Snort mailing list archives

Re: PulledPork and Snort 3.1 on Ubuntu - Errors (issue identified, needs to be fixed by the Snort team)


From: Noah Dietrich <noah_dietrich () 86penny org>
Date: Sat, 20 Feb 2021 09:40:51 +0000

Ok, I've identified the issue with the Snort 3.1.0.0 registered ruleset
from snort.org that is preventing PulledPork from properly downloading the
rulesets. The issue is that the tgz file structure is incorrect for
snortrules-snapshot-3100.tar.gz, and needs to be fixed by whoever creates
the 3100 tgz file for Snort.

The tgz file structure should be: the root folder contains the rules,
so_rules, ...etc. folders. However, for the 3100 archive, there's an extra
folder named '.' at the root of the archive that is the parent of those
folders, and PulledPork can't properly parse the folder structure. Here it
is demonstrated. First, I have three different current tgz files:

noah@snort3:~/rulesets$ ls -l
total 145592
-rw-rw-rw- 1 noah noah 135684289 feb 20 09:16 snortrules-snapshot-29170.tar.gz
-rw-rw-rw- 1 noah noah   2953027 feb 20 09:16 snortrules-snapshot-3000.tar.gz
-rw-rw-rw- 1 noah noah  10440225 feb 20 09:16 snortrules-snapshot-3100.tar.gz


So let's look at the contents of the tgz file, only looking at the first
level of files/folders for the 29170 and 3000 archives (which are correct
and work):

noah@snort3:~/rulesets$ tar --exclude="*/*" -tf snortrules-snapshot-29170.tar.gz
rules/
so_rules/
etc/
preproc_rules/

noah@snort3:~/rulesets$ tar --exclude="*/*" -tf snortrules-snapshot-3000.tar.gz
rules/
builtins/
etc/


That looks fine. Next, let's look at the 3100 folder with the exact same
command as above:

noah@snort3:~/rulesets$ tar --exclude="*/*" -tf snortrules-snapshot-3100.tar.gz
./

Well, that doesn't look the same.
Let's look one more level deep in the folder structure for that archive:

noah@snort3:~/rulesets$ tar --exclude="*/*/*" -tf snortrules-snapshot-3100.tar.gz
./
./builtins/
./rules/
./so_rules/
./etc/

So those are the folders we're looking for, only they're nested one
directory deeper in the tgz file, and the name of the extra root folder in
the tgz file is '.'.
The fix is for the snort rules team to re-create the 3100 tgz file with
proper directory structure. I suspect that since this has been a problem
for a few releases now, their workflow is incorrect.

I can successfully have pulledpork download the 3000 version of the tgz
file with no issues, so it's not an issue between pulledpork and snort 3,
it's entirely the tgz file format for 3100.

For anyone that needs working rules now, the solution would be to tell
PulledPork to use the 3000 version of the rules file, either by specifying
-S 3.0.0.0 on the command line when running PulledPork, or by including
snort_version = 3.0.0.0 in your pulledpork.conf (line 196 or so). Note that
the 3000 version does not include pre-compiled rules (.so rules), so you'll
either need to ignore the warnings when you run PulledPork ("Something
failed in the gen_stubs sub"), or run PulledPork with the -T flag.

Noah
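As an added illustration (not part of Noah's mail or of PulledPork's own code), the Python below builds two constructed in-memory snapshots, one with the expected layout and one with the extra './' root entry described above, then shows a check that tells them apart and a repack that drops the prefix. Directory names mirror the listings above; the file contents are placeholders.

```python
import io
import tarfile

def build_snapshot(prefix, top_dirs):
    """Constructed .tar.gz: prefix="" is the expected layout,
    prefix="./" reproduces the 3100 archive with its extra '.' root entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        if prefix:
            root = tarfile.TarInfo(prefix)  # the stray './' entry
            root.type = tarfile.DIRTYPE
            tar.addfile(root)
        for d in top_dirs:
            info = tarfile.TarInfo(prefix + d + "/")
            info.type = tarfile.DIRTYPE
            tar.addfile(info)
            data = b"# constructed placeholder rule file\n"
            f = tarfile.TarInfo(prefix + d + "/sample.rules")
            f.size = len(data)
            tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()

def top_level_dirs(tar_bytes):
    """Return (has_dot_root, sorted top-level dirs); a leading './' is
    reported as the extra root folder instead of counted as a directory."""
    has_dot_root, dirs = False, set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for name in tar.getnames():  # tarfile strips trailing '/' on read
            if name in (".", "./"):
                has_dot_root = True
                continue
            if name.startswith("./"):
                has_dot_root, name = True, name[2:]
            first = name.split("/", 1)[0]
            if first:
                dirs.add(first)
    return has_dot_root, sorted(dirs)

def strip_dot_root(tar_bytes):
    """Repack with the './' prefix removed so rules/, so_rules/ etc. sit at
    the archive root, the layout the 29170 and 3000 snapshots already use."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            if m.name in (".", "./"):
                continue  # drop the stray root entry entirely
            if m.name.startswith("./"):
                m.name = m.name[2:]
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()
```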



On Fri, Feb 19, 2021 at 8:51 AM Noah Dietrich <noah_dietrich () 86penny org>
wrote:

I've received a number of reports of issues with PulledPork not
downloading rules correctly for snort 3.1 on Ubuntu, and I'm not sure what
the issue is.

I'm running PulledPork as follows:
/usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP

I get the following errors, and no rules are downloaded:

Generating Stub Rules....
Something failed in the gen_stubs sub, please verify your shared object
config!
Done
...
Writing v2 /usr/local/etc/snort/sid-msg.map....
Use of uninitialized value in concatenation (.) or string at
/usr/local/bin/pulledpork.pl line 1379.
Done
...
Rule Stats...
New:-------0
Deleted:---1
Enabled Rules:----1
Dropped Rules:----0
Disabled Rules:---0
Total Rules:------1

In order to remove the .so rules from the equation, I add the -T flag,
which gets rid of the so rules error, but I still have the sid-msg map
error, and no rules downloaded.
I checked the downloaded tgz file, and I see the rules folder in there
with the rules:
/./rules
/./etc
/./builtins
/./so_rules

So either PP is not getting the rules correctly from the tgz file, or the
tgz file's format is incorrect (I'm not sure if there should be an extra
parent folder in the tgz file).
Regarding the .so rules, I'm not sure, but it looks like the pre-compiled
rules have changed from two versions of Ubuntu to one version, and maybe PP
doesn't know how to include that yet (/./so_rules/precompiled/ubuntu_x64).
Attached is PulledPork's -vv output and my pulledpork.conf. Hopefully
someone can help out here. I'm running PulledPork v0.8.0 - The only
positive thing to come out of 2020...well this and take-out liquor!

Thanks,
Noah

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
