Snort mailing list archives

Help with Pulledpork


From: Nicolas Greneche <nicolas.greneche () univ-paris13 fr>
Date: Tue, 22 Apr 2014 14:10:39 +0200

Hi,

I'm a newcomer to Snort and I am trying to configure Pulledpork.

I placed my rules in /usr/local/snortrules.

I created the directory owned by user snort (who runs snort and 
pulledpork). I subscribed to commercial VRT.

I created a test directory /usr/local/snortrules2 to test automatic 
update via pulledpork. This directory is also owned by snort.

Here is my pulledpork.conf:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myoinkcode
rule_url=https://www.snort.org/reg-rules/|opensource.gz|myoinkcode
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/snortrules2/rules/snort.rules
out_path=/usr/local/snortrules2/rules/
local_rules=/usr/local/snortrules2rules/local.rules
sid_msg=/usr/local/snortrules2/sid-msg.map
sid_msg_version=2
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/snort/lib/snort_dynamicrules/
snort_path=/usr/local/snort/bin/snort
config_path=/usr/local/snort/etc/snort.conf
distro=Debian-6-0
snort_control=/usr/local/snort/bin/snort_control
pid_path=/var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
version=0.7.0

And when I run it (with debug):

# su snort -c '/usr/local/pulledpork/pulledpork.pl -Hnvc 
/usr/local/pulledpork/etc/pulledpork.conf'

     http://code.google.com/p/pulledpork/
       _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.7.0 - Swine Flu!
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
   @_/        /  66\_  cummingsj () gmail com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /usr/local/pulledpork/etc/pulledpork.conf
        snort_path = /usr/local/snort/bin/snort
        pid_path = /var/run/snort_eth1.pid,/var/run/barnyard2_eth1.pid
        rule_path = /usr/local/snortrules2/rules/snort.rules
        ignore = deleted.rules,experimental.rules,local.rules
        snort_control = /usr/local/snort/bin/snort_control
        rule_url = ARRAY(0x1aa6fd8)
        sid_msg_version = 2
        sid_changelog = /var/log/snort/sid_changes.log
        sid_msg = /usr/local/snortrules2/sid-msg.map
        config_path = /usr/local/snort/etc/snort.conf
        temp_path = /tmp
        distro = Debian-6-0
        sorule_path = /usr/local/snort/lib/snort_dynamicrules/
        version = 0.7.0
        out_path = /usr/local/snortrules2/rules/
        local_rules = /usr/local/snortrules2rules/local.rules
MISC (CLI and Autovar) Variable Debug:
        arch Def is: x86-64
        Config Path is: /usr/local/pulledpork/etc/pulledpork.conf
        Distro Def is: Debian-6-0
        Disabled policy specified
        local.rules path is: /usr/local/snortrules2rules/local.rules
        No Download Flag is Set
        Rules file is: /usr/local/snortrules2/rules/snort.rules
        sid changes will be logged to: /var/log/snort/sid_changes.log
        sid-msg.map Output Path is: /usr/local/snortrules2/sid-msg.map
        SIGHUP Flag is Set
        Snort Version is: 2.9.6.0
        Snort Config File: /usr/local/snort/etc/snort.conf
        Snort Path is: /usr/local/snort/bin/snort
        SO Output Path is: /usr/local/snort/lib/snort_dynamicrules/
        Will process SO rules
        Verbose Flag is Set
        Base URL is: 
https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myoinkcode 
https://www.snort.org/reg-rules/|opensource.gz|myoinkcode
Prepping rules from snortrules-snapshot-2960.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2960.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
         [...]
Prepping rules from snortrules-snapshot-2960.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2960.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
         [...]
Cleanup....
        removed 119 temporary snort files or directories from /tmp/tha_rules!
Fly Piggy Fly!

And my /usr/local/snortrules2/ remains empty.

Any ideas?

Regards,

-- 
Nicolas Grenèche

URL : http://blog.etcshadow.fr
Tel : 01 49 40 40 35
Fax : 01 48 22 81 50
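An added example, not taken from the post above and not part of the PulledPork project: a small Python checker that parses a pulledpork.conf laid out like the one in the post and reports output locations whose directory does not exist or is not writable by the account that runs pulledpork.pl (here, the snort user). PulledPork writes rule_path, sid_msg, local_rules and out_path itself but does not create missing parent directories, so a mistyped path silently produces nothing. The parser, the key lists, the FAKE_DIRS set and the injectable isdir/writable callbacks are assumptions made for illustration; the sample config is constructed from the values in the post. Separately, the debug output shows "No Download Flag is Set", which is what -n in -Hnvc means: nothing is fetched, and only a snapshot already present in temp_path is processed.

```python
"""Sanity-check a pulledpork.conf before running pulledpork.pl.

Added example; not from the mailing-list post and not PulledPork code.
Assumptions: the config is plain key=value lines, lines starting with '#'
are comments, and a repeated key (rule_url) accumulates into a list.
"""
import os

# Keys whose value is a file pulledpork writes: the parent directory must
# already exist and be writable by the user running pulledpork.pl.
OUTPUT_FILE_KEYS = ("rule_path", "local_rules", "sid_msg", "sid_changelog")
# Keys whose value is a directory pulledpork writes into.
OUTPUT_DIR_KEYS = ("out_path", "sorule_path", "temp_path")

# Constructed sample: the config from the post (oinkcode is a placeholder).
SAMPLE_CONF = """\
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|myoinkcode
rule_url=https://www.snort.org/reg-rules/|opensource.gz|myoinkcode
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/snortrules2/rules/snort.rules
out_path=/usr/local/snortrules2/rules/
local_rules=/usr/local/snortrules2rules/local.rules
sid_msg=/usr/local/snortrules2/sid-msg.map
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/snort/lib/snort_dynamicrules/
"""

# Constructed stand-in for the filesystem so the check runs offline.
FAKE_DIRS = {
    "/tmp",
    "/usr/local/snortrules2",
    "/usr/local/snortrules2/rules",
    "/var/log/snort",
    "/usr/local/snort/lib/snort_dynamicrules",
}


def parse_pulledpork_conf(text):
    """Parse key=value lines into a dict; a repeated key becomes a list."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in conf:
            previous = conf[key]
            conf[key] = (previous if isinstance(previous, list) else [previous]) + [value]
        else:
            conf[key] = value
    return conf


def _norm(path):
    """Drop a trailing slash so '/a/b/' and '/a/b' compare equal."""
    return path.rstrip("/") or "/"


def check_output_paths(conf, isdir=os.path.isdir,
                       writable=lambda p: os.access(p, os.W_OK)):
    """Return a list of problems with the locations pulledpork must write.

    isdir and writable are injectable so the check can be exercised against
    a constructed config without touching the real filesystem.
    """
    problems = []
    for key in OUTPUT_FILE_KEYS:
        value = conf.get(key)
        if value is None:
            continue
        parent = os.path.dirname(_norm(value)) or "/"
        if not isdir(parent):
            problems.append(f"{key}: parent directory {parent} does not exist")
        elif not writable(parent):
            problems.append(f"{key}: parent directory {parent} is not writable")
    for key in OUTPUT_DIR_KEYS:
        value = conf.get(key)
        if value is None:
            continue
        directory = _norm(value)
        if not isdir(directory):
            problems.append(f"{key}: directory {directory} does not exist")
        elif not writable(directory):
            problems.append(f"{key}: directory {directory} is not writable")
    return problems


def check_sample():
    """Run the checker over the constructed sample against FAKE_DIRS."""
    conf = parse_pulledpork_conf(SAMPLE_CONF)
    return check_output_paths(conf,
                              isdir=lambda p: _norm(p) in FAKE_DIRS,
                              writable=lambda p: True)


if __name__ == "__main__":
    # Against the real filesystem: check_output_paths(parse_pulledpork_conf(
    #   open("/usr/local/pulledpork/etc/pulledpork.conf").read()))
    for problem in check_sample():
        print(problem)
```

Run as the same user that runs pulledpork.pl (su snort -c ...) so the writability test reflects the account that actually writes the rules; a directory that exists but belongs to root is reported as not writable rather than as missing.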

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!