Re: [Snort-users] snort and snort-rules/ET alerts

[Michael Shirk <shirkdog.bsd () gmail com>]

Michael Steele has sent me some other specific Windows issues that should
be added to pulledpork, but this one should either be an FAQ like Joel
said, or to revisit how the correct Tarball is retrieved.



--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 3, 2016 1:18 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

> Pulledpork does do this automatically, but I am not sure if it does it on
> the Windows platform.
>
> --
> Sent from my iPhone
>
> > On Dec 3, 2016, at 12:17 PM, Michael Steele <michaels () winsnort com>
> wrote:
> > I think the primary objective is to get PP to be all inclusive, and cross
> > platform compatible.
> >
> > I'm sure there is a solution that works under both platforms, but it may
> > take the development team to include a specific output switch to display
> > version only output (x.x.x.x), which would simplify the process.
> >
> > PP seems to be pretty popular, so maybe they would be open to including
> > something like that?
> >
> > However, anything that works will do because there are those that update
> > Snort and forget to change the snort_version in the pulledpork.conf every
> > time there is a version change.
> >
> > -----Original Message-----
> > From: Joel Esler (jesler) [mailto:jesler () cisco com]
> > Sent: Saturday, December 3, 2016 10:48 AM
> > To: wkitty42 () windstream net
> > Cc: Michael Steele <michaels () winsnort com>; Michael Shirk
> > <shirkdog.bsd () gmail com>
> > Subject: Re: [Snort-users] snort and snort-rules/ET alerts
> >
> > That'd be a great faq
> >
> > --
> > Sent from my iPhone
> >
> > > On Dec 3, 2016, at 10:32 AM, "wkitty42 () windstream net"
> > <wkitty42 () windstream net> wrote:
> > > *OFF LIST*
> > >
> > >
> > > > On 12/03/2016 09:06 AM, Michael Steele wrote:
> > > > There should be some ingenious way for PulledPork to pull the version
> > > > of Snort using Windows. This may take a collaboration between the
> > > > Snort development team and the PulledPork programmer.
> > >
> > >
> > > in one of my linux apps that interfaces with snort, we simply do a
> "snort
> > -V" and redirect the output for parsing... when we parse the output, we
> > specifically look for the line that has "Version" in it and pull the
> version
> > information from it...
> > > ===== snip snortvertest.pl =====
> > > #!/usr/bin/perl
> > >
> > > print "Snort version from 'snort -V' :\n";
> > > open(MY_INPUT,"/usr/bin/snort -V 2>&1 |");
> > > while(<MY_INPUT>) {
> > >   chomp;
> > >   if (/Version\s+(.*)/) {
> > >       ($display_version, $sub1, $sub2, $sub3, $sub4) = split(/ /,$1);
> > >       $snort_version = "$display_version";
> > >       $snort_version =~ s/\.//g;
> > >   }
> > > }
> > > close(MY_INPUT);
> > >
> > > # so far VRT/Talos hasn't used snort subversion numbers larger than #
> > > single digits so this should work fine for the foreseeable future.
> > > # basically they seem to be numbering as [0-9]\.[0-9]\.[0-9]\.[0-9]...
> > > # in the above we set $snort_version the same as what we grabbed as #
> > > $display_version... then we simply sed'ed out the dots to get a # raw
> > > numerical representation of the version... there must be # trailing
> > > zeros added to the version number for the url of the # VRT/Talos rules
> > > snapshots... trailing zeros which seem to be left # out when a version
> > > update is made and the new version number # generated.
> > > # eg: 2.9   != 2.9.0.0
> > > #     2.9.8 != 2.9.8.0
> > > while (length($snort_version) < 4) {
> > >   $snort_version .= '0';
> > > }
> > >
> > > print "$display_version => $snort_version\n";
> > >
> > > my $VRT_file = "snortrules-snapshot-$snort_version.tar.gz";
> > >
> > > my %snortsettings;
> > > &readhash("${somepath}/snort/settings", \%snortsettings); my $url =
> > > "https://www.snort.org/rules/$VRT_file?oinkcode=$snortsettings{'OINK'}
> > > ";
> > >
> > > print "Request url: $url\n";
> > > ===== snip =====
> > >
> > >
> > > the output looks something like this...
> > >
> > > ===== snip =====
> > > Snort version from 'snort -V' :
> > > 2.9.8.3 => 2983
> > > Request url:
> > > https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=b
> > > lahblahblahblahblahblahblah
> > > ===== snip =====
> > >
> > >
> > > granted, the above is on linux but the snort output should be able to be
> > redirected to a temp text file in winwhatever and parsed with similar
> > code... as we've never messed with snort on winwhatever, we can only
> assume
> > that the output of the version option is plain text to a terminal
> screen...
> > if that is the case, the above piping method or using a temp text file
> > should work...
> > > there is a settings file with some options in it... the oinkcode being
> > > the most important one... is it saved in the file as
> > >
> > > OINK=blahblahblahblahblahblahblah
> > >
> > > we have our own readhash procedure which loads the settings from the
> > > file... as you can see, the oinkcode is used directly in the url...
> > > since this is a testing script, some assumptions are made and error
> > > checks like making sure there is something in the oinkcode field
> > > should be done before assuming such ;)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!