Snort mailing list archives
PulledPork 0.7.0 not parsing enablesid, disablesid, modifysid or threshold.conf files when there are no rule updates
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Fri, 29 Aug 2014 19:43:59 +0000
I'm testing PP 0.7.0 and seeing what looks like a bug but want to confirm it's not a config issue on my end.
As I tune the sensor I add entries in each of the config files (the enablesid, disablesid and modifysid conf files) and then run pulledpork and restart snort:
/usr/local/bin/pulledpork.pl -c /usr/local/etc/snort/pulledpork.conf -vv
If there are no rule updates to download (from either VRT or ET) I get this output:
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cummingsj () gmail com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
snort_path = /usr/local/bin/snort
enablesid = /usr/local/etc/snort/enablesid.conf
modifysid = /usr/local/etc/snort/modifysid.conf
IPRVersion = /usr/local/etc/snort/rules/iplists
rule_path = /usr/local/etc/snort/rules/snort.rules
ignore = deleted.rules,experimental.rules,local.rules
state_order = disable,drop,enable
snort_control = /usr/local/bin/snort_control
rule_url = ARRAY(0x8e1aac8)
sid_msg_version = 2
sid_changelog = /var/log/sid_changes.log
sid_msg = /usr/local/etc/snort/sid-msg.map
config_path = /usr/local/etc/snort/snort.conf
temp_path = /tmp
distro = Debian-6-0
version = 0.7.0
sorule_path = /usr/local/lib/snort_dynamicrules/
disablesid = /usr/local/etc/snort/disablesid.conf
dropsid = /usr/local/etc/snort/dropsid.conf
local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
arch Def is: i386
Config Path is: /usr/local/etc/snort/pulledpork.conf
Distro Def is: Debian-6-0
Disabled policy specified
local.rules path is: /usr/local/etc/snort/rules/local.rules
Rules file is: /usr/local/etc/snort/rules/snort.rules
Path to disablesid file: /usr/local/etc/snort/disablesid.conf
Path to dropsid file: /usr/local/etc/snort/dropsid.conf
Path to enablesid file: /usr/local/etc/snort/enablesid.conf
Path to modifysid file: /usr/local/etc/snort/modifysid.conf
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
Snort Version is: 2.9.6.2
Snort Config File: /usr/local/etc/snort/snort.conf
Snort Path is: /usr/local/bin/snort
SO Output Path is: /usr/local/lib/snort_dynamicrules/
Will process SO rules
Extra Verbose Flag is Set
Verbose Flag is Set
*********** Removed Download Logging where the checksums matched and there were no new rules to download
*********************
Cleanup....
removed 0 temporary snort files or directories from /tmp/tha_rules!
Writing /var/log/sid_changes.log....
Done
No Rule Changes
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
If I delete all the rules and re-run PP I get the following output:
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.7.0 - Swine Flu!
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
@_/ / 66\_ cummingsj () gmail com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Config File Variable Debug /usr/local/etc/snort/pulledpork.conf
snort_path = /usr/local/bin/snort
enablesid = /usr/local/etc/snort/enablesid.conf
modifysid = /usr/local/etc/snort/modifysid.conf
IPRVersion = /usr/local/etc/snort/rules/iplists
rule_path = /usr/local/etc/snort/rules/snort.rules
ignore = deleted.rules,experimental.rules,local.rules
state_order = disable,drop,enable
snort_control = /usr/local/bin/snort_control
rule_url = ARRAY(0xa41cac8)
sid_msg_version = 2
sid_changelog = /var/log/sid_changes.log
sid_msg = /usr/local/etc/snort/sid-msg.map
config_path = /usr/local/etc/snort/snort.conf
temp_path = /tmp
distro = Debian-6-0
version = 0.7.0
sorule_path = /usr/local/lib/snort_dynamicrules/
disablesid = /usr/local/etc/snort/disablesid.conf
dropsid = /usr/local/etc/snort/dropsid.conf
local_rules = /usr/local/etc/snort/rules/local.rules
MISC (CLI and Autovar) Variable Debug:
arch Def is: i386
Config Path is: /usr/local/etc/snort/pulledpork.conf
Distro Def is: Debian-6-0
Disabled policy specified
local.rules path is: /usr/local/etc/snort/rules/local.rules
Rules file is: /usr/local/etc/snort/rules/snort.rules
Path to disablesid file: /usr/local/etc/snort/disablesid.conf
Path to dropsid file: /usr/local/etc/snort/dropsid.conf
Path to enablesid file: /usr/local/etc/snort/enablesid.conf
Path to modifysid file: /usr/local/etc/snort/modifysid.conf
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
Snort Version is: 2.9.6.2
Snort Config File: /usr/local/etc/snort/snort.conf
Snort Path is: /usr/local/bin/snort
SO Output Path is: /usr/local/lib/snort_dynamicrules/
Will process SO rules
Extra Verbose Flag is Set
Verbose Flag is Set
*********** Removed Download Logging where the checksums didn't match and the rules files were downloaded
*********************
Prepping rules from opensource.gz for work....
**************removed extra logging *****************
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
**************removed extra logging *****************
Prepping rules from emerging.rules.tar.gz for work....
**************removed extra logging *****************
Prepping rules from community-rules.tar.gz for work....
**************removed extra logging *****************
Generating Stub Rules....
Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf
--dump-dynamic-rules=/tmp/tha_rules/so_rules/
An error occurred: WARNING: ip4 normalizations disabled because not inline.
An error occurred: WARNING: tcp normalizations disabled because not inline.
An error occurred: WARNING: icmp4 normalizations disabled because not inline.
An error occurred: WARNING: ip6 normalizations disabled because not inline.
An error occurred: WARNING: icmp6 normalizations disabled because not inline.
Dumping dynamic rules...
**************removed extra logging *****************
Finished dumping dynamic rules.
Done
Reading rules...
Reading rules...
Cleanup....
removed 202 temporary snort files or directories from /tmp/tha_rules!
Modifying Sids....
Done!
Processing /usr/local/etc/snort/disablesid.conf....
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Disabled 1:xxxxxxx
Modified 8 rules
Done
Processing /usr/local/etc/snort/dropsid.conf....
Modified 0 rules
Done
Processing /usr/local/etc/snort/enablesid.conf....
Modified 0 rules
Done
Setting Flowbit State....
Enabled 119 flowbits
Done
Writing /usr/local/etc/snort/rules/snort.rules....
Done
Generating sid-msg.map....
Done
Writing v2 /usr/local/etc/snort/sid-msg.map....
Done
Writing /var/log/sid_changes.log....
Done
Rule Stats...
New:-------344
Deleted:---16
Enabled Rules:----21793
Dropped Rules:----0
Disabled Rules:---20007
Total Rules:------41800
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Next, if I go into disablesid.conf and add another entry and re-run PP, I get the same output as the first run: the new entry in disablesid.conf doesn't get parsed or disabled in the snort.rules file.
Any ideas?
Jason
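The failure described in this post is silent: PulledPork reports "No Rule Changes" and the sensor keeps running rules the operator believes are disabled. A cheap post-run check is to read disablesid.conf back and confirm that every SID it lists is actually commented out in the generated snort.rules. The script below is an added example, not PulledPork's own code. It assumes the disablesid.conf syntax of comma-separated `gid:sid` entries, `gid:sid-gid:sid` ranges and `#` comments, and that PulledPork disables a rule by prefixing its line with `#`; the rule and conf contents are constructed samples.

```python
import re
from typing import Dict, List, Set, Tuple

SidKey = Tuple[int, int]  # (gid, sid)

# Constructed sample disablesid.conf (assumed PulledPork syntax: gid:sid items,
# comma separated, gid:sid-gid:sid ranges, '#' comments).
SAMPLE_DISABLESID = """\
# quiet some noisy policy rules (constructed sample)
1:2000001, 1:2000002
1:3000000-1:3000003
1:5000000
"""

# Constructed sample of a PulledPork-written snort.rules: a disabled rule is the
# same line with a leading '#'. Rule bodies are abbreviated to the fields we need.
SAMPLE_SNORT_RULES = """\
# alert tcp any any -> any 80 (msg:"SAMPLE disabled"; sid:2000001; gid:1; rev:1;)
alert tcp any any -> any 80 (msg:"SAMPLE still enabled"; sid:2000002; rev:1;)
# alert tcp any any -> any 443 (msg:"SAMPLE range a"; sid:3000000; rev:1;)
# alert tcp any any -> any 443 (msg:"SAMPLE range b"; sid:3000001; rev:1;)
alert tcp any any -> any 443 (msg:"SAMPLE range c"; sid:3000002; rev:1;)
# alert tcp any any -> any 443 (msg:"SAMPLE range d"; sid:3000003; rev:1;)
alert udp any any -> any 53 (msg:"SAMPLE untouched"; sid:4000000; rev:1;)
"""

_ITEM_RE = re.compile(r"(\d+):(\d+)(?:-(\d+):(\d+))?")


def parse_disablesid(text: str) -> Set[SidKey]:
    """Expand a disablesid.conf body into the set of (gid, sid) it asks to disable."""
    wanted: Set[SidKey] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        for item in line.split(","):
            item = item.strip()
            m = _ITEM_RE.fullmatch(item)
            if not m:
                raise ValueError(f"unrecognised disablesid entry: {item!r}")
            gid, start = int(m.group(1)), int(m.group(2))
            end = int(m.group(4)) if m.group(3) else start
            for sid in range(start, end + 1):
                wanted.add((gid, sid))
    return wanted


def rule_states(text: str) -> Dict[SidKey, bool]:
    """Map each (gid, sid) found in a rules file to True if the rule is live, False if commented out."""
    states: Dict[SidKey, bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        sid_m = re.search(r"\bsid:\s*(\d+)\s*;", line)
        if not sid_m:
            continue  # blank line or a comment that is not a rule
        gid_m = re.search(r"\bgid:\s*(\d+)\s*;", line)
        gid = int(gid_m.group(1)) if gid_m else 1  # Snort's default gid is 1
        states[(gid, int(sid_m.group(1)))] = not line.startswith("#")
    return states


def unapplied_disables(disablesid_text: str, rules_text: str) -> List[SidKey]:
    """SIDs requested in disablesid.conf that are still enabled in the rules file."""
    states = rule_states(rules_text)
    return sorted(k for k in parse_disablesid(disablesid_text) if states.get(k, False))


def missing_sids(disablesid_text: str, rules_text: str) -> List[SidKey]:
    """SIDs requested in disablesid.conf that do not appear in the rules file at all."""
    states = rule_states(rules_text)
    return sorted(k for k in parse_disablesid(disablesid_text) if k not in states)


if __name__ == "__main__":
    # On a real sensor, read the two paths from pulledpork.conf instead of the samples.
    still_on = unapplied_disables(SAMPLE_DISABLESID, SAMPLE_SNORT_RULES)
    absent = missing_sids(SAMPLE_DISABLESID, SAMPLE_SNORT_RULES)
    for gid, sid in still_on:
        print(f"NOT DISABLED: {gid}:{sid}")
    for gid, sid in absent:
        print(f"NOT IN RULES FILE: {gid}:{sid}")
    raise SystemExit(1 if still_on else 0)
```

Run it after every PulledPork invocation and before restarting Snort; a non-zero exit is the signal that the rule file does not reflect the tuning files, whether because of the behaviour described in this thread or a typo in the conf. Entries that are absent from the rules file entirely are reported separately, since an unknown SID is a different problem from an unapplied one.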