Snort mailing list archives

Re: Strange events happening after installing PulledPork


From: "Michael Steele" <michaels () winsnort com>
Date: Tue, 28 Apr 2015 15:03:03 -0400

Here is a new run. It looks like the file in question is getting created. However, there are a couple of errors above the creation of the file. The file is getting a new creation date.

Barnyard2 .conf:

config sid_file:            d:\winids\snort\etc\sid-msg.map

Is there a way to verify the correct file is being written?

C:\Users\Operator>perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T -nP

    http://code.google.com/p/pulledpork/

      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'uname' is not recognized as an internal or external command,
operable program or batch file.
Prepping rules from snortrules-snapshot-2972.tar.gz for work....
No such file in archive: 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
        Done!
Prepping rules from snortrules-snapshot-2972.tar.gz for work....
No such file in archive: 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 292
        Done!
Reading rules...
readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 558.
readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 558.
readline() on closed filehandle DATA at d:\winids\pulledpork\pulledpork.pl line 558.
Activating security rulesets....
        Done
Modifying Sids....
        Done!
Processing d:\winids\pulledpork\etc\enablesid.conf....
        Modified 0 rules
        Done
Processing d:\winids\pulledpork\etc\dropsid.conf....
        Modified 0 rules
        Done
Processing d:\winids\pulledpork\etc\disablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 775 flowbits
        Enabled 25 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
Writing d:\winids\snort\rules\winids.rules....
        Done
Generating sid-msg.map....
        Done
Writing v1 d:\winids\snort\etc\sid-msg.map....
        Done
Writing d:\winids\snort\log\sid_changes.log....
        Done
Rule Stats...
        New:-------24101
        Deleted:---0
        Enabled Rules:----9365
        Dropped Rules:----0
        Disabled Rules:---14736
        Total Rules:------24101
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!
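
The question above is how to verify that the sid-msg.map barnyard2 reads is the one PulledPork writes. The script below is an added example for this thread, not code from PulledPork or barnyard2: it parses a sid-msg.map in the v1 layout PulledPork reports writing above (`sid || msg || ref ...`, gid implicitly 1) and in the `#v2` layout (`gid || sid || rev || classification || priority || msg || ref ...`), then cross-checks a set of alert lines against it. The `Snort Alert [gid:sid:rev]` text seen in the quoted alerts is the fallback message barnyard2 emits when it has no map entry for that event, so the script also counts those placeholders separately, since they describe the map barnyard2 loaded when it started, which may differ from the file now on disk. The map entries, their sids (local-range 1000001 and 1000002) and the last alert line are constructed for the example; the first five alert lines are the ones quoted in the thread.

```python
"""Cross-check Snort/barnyard2 alert lines against a sid-msg.map.

Added example for the snort-users thread; not PulledPork or barnyard2 code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fast-alert header: "[**] [gid:sid:rev] <message> [**]"
ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Fallback message barnyard2 prints when the sid is missing from its map.
PLACEHOLDER_RE = re.compile(r"^Snort Alert \[\d+:\d+:\d+\]$")

# Constructed sample in the v1 layout: "sid || msg || ref || ref ..." (gid is 1).
SAMPLE_SID_MSG_MAP_V1 = """\
# constructed sample; sids and messages are illustrative only
1000001 || Constructed test rule one || url,example.invalid/one
1000002 || Constructed test rule two
"""

# Same first entry in the v2 layout:
# "gid || sid || rev || classification || priority || msg || ref ..."
SAMPLE_SID_MSG_MAP_V2 = """\
#v2
1 || 1000001 || 3 || misc-activity || 3 || Constructed test rule one || url,example.invalid/one
"""

# First five lines are quoted from the thread; the last is constructed and is mapped.
SAMPLE_ALERTS: List[str] = [
    "04/28-00:11:04.389178  [**] [1:1620:6] Snort Alert [1:1620:6] [**]",
    "04/28-00:11:04.758601  [**] [1:1620:6] Snort Alert [1:1620:6] [**]",
    "04/28-00:11:04.781636  [**] [1:1620:6] Snort Alert [1:1620:6] [**] "
    "[Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] "
    "{UDP} 192.168.0.2:57503 -> 239.255.255.250:1900",
    "04/28-00:11:05.758296  [**] [1:1620:6] Snort Alert [1:1620:6] [**]",
    "04/28-00:11:06.192448  [**] [1:1620:6] Snort Alert [1:1620:6] [**] "
    "[Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] "
    "{UDP} 192.168.0.2:55549 -> 192.168.0.255:32412",
    "04/28-00:12:00.000000  [**] [1:1000001:3] Constructed test rule one [**]",
]


def parse_sid_msg_map(text: str) -> Dict[Tuple[int, int], str]:
    """Return {(gid, sid): msg} from v1 or v2 sid-msg.map text."""
    mapping: Dict[Tuple[int, int], str] = {}
    v2 = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            v2 = v2 or line.lower().startswith("#v2")  # header switches layout
            continue
        fields = [f.strip() for f in line.split("||")]
        try:
            if v2:
                if len(fields) < 6:
                    continue  # malformed v2 line: too few fields
                gid, sid, msg = int(fields[0]), int(fields[1]), fields[5]
            else:
                if len(fields) < 2:
                    continue  # malformed v1 line: no message
                gid, sid, msg = 1, int(fields[0]), fields[1]
        except ValueError:
            continue  # non-numeric gid/sid; skip rather than abort
        mapping[(gid, sid)] = msg
    return mapping


def parse_alert(line: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (gid, sid, rev, msg) for a fast-alert line, or None if it is not one."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, msg = m.groups()
    return int(gid), int(sid), int(rev), msg


def is_placeholder_msg(msg: str) -> bool:
    """True when barnyard2 substituted its 'Snort Alert [g:s:r]' fallback."""
    return PLACEHOLDER_RE.match(msg) is not None


def unmapped_alerts(lines: List[str], mapping: Dict[Tuple[int, int], str]) -> Dict[Tuple[int, int], int]:
    """Count alerts per (gid, sid) that have no entry in the map on disk."""
    missing: Dict[Tuple[int, int], int] = {}
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        key = (parsed[0], parsed[1])
        if key not in mapping:
            missing[key] = missing.get(key, 0) + 1
    return missing


def placeholder_alerts(lines: List[str]) -> int:
    """Count alerts that carry the fallback message (map barnyard2 had at start-up)."""
    return sum(1 for ln in lines if (p := parse_alert(ln)) and is_placeholder_msg(p[3]))


if __name__ == "__main__":
    mapping = parse_sid_msg_map(SAMPLE_SID_MSG_MAP_V1)
    for (gid, sid), n in sorted(unmapped_alerts(SAMPLE_ALERTS, mapping).items()):
        print(f"{gid}:{sid} not in map on disk ({n} alerts)")
    print(f"{placeholder_alerts(SAMPLE_ALERTS)} alerts carry barnyard2's placeholder message")
```

Run against the real files by replacing the constructed samples with the contents of the `sid_file` path from the barnyard2 config and a slice of the alert log; a sid reported as missing from the map on disk points at the written map, while a sid present on disk but still logged with the placeholder points at barnyard2 reading a different file or a stale copy.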
From: Joel Esler (jesler) [mailto:jesler () cisco com] 
Sent: Tuesday, April 28, 2015 1:51 PM
To: Michael Steele
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Strange events happening after installing PulledPork

Looks like your barnyard instance (or something) isn’t reading from the correct sid-msg.map file?

On Apr 28, 2015, at 12:20 AM, Michael Steele <michaels () winsnort com> wrote:

I’m not sure what’s going on. I just set up a new PulledPork instance, and it’s set to security for the rule set.

My previous instance ran a full set of rules for testing and I didn’t see the events below being logged.

I’m getting hundreds of the events below. I’m only seeing this after setting up PulledPork 0.7.0.

04/28-00:11:04.389178  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.758601  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:04.781636  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:57503 -> 239.255.255.250:1900
04/28-00:11:05.758296  [**] [1:1620:6] Snort Alert [1:1620:6] [**]
04/28-00:11:06.192448  [**] [1:1620:6] Snort Alert [1:1620:6] [**] [Classification: Detection of a Non-Standard Protocol or Event] [Priority: 2] {UDP} 192.168.0.2:55549 -> 192.168.0.255:32412

Any ideas why I’m getting these with PulledPork?
