Snort mailing list archives
A few pulledpork questions
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 13 Aug 2013 11:08:18 -0600
Hey all,
First...seeing this when I run PP:
Generating Stub Rules....
An error occurred: WARNING: threshold.conf(26) threshold (standalone) is deprecated; use event_filter instead.
which is:
threshold gen_id 138, sig_id 1000, type limit, track by_src, count 1, seconds 60
From the readme.thresholding:
THRESHOLD EXAMPLES:
------------------
# Rule Threshold - Limit to logging 1 event per 60 seconds
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
Why is the error occurring? What can I do to troubleshoot this?
Second...
I've made a special snort.conf that has ALL rules, so I can get all the
rules, but then enable/disable the ones I want within different configs.
I have this in the config:
var PREPROC_RULE_PATH /opt/etc/snort/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules
Yet these rules have never updated
in the preproc_rules dir:
-rw------- 1 18748 2011-09-07 14:47 decoder.rules
-rw------- 1 36577 2011-09-07 14:47 preprocessor.rules
-rw------- 1 1309 2011-09-07 14:47 sensitive-data.rules
in latest snort rules:
-rw-r--r-- 1 19685 2013-08-07 13:34 decoder.rules
-rw-r--r-- 1 41474 2013-08-07 13:34 preprocessor.rules
-rw-r--r-- 1 1309 2013-08-07 13:34 sensitive-data.rules
Why? What can I do to troubleshoot this?
Third...
I'm running:
PulledPork v0.6.1 the Smoking Pig <////~
Yet, if I comment out in pulledpork.conf:
version=0.6.0
or change it to
version=0.6.1
I get
You are not using the current version of pulledpork.conf!
Please use the version that shipped with PulledPork v0.6.1 the Smoking Pig <////~!
Why must my pulledpork.conf have 0.6.0 as the version?
Finally...
I see
Use of uninitialized value within %hcategory in numeric eq (==) at /opt/bin/pulledpork.pl line 1055.
What can I do to troubleshoot this? Thank you for any help you can
bring...sorry it's a long email.
James
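The first question concerns the deprecation warning Snort raises for standalone `threshold` lines in threshold.conf. As an added illustration (not code from the post, from Snort, or from PulledPork), the script below scans a threshold.conf, reports which line numbers still use the deprecated standalone `threshold` form (the same line-number reference the warning gives, e.g. `threshold.conf(26)`), and rewrites each one into the equivalent `event_filter` line with the same gen_id, sig_id, type, track, count and seconds. The sample file content is constructed here; `suppress` lines and lines already using `event_filter` are left untouched.

```python
import re

# Constructed sample threshold.conf content (not taken from the list post).
# Line 2 uses the deprecated standalone `threshold` keyword; the rest are fine.
SAMPLE_THRESHOLD_CONF = """\
# Rule Threshold - Limit to logging 1 event per 60 seconds (deprecated form)
threshold gen_id 1, sig_id 1851, type limit, track by_src, count 1, seconds 60
# Already using the replacement keyword
event_filter gen_id 138, sig_id 1000, type limit, track by_src, count 1, seconds 60
# Suppression lines are a different directive and are left alone
suppress gen_id 1, sig_id 1852, track by_src, ip 10.0.0.0/8
"""

# Matches the standalone threshold directive: keyword order and the
# limit/threshold/both and by_src/by_dst vocabularies follow Snort's
# README.thresholding / README.filters.
THRESHOLD_RE = re.compile(
    r"^\s*threshold\s+gen_id\s+(?P<gen_id>\d+)\s*,"
    r"\s*sig_id\s+(?P<sig_id>\d+)\s*,"
    r"\s*type\s+(?P<type>limit|threshold|both)\s*,"
    r"\s*track\s+(?P<track>by_src|by_dst)\s*,"
    r"\s*count\s+(?P<count>\d+)\s*,"
    r"\s*seconds\s+(?P<seconds>\d+)\s*$",
    re.IGNORECASE,
)


def convert_line(line):
    """Return (new_line, changed). Only deprecated standalone threshold lines change."""
    m = THRESHOLD_RE.match(line)
    if not m:
        return line, False
    f = m.groupdict()
    new = ("event_filter gen_id {gen_id}, sig_id {sig_id}, type {type}, "
           "track {track}, count {count}, seconds {seconds}").format(**f)
    return new, True


def convert_threshold_conf(text):
    """Convert a whole threshold.conf.

    Returns (converted_text, findings) where findings is a list of
    (line_number, original_line) for each deprecated line that was rewritten,
    so the report lines up with Snort's threshold.conf(N) warning.
    """
    out = []
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        new, changed = convert_line(line)
        if changed:
            findings.append((lineno, line.strip()))
        out.append(new)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    converted, findings = convert_threshold_conf(SAMPLE_THRESHOLD_CONF)
    for lineno, original in findings:
        print("threshold.conf(%d): deprecated -> %s" % (lineno, convert_line(original)[0]))
    print(converted, end="")
```

Running the script against a real file means replacing `SAMPLE_THRESHOLD_CONF` with the file's contents; review the rewritten output before putting it in place, since the regex deliberately refuses to touch any line it does not fully recognize.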
Snort-users mailing list
