Snort mailing list archives
Re: [Snort-users] snort and snort-rules/ET alerts
From: Michael Shirk <shirkdog.bsd () gmail com>
Date: Sat, 3 Dec 2016 13:30:40 -0500
Michael Steele has sent me some other specific Windows issues that should be added to pulledpork, but this one should either be an FAQ like Joel said, or to revisit how the correct Tarball is retrieved.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com

On Dec 3, 2016 1:18 PM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

Pulledpork does do this automatically, but I am not sure if it does it on the Windows platform.

--
Sent from my iPhone

On Dec 3, 2016, at 12:17 PM, Michael Steele <michaels () winsnort com> wrote:

I think the primary objective is to get PP to be all inclusive, and cross platform compatible. I'm sure there is a solution that works under both platforms, but it may take the development team to include a specific output switch to display version only output (x.x.x.x), which would simplify the process. PP seems to be pretty popular, so maybe they would be open to including something like that? However, anything that works will do because there are those that update Snort and forget to change the snort_version in the pulledpork.conf every time there is a version change.

-----Original Message-----
From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Saturday, December 3, 2016 10:48 AM
To: wkitty42 () windstream net
Cc: Michael Steele <michaels () winsnort com>; Michael Shirk <shirkdog.bsd () gmail com>
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

That'd be a great faq

--
Sent from my iPhone

On Dec 3, 2016, at 10:32 AM, "wkitty42 () windstream net" <wkitty42 () windstream net> wrote:

*OFF LIST*

On 12/03/2016 09:06 AM, Michael Steele wrote:
There should be some ingenious way for PulledPork to pull the version of Snort using Windows. This may take a collaboration between the Snort development team and the PulledPork programmer.

in one of my linux apps that interfaces with snort, we simply do a "snort -V" and redirect the output for parsing... when we parse the output, we specifically look for the line that has "Version" in it and pull the version information from it...

===== snip snortvertest.pl =====
#!/usr/bin/perl
my ($display_version, $sub1, $sub2, $sub3, $sub4);
my $snort_version = '';
print "Snort version from 'snort -V' :\n";
open(MY_INPUT,"/usr/bin/snort -V 2>&1 |");
while(<MY_INPUT>) {
  chomp;
  if (/Version\s+(.*)/) {
    ($display_version, $sub1, $sub2, $sub3, $sub4) = split(/ /,$1);
    $snort_version = "$display_version";
    $snort_version =~ s/\.//g;
  }
}
close(MY_INPUT);
# so far VRT/Talos hasn't used snort subversion numbers larger than
# single digits so this should work fine for the foreseeable future.
# basically they seem to be numbering as [0-9]\.[0-9]\.[0-9]\.[0-9]...
# in the above we set $snort_version the same as what we grabbed as
# $display_version... then we simply sed'ed out the dots to get a
# raw numerical representation of the version... there must be
# trailing zeros added to the version number for the url of the
# VRT/Talos rules snapshots... trailing zeros which seem to be left
# out when a version update is made and the new version number
# generated.
# eg: 2.9   != 2.9.0.0
#     2.9.8 != 2.9.8.0
while (length($snort_version) < 4) {
  $snort_version .= '0';
}
print "$display_version => $snort_version\n";
my $VRT_file = "snortrules-snapshot-$snort_version.tar.gz";
my %snortsettings;
&readhash("${somepath}/snort/settings", \%snortsettings);
my $url = "https://www.snort.org/rules/$VRT_file?oinkcode=$snortsettings{'OINK'}";
print "Request url: $url\n";
===== snip =====

the output looks something like this...

===== snip =====
Snort version from 'snort -V' :
2.9.8.3 => 2983
Request url: https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=blahblahblahblahblahblahblah
===== snip =====

granted, the above is on linux but the snort output should be able to be redirected to a temp text file in winwhatever and parsed with similar code... as we've never messed with snort on winwhatever, we can only assume that the output of the version option is plain text to a terminal screen... if that is the case, the above piping method or using a temp text file should work...

there is a settings file with some options in it... the oinkcode being the most important one... it is saved in the file as

OINK=blahblahblahblahblahblahblah

we have our own readhash procedure which loads the settings from the file... as you can see, the oinkcode is used directly in the url... since this is a testing script, some assumptions are made and error checks like making sure there is something in the oinkcode field should be done before assuming such ;)
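An added example, not part of this thread or of PulledPork, written in Python rather than Perl so the same parsing runs unchanged on Linux and Windows: it pulls the version out of a constructed `snort -V` banner, pads the snapshot name component by component (so a multi-digit component such as 2.9.10.0 survives, the case the script above flags as an assumption), refuses an empty oinkcode, and masks the oinkcode before the request URL is logged. The banner text, the oinkcode and the `snort` binary name are constructed or assumed.

```python
import re
import subprocess
from urllib.parse import urlencode

# Constructed sample of a 'snort -V' banner (Snort prints it to stderr).
SAMPLE_BANNER = """\
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
"""

VERSION_RE = re.compile(r"\bVersion\s+(\d+(?:\.\d+)*)")

def parse_snort_version(banner: str) -> str:
    """Return the dotted version from a 'snort -V' banner; raise if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no 'Version' line found in snort -V output")
    return m.group(1)

def snapshot_version(dotted: str) -> str:
    """Normalize '2.9', '2.9.8' or '2.9.8.3' to the four-component snapshot form
    (2900, 2980, 2983); missing components count as 0, so 2.9.10.0 -> 29100."""
    parts = dotted.split(".")
    if len(parts) > 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected snort version format: {dotted!r}")
    return "".join(parts + ["0"] * (4 - len(parts)))

def snapshot_url(dotted: str, oinkcode: str) -> str:
    """Build the rules-snapshot URL; refuse to run with an empty oinkcode."""
    if not oinkcode.strip():
        raise ValueError("oinkcode is empty; check the OINK setting")
    tarball = f"snortrules-snapshot-{snapshot_version(dotted)}.tar.gz"
    return f"https://www.snort.org/rules/{tarball}?{urlencode({'oinkcode': oinkcode})}"

def redact_oinkcode(url: str) -> str:
    """Mask the oinkcode so the request URL can be logged safely."""
    return re.sub(r"(oinkcode=)[^&]*", r"\g<1><redacted>", url)

def run_snort_version(snort_bin: str = "snort") -> str:
    """Run 'snort -V' and capture stdout+stderr (assumed binary name)."""
    proc = subprocess.run([snort_bin, "-V"], capture_output=True, text=True)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    ver = parse_snort_version(SAMPLE_BANNER)      # or run_snort_version()
    url = snapshot_url(ver, "0123456789abcdef")   # constructed oinkcode
    print(f"{ver} => {snapshot_version(ver)}")
    print("Request url:", redact_oinkcode(url))
```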