
Misses with Pulledpork


From: James Lay via Snort-users <snort-users () lists snort org>
Date: Wed, 04 Sep 2019 11:00:15 -0600

Here we go!!!!

So ok....after the events of last Friday it was time to revisit exactly how/what pulledpork updates; test environment, minimal pulledpork.conf and snort.conf designed just for testing updates (NOT FOR ACTUAL IDS/IPS USAGE). I prefer to keep most compiled apps in /opt so here's the config line for 2.9.14.1:

./configure --prefix=/opt/snort --disable-open-appid --enable-sourcefire --enable-non-ether-decoders


snort.conf
###################################################################
var CONF_PATH /opt/snort/etc
var RULE_PATH /opt/snort/etc/rules
var LIB_PATH /opt/snort/lib
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists

dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /opt/snort/lib/snort_dynamicrules

include /opt/snort/etc/classification.config
include /opt/snort/etc/reference.config

output alert_fast: /opt/snort/var/log/snort.fast
include $RULE_PATH/snort.rules
###################################################################

pulledpork.conf:
###################################################################
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-.tar.gz|xxxxxxxxxxxxxxxxxxxxxxxxx
rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|xxxxxxxxxxxxxxxxx
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open

ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/opt/snort/etc/rules/snort.rules
local_rules=/opt/snort/etc/rules/local.rules
sid_msg=/opt/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/snort/lib/snort_dynamicrules
snort_path=/opt/bin/snort
config_path=/opt/snort/etc/snort.conf
distro=Ubuntu-18-4
black_list=/opt/snort/etc/rules/iplists/black_list.rules
IPRVersion=/opt/snort/etc/rules/iplists

version=0.7.4
###################################################################

Some notes for the above: you MUST have the directories for sorule_path 100% correct and matching for your stub rules to update. Also mind the distro= line and make sure it's not wildly off. If either of the previous is the case, Pulledpork will silently skip over SO rules when these aren't correct....those of you having SO rules issues double check these....every time I think these aren't the reason they uh.....are the reason.

Yesterday after a pulledpork update run I did a mass touch of my entire snort directory, timestamping it for Sep 3rd. Today I ran the below: /opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf

first up, dynamic rules:

drwxr-xr-x 2 root root 4096 Sep 4 16:46 /opt/snort/lib/snort_dynamicrules
total 11432
-rwxr-xr-x 1 root root   73960 Aug 29 16:24 browser-chrome.so

stubs were generated, directory timestamp shows that, also pulledpork run reflects this:
Generating Stub Rules....
        Done

next, sid-msg.map:
-rw-r--r-- 1 root root 13187819 Sep  4 16:46 sid-msg.map

updated....expected.

next, snort.rules:
-rw-r--r-- 1 root root 56614387 Sep  4 16:46 snort.rules

updated...expected.

next preproc_rules:
drwxr-xr-x 2 root      root     4096 Sep  3 20:42 preproc_rules

-rw------- 1 root root 18748 Sep  3 20:42 decoder.rules
-rw------- 1 root root 36577 Sep  3 20:42 preprocessor.rules
-rw------- 1 root root  1309 Sep  3 20:42 sensitive-data.rules

these are a miss...indeed checking some systems I've had running for years I see the same files with a timestamp of 2011(!!!). Either pulledpork will want to incorporate these in, or we'll have to roll our own.

lastly, gen-msg.map:
-rw-r--r-- 1 root root    29805 Sep  3 20:42 gen-msg.map

a miss as well, so again...either pulledpork will want to incorporate this as well, or we'll have to roll our own.

So there we go....unless I've missed something my update process has been missing a few things for the past...oh.....13 years? Thank you....comments and corrections always welcome as I usually end up screwing something up :)

James
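The check the post does by hand (mass touch, run pulledpork, then read timestamps with ls -l) written up as a script, added here as an example; it is not from the post or from the pulledpork project. The stamp file, the demo tree, the function names and the ABSENT/UPDATED/MISS labels are assumptions; the paths default to the post's /opt/snort layout and the list of artifacts is the one the post checks.

```shell
#!/bin/sh
# Added example, not from the post or from pulledpork: verify which Snort
# artifacts a pulledpork run actually refreshed by comparing their mtimes
# against a stamp file touched just before the run (the post does the same
# by hand with a mass touch and ls -l). Paths follow the post's /opt/snort
# layout; the stamp file, the demo tree and the function names are assumptions.

# Report each expected artifact as UPDATED (newer than the stamp), MISS
# (present but not refreshed) or ABSENT. Exit status is the number of
# artifacts that were not refreshed, so 0 means a clean update.
check_artifacts() {
    etc="$1"; so="$2"; stamp="$3"; misses=0
    for f in "$etc/rules/snort.rules" \
             "$etc/sid-msg.map" \
             "$etc/gen-msg.map" \
             "$etc/rules/preproc_rules/decoder.rules" \
             "$etc/rules/preproc_rules/preprocessor.rules" \
             "$etc/rules/preproc_rules/sensitive-data.rules" \
             "$so"; do
        if [ ! -e "$f" ]; then
            printf 'ABSENT  %s\n' "$f"; misses=$((misses + 1))
        # find -prune -newer prints the path only if its mtime is newer than
        # the stamp; -prune keeps it from descending into the SO rule directory.
        elif [ -n "$(find "$f" -prune -newer "$stamp")" ]; then
            printf 'UPDATED %s\n' "$f"
        else
            printf 'MISS    %s\n' "$f"; misses=$((misses + 1))
        fi
    done
    return "$misses"
}

# Build a throwaway tree that mirrors the post's result: everything stamped
# Sep 3 20:42, then a simulated update run refreshes only snort.rules,
# sid-msg.map and the SO rule directory. Constructed data, offline only.
demo_tree() {
    root="$1"
    mkdir -p "$root/etc/rules/preproc_rules" "$root/lib/snort_dynamicrules"
    for rel in rules/snort.rules sid-msg.map gen-msg.map \
               rules/preproc_rules/decoder.rules \
               rules/preproc_rules/preprocessor.rules \
               rules/preproc_rules/sensitive-data.rules; do
        : > "$root/etc/$rel"
        touch -t 201909032042 "$root/etc/$rel"
    done
    touch -t 201909032042 "$root/lib/snort_dynamicrules" "$root/pp_before.stamp"
    # "pulledpork ran": only these three get a new mtime
    touch "$root/etc/rules/snort.rules" "$root/etc/sid-msg.map" \
          "$root/lib/snort_dynamicrules"
}

# Real use (assumed sequence, same pulledpork command line as the post's):
#   touch /tmp/pp_before.stamp
#   /opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf
#   check_artifacts /opt/snort/etc /opt/snort/lib/snort_dynamicrules /tmp/pp_before.stamp
# Offline demo against the constructed tree: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    demo_tree "$tmp"
    check_artifacts "$tmp/etc" "$tmp/lib/snort_dynamicrules" "$tmp/pp_before.stamp"
    echo "not refreshed: $?"
    rm -rf "$tmp"
fi
```

Running it on the demo tree reports three UPDATED lines (snort.rules, sid-msg.map, the SO rule directory) and four MISS lines (gen-msg.map and the three preproc_rules files), which is the post's finding; on a real sensor the non-zero exit status is what a cron job or monitoring check would key on.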