Home page logo
/

snort logo Snort mailing list archives

so_rules are not processed by pulledpork under FreeBSD 9.1
From: "C. L. Martinez" <carlopmart () gmail com>
Date: Thu, 9 May 2013 13:14:14 +0000

Hi all,

 I ma trying to manage all snort rules using pulledpork under FreeBSD.
All works ok, except so_rules: never they are processed.

 Pulledpork output:


    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.2dev the Cigar Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2012 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug
/data/config/etc/idpsnort01/pulledpork/pulledpork.conf
        snort_path = /usr/local/bin/snort
        enablesid = /data/config/etc/idpsnort01/pulledpork/enablesid.conf
        distro = FreeBSD-9-0
        temp_path = /tmp
        version = 0.6.1
        sorule_path = /data/config/etc/idpsnort01/so_rules/
        rule_path = /data/config/etc/idpsnort01/rules/all.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0x80258e5a0)
        sid_msg_version = 1
        sid_changelog = /tmp/sid_changes.log
        out_path = /data/config/etc/idpsnort01/rules/
        sid_msg = /data/config/etc/idpsnort01/sid-msg.map
        ips_policy = security
        config_path = /data/config/etc/idpsnort01/snort.conf
MISC (CLI and Autovar) Variable Debug:
        Process flag specified!
        arch Def is: x86-64
        Config Path is: /data/config/etc/idpsnort01/pulledpork/pulledpork.conf
        Distro Def is: FreeBSD-9-0
        Keep rulefiles flag is Set
        Keep rulefiles path: /data/config/etc/idpsnort01/rules/
        security policy specified
        No Download Flag is Set
        Rules file is: /data/config/etc/idpsnort01/rules/all.rules
        Path to enablesid file:
/data/config/etc/idpsnort01/pulledpork/enablesid.conf
        sid changes will be logged to: /tmp/sid_changes.log
        sid-msg.map Output Path is: /data/config/etc/idpsnort01/sid-msg.map
        Snort Version is: 2.9.4.6
        Snort Config File: /data/config/etc/idpsnort01/snort.conf
        Snort Path is: /usr/local/bin/snort
        SO Output Path is: /data/config/etc/idpsnort01/so_rules/
        Will process SO rules
        Verbose Flag is Set
        Base URL is:
https://www.snort.org/reg-rules/|snortrules-snapshot-2945.tar.gz|69c3abc8e00c849390192c3e07666782df49abda
Prepping rules from snortrules-snapshot-2945.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2945.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-server-other.rules
        Extracted: /tha_rules/VRT-pua-adware.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-malware-backdoor.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-browser-webkit.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-os-other.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-protocol-voip.rules
        Extracted: /tha_rules/VRT-file-image.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-os-solaris.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-server-mssql.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-protocol-ftp.rules
        Extracted: /tha_rules/VRT-server-webapp.rules
        Extracted: /tha_rules/VRT-server-oracle.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-server-apache.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-file-multimedia.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-pua-other.rules
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-protocol-icmp.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-indicator-shellcode.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-protocol-finger.rules
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-protocol-imap.rules
        Extracted: /tha_rules/VRT-malware-cnc.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /tha_rules/VRT-protocol-services.rules
        Extracted: /tha_rules/VRT-browser-ie.rules
        Extracted: /tha_rules/VRT-os-windows.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /tha_rules/VRT-browser-firefox.rules
        Extracted: /tha_rules/VRT-browser-chrome.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-browser-other.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-os-linux.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /tha_rules/VRT-policy-spam.rules
        Extracted: /tha_rules/VRT-malware-tools.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-malware-other.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-file-executable.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-exploit-kit.rules
        Extracted: /tha_rules/VRT-protocol-pop.rules
        Extracted: /tha_rules/VRT-browser-plugins.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-file-flash.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
        Extracted: /tha_rules/VRT-server-mysql.rules
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-server-iis.rules
        Extracted: /tha_rules/VRT-app-detect.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
        Reading rules...
        Reading rules...
Cleanup....
        removed 108 temporary snort files or directories from /tmp/tha_rules!
Activating security rulesets....
        Done
Processing /data/config/etc/idpsnort01/pulledpork/enablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 851 flowbits
        Enabled 29 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
Writing rules to unique destination files....
        Writing rules to /data/config/etc/idpsnort01/rules/
        Done
Generating sid-msg.map....
        Done
Writing v1 /data/config/etc/idpsnort01/sid-msg.map....
        Done
Fly Piggy Fly!

And my pulledpork.conf:

#rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

# Ignored rules
ignore=deleted.rules,experimental.rules,local.rules

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/data/config/etc/idpsnort01/rules/all.rules

# Output path for download rules
out_path=/data/config/etc/idpsnort01/rules/

# Location for sid-msg.map file
sid_msg=/data/config/etc/idpsnort01/sid-msg.map

# New for by2 and more advanced msg mapping.  Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+.  Otherwise use 1
sid_msg_version=1

# Defined path for sid changelog file
sid_changelog=/tmp/sid_changes.log

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/data/config/etc/idpsnort01/so_rules/

# Define your distro, this is for the precompiled shared object libs!
distro=FreeBSD-9-0

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/data/config/etc/idpsnort01/snort.conf

# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
#pid_path=/var/run/snort_em5.pid

# If you are using IP Reputation and getting some public lists, you
will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
#black_list=/data/config/etc/idpsnort01/iplists/default.blacklist
#IPRVersion=/data/config/etc/idpsnort01/iplists/

# Define local rules files
#local_rules=/data/config/etc/idpsnort01/rules/apt1.rules


# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
enablesid=/data/config/etc/idpsnort01/pulledpork/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
#disablesid=/data/config/etc/idpsnort01/pulledpork/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

ips_policy=security



####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.6.1

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and 
their applications. This 200-page book is written by three acclaimed 
leaders in the field. The early access version is available now. 
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault