Snort mailing list archives

Installing only so_rules with pulledpork


From: carlopmart <carlopmart () gmail com>
Date: Fri, 30 Sep 2011 16:21:06 +0200

Hi all,

  I am trying to use only so_rules on Snort 2.9.1.0. Can I do this 
with pulledpork?

  I am trying with this config:

rule_url=http://my.home.server/snortsigs/|vrt.tar.gz|open
sorule_path=/data/config/etc/snort-pri/dynamicrules
sostub_path=/data/config/etc/snort-pri/rules/all.so_rules
distro=RHEL-6-0

  But when I try to launch pulledpork, it returns this error:

[root@idssrv01 ]# pulledpork.pl -c pulledpork-pri.conf -l

     http://code.google.com/p/pulledpork/
       _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
   @_/        /  66\_  cummingsj () gmail com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ERROR: You need to specify an output rules file!

  After this, I enabled the rule_path option, but pulledpork processes 
all the normal rules but not the so_rules:

[root@idssrv01]# pulledpork.pl -c pulledpork-pri.conf -l

     http://code.google.com/p/pulledpork/
       _____ ____
      `----,\    )
       `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
        `--==\\/
      .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
   @_/        /  66\_  cummingsj () gmail com
     |    \   \   _(")
      \   /-| ||'--'  Rules give me wings!
       \_\  \_\\
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Rules tarball download of vrt.tar.gz....
Prepping rules from vrt.tar.gz for work....
        Done!
Reading rules...
Generating Stub Rules....
        An error occurred: ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: No such file or directory

        An error occurred: Fatal Error, Quitting..

        Done
Reading rules...
Reading rules...
Setting Flowbit State....
        Enabled 49 flowbits
        Enabled 23 flowbits
        Done
Writing /data/config/etc/snort-pri/rules/all.rules....
        Done
Writing /data/config/etc/snort-pri/rules/all.so_rules....
        Done

  So, my question: can I configure only so_rules for pulledpork and 
disable ALL the others? How can I do this?

Thanks.
-- 
CL Martinez
carlopmart {at} gmail {d0t} com
