Snort mailing list archives

Re: Misses with Pulledpork


From: James Lay via Snort-users <snort-users () lists snort org>
Date: Thu, 05 Sep 2019 11:52:18 -0600

So after digging in, looks like the preprocessor rules are all pulled into the snort.rules file proper, which explains old rules in preproc_rules. The only other item is gen-msg.map isn't updated, isn't in the snort rules tarball, and is only found in the snort source tarball, so going forward that's a file to remember to install on upgrading. Thanks all!

James

On 2019-09-04 11:00, James Lay via Snort-users wrote:
Here we go!!!!

So ok....after the events of last Friday it was time to revisit
exactly how/what pulledpork updates; test environment, minimal
pulledpork.conf and snort.conf designed just for testing updates (NOT
FOR ACTUAL IDS/IPS USAGE).  I prefer to keep most compiled apps in
/opt so here's the config line for 2.9.14.1:

./configure --prefix=/opt/snort --disable-open-appid
--enable-sourcefire --enable-non-ether-decoders


snort.conf
###################################################################
var CONF_PATH /opt/snort/etc
var RULE_PATH /opt/snort/etc/rules
var LIB_PATH /opt/snort/lib
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists

dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /opt/snort/lib/snort_dynamicrules

include /opt/snort/etc/classification.config
include /opt/snort/etc/reference.config

output alert_fast: /opt/snort/var/log/snort.fast
include $RULE_PATH/snort.rules
###################################################################

pulledpork.conf:
###################################################################
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-.tar.gz|xxxxxxxxxxxxxxxxxxxxxxxxx
rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|xxxxxxxxxxxxxxxxx
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open

ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/opt/snort/etc/rules/snort.rules
local_rules=/opt/snort/etc/rules/local.rules
sid_msg=/opt/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/snort/lib/snort_dynamicrules
snort_path=/opt/bin/snort
config_path=/opt/snort/etc/snort.conf
distro=Ubuntu-18-4
black_list=/opt/snort/etc/rules/iplists/black_list.rules
IPRVersion=/opt/snort/etc/rules/iplists

version=0.7.4
###################################################################

Some notes for the above: you MUST have the directories for
sorule_path 100% correct and matching for your stub rules to update.
Also mind the distro= line and make sure it's not wildly off.  If
either of the previous is the case, Pulledpork will silently skip
over SO rules when these aren't correct....those of you having SO
rules issues double check these....every time I think these aren't the
reason they uh.....are the reason.

Yesterday after a pulledpork update run I did a mass touch of my
entire snort directory, timestamping it for Sep 3rd.  Today I ran
the below:
/opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf

first up, dynamic rules:

drwxr-xr-x 2 root root 4096 Sep 4 16:46 /opt/snort/lib/snort_dynamicrules
total 11432
-rwxr-xr-x 1 root root   73960 Aug 29 16:24 browser-chrome.so

stubs were generated, directory timestamp shows that, also pulledpork
run reflects this:
Generating Stub Rules....
        Done

next, sid-msg.map:
-rw-r--r-- 1 root root 13187819 Sep  4 16:46 sid-msg.map

updated....expected.

next, snort.rules:
-rw-r--r-- 1 root root 56614387 Sep  4 16:46 snort.rules

updated...expected.

next preproc_rules:
drwxr-xr-x 2 root      root     4096 Sep  3 20:42 preproc_rules

-rw------- 1 root root 18748 Sep  3 20:42 decoder.rules
-rw------- 1 root root 36577 Sep  3 20:42 preprocessor.rules
-rw------- 1 root root  1309 Sep  3 20:42 sensitive-data.rules

these are a miss...indeed checking some systems I've had running for
years I see the same files with a timestamp of 2011(!!!).  Either
pulledpork will want to incorporate these in, or we'll have to roll
our own.

lastly, gen-msg.map:
-rw-r--r-- 1 root root    29805 Sep  3 20:42 gen-msg.map

a miss as well, so again...either pulledpork will want to incorporate
this as well, or we'll have to roll our own.

So there we go....unless I've missed something my update process has
been missing a few things for the past...oh.....13 years?  Thank
you....comments and corrections always welcome as I usually end up
screwing something up :)

James
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette
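A small script that reproduces the timestamp check James walks through above, added here as an example that is not part of the original thread or of Pulledpork itself: it stamps a marker file, runs whatever update command you hand it, and then lists every file under the Snort tree that the run left untouched, which is exactly how the stale preproc_rules and gen-msg.map showed up. The function names and the marker file location are my own assumptions; the Pulledpork command and the /opt/snort paths in the usage comment are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find what an update run did NOT rewrite.
# Idea taken from the thread: stamp a reference time before the run, then look
# for files whose mtime is not newer than that stamp.

# Create (or truncate) the marker file so its mtime is "now".
stamp_marker() {
    marker="$1"
    : > "$marker"
}

# Print every regular file under $1 that is NOT newer than marker $2,
# i.e. every file the update run did not touch.  Sorted for stable output.
list_stale() {
    dir="$1"; marker="$2"
    find "$dir" -type f ! -newer "$marker" | sort
}

# Number of untouched files under $1 relative to marker $2.
count_stale() {
    list_stale "$1" "$2" | wc -l | tr -d ' '
}

# Stamp, run the update command given as the remaining arguments, report.
# usage: verify_update <snort_dir> <marker_file> <update command...>
verify_update() {
    dir="$1"; marker="$2"; shift 2
    stamp_marker "$marker"
    sleep 1          # guard against 1-second mtime resolution on some filesystems
    "$@"
    list_stale "$dir" "$marker"
}

# Real-world invocation, using the paths and command from the thread
# (marker path is an assumption):
#   verify_update /opt/snort/etc /tmp/pp.marker \
#       /opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf
#   verify_update /opt/snort/lib/snort_dynamicrules /tmp/pp.marker \
#       /opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf
```

Note that this detects files that were written, not files whose contents changed: a rule file Pulledpork rewrites with identical contents still gets a fresh mtime and drops off the stale list, while anything that only ships in the Snort source tarball (gen-msg.map in the thread) stays on it run after run.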