
> Writing v1 /data/config/etc/idpsuricata02/sid-msg.map....
>         Done
> Fly Piggy Fly!
>
> As you can see pulledpork reads my disablesid.conf and tries to
> disable both rules, but this never happens for rule 2011582.
>
> Any idea??
>
> Thanks.

Please, any idea about this??

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!