Snort mailing list archives
Re: Installing only so_rules with pulledpork
From: JJC <cummingsj () gmail com>
Date: Mon, 3 Oct 2011 08:41:46 -0600
Touch the plaintext rules file first.

On Fri, Sep 30, 2011 at 8:21 AM, carlopmart <carlopmart () gmail com> wrote:
Hi all,

I am trying to use only so_rules on a snort 2.9.1.0. Can I do this with pulledpork? I am trying with this config:

    rule_url=http://my.home.server/snortsigs/|vrt.tar.gz|open
    sorule_path=/data/config/etc/snort-pri/dynamicrules
    sostub_path=/data/config/etc/snort-pri/rules/all.so_rules
    distro=RHEL-6-0

But when I try to launch pulledpork, it returns this error:

    [root@idssrv01 ]# pulledpork.pl -c pulledpork-pri.conf -l

        http://code.google.com/p/pulledpork/
          _____ ____
         `----,\    )
          `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
           `--==\\/
         .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
      @_/        /  66\_  cummingsj () gmail com
        |    \   \   _(")
         \   /-| ||'--'  Rules give me wings!
          \_\  \_\\
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    ERROR: You need to specify an output rules file!

After this, I enabled the rule_path option, but pulledpork processes all the normal rules and not the so_rules:

    [root@idssrv01]# pulledpork.pl -c pulledpork-pri.conf -l

        http://code.google.com/p/pulledpork/
          _____ ____
         `----,\    )
          `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
           `--==\\/
         .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
      @_/        /  66\_  cummingsj () gmail com
        |    \   \   _(")
         \   /-| ||'--'  Rules give me wings!
          \_\  \_\\
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Rules tarball download of vrt.tar.gz....
    Prepping rules from vrt.tar.gz for work....
    Done!
    Reading rules...
    Generating Stub Rules....
    An error occurred: ERROR: OpenAlertFile() => fopen() alert file /var/log/snort/alert: No such file or directory
    An error occurred: Fatal Error, Quitting..
    Done
    Reading rules...
    Reading rules...
    Setting Flowbit State....
    Enabled 49 flowbits
    Enabled 23 flowbits
    Done
    Writing /data/config/etc/snort-pri/rules/all.rules....
    Done
    Writing /data/config/etc/snort-pri/rules/all.so_rules....
    Done

Then, my question: can I configure only so_rules for pulledpork and disable ALL the others? How can I do this?

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
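
Added example, not part of the thread and not PulledPork code: a preflight check for the three path settings that appear in this exchange, run before invoking pulledpork.pl. The function names `conf_get` and `pp_preflight` are hypothetical, and the script assumes plain `key=value` conf lines with `sorule_path` naming a directory and `rule_path`/`sostub_path` naming files, as in the quoted config.

```shell
#!/bin/sh
# Added example, not PulledPork code. Assumes plain key=value conf lines.

# conf_get FILE KEY: print the value of the last uncommented "KEY=" line.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# pp_preflight FILE [--fix]: print one line per problem, return 1 if any remain.
# With --fix, missing output files are created empty (touch) when their
# directory already exists; directories are never created.
pp_preflight() {
    conf=$1; fix=${2:-}; status=0
    for key in rule_path sorule_path sostub_path; do
        val=$(conf_get "$conf" "$key")
        if [ -z "$val" ]; then
            # e.g. no rule_path line: the "output rules file" error above
            echo "MISSING_KEY $key"; status=1; continue
        fi
        if [ "$key" = sorule_path ]; then
            # sorule_path is the directory that receives the shared objects
            [ -d "$val" ] || { echo "MISSING_DIR $key $val"; status=1; }
        elif [ ! -d "$(dirname "$val")" ]; then
            echo "MISSING_DIR $key $(dirname "$val")"; status=1
        elif [ ! -f "$val" ]; then
            if [ "$fix" = --fix ]; then
                touch "$val" && echo "CREATED $key $val"
            else
                echo "MISSING_FILE $key $val"; status=1
            fi
        fi
    done
    return $status
}

# Usage: sh preflight.sh pulledpork-pri.conf [--fix]
if [ $# -gt 0 ] && [ -f "$1" ]; then pp_preflight "$@"; fi
```

The check covers only the pulledpork.conf paths; the `/var/log/snort/alert` failure in the output above comes from Snort's own logging configuration and is outside what this script inspects.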
