Snort mailing list archives

Re: typical errors when trying pulledpork


From: PR <oly562 () gmail com>
Date: Fri, 07 Sep 2012 13:17:26 -0700

I guess I should wait 15 mins? I don't think I can grab another since I
don't pay for rules... what do you think? Should I just go for it?



On Fri, 2012-09-07 at 13:15 -0700, PR wrote:
Next error... I mv'd this file, guess I should put it back...

./pulledpork.pl -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj () gmail com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
Rules tarball download of snortrules-snapshot-2920.tar.gz....
      They Match
      Done!
Prepping rules from snortrules-snapshot-2920.tar.gz for work....
      Done!
Reading rules...
Generating Stub Rules....
      An error occurred: ERROR: Unable to open rules file "/usr/local/etc/snort/database.conf": No such file or directory.

      An error occurred: Fatal Error, Quitting..


more to follow....

On Fri, 2012-09-07 at 12:30 -0700, PR wrote:
Oops, I figured out my mistake lolol...

OK, but now I run into the same prob as before: versioning!


Here is what I get when I do the cmd properly, at the tail of stdout:

The specified Snort binary does not exist!
Please correct the value or specify the FULL rules tarball name in the
pulledpork.conf!
 at ./pulledpork.pl line 1736.

I will go to pulledpork.pl line 1736 now. brb.......



OK, I thought, no, I swear it says on the snort.org page that pulledpork will
automagically decide which version to download/upgrade rules to.


-*> Snort! <*-
  o"  )~   Version 2.9.2 IPv6 GRE (Build 78) 
   ''''    By Martin Roesch & The Snort Team:

So...... let me guess, 2.9.2 isn't "supported". Here is what I think: I
think it's too hard for anyone to simply update rules unless you always
update your snort program to the same version, that's just ludicrous!

Yes, I'm running acidbase, yes it was loaded with apt-get install
snort-mysql snort acidbase, so what...

I can move files and confs to point in the right direction, not the issue;
it's the updating of the snort program and ONLY allowing automation to
those who either
1. pay
2. pay to have you guys install
3. pay to stay current
4. pay pay pay, rather than providing a script that keeps the snort
program updated no matter what version you have, within reason, like 2.9.x
5. How about fixing that perl script on the server side to allow us to
download the files automagically as it claims

I have used snort since the beginning, it always was easy to update and so forth,
but now, it's getting silly.

OK, there, I'm done ranting; however, I still need FREE input, like
community input.

If not, as usual I will just figure it out, may take a while but I'll
get it, I have before, and can do again. I'm complaining because it's not
simple anymore. Or as simple as it can be to download some rules
automatically.

Sighs.... you can comment if you like, but I know each of you has been
here before at some point in your snorting career...



On Fri, 2012-09-07 at 12:13 -0700, PR wrote:
Hi all,


1. Modified and created dirs for what pulledpork.conf requires, as root
user.


2. Ran this cmd:

root@myserverhere:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security


3. Got this error:

root@myserverhere:/usr/local/etc/pulledpork-0.6.1/etc# ./pulledpork.conf -c /usr/local/etc/pulledpork-0.6.1/etc/pulledpork.conf -I Security
./pulledpork.conf: line 21: 6d31c34a34b8e7d8a42751d16b50e3dda634XXXX: command not found
./pulledpork.conf: line 21: snortrules-snapshot.tar.gz: command not found


4. Here is the conf in its entirety:

# more pulledpork.conf
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
#######  The below section defines what your oinkcode is (required for
#######  VRT rules), defines a temp path (must be writable) and also
#######  defines what version of rules that you are getting (for your
#######  snort version and subscription etc...)
#######

# The rule_url value replaces the old base_url and rule_file configuration
# options.  You can now specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>



##*** ( here is line 21 )***

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX

# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|6d31c34a34b8e7d8a42751d16b50e3dda634XXXX



#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces.  There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
#
ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data

# Define your Oinkcode - DEPRICATED, SEE RULE_URL
# oinkcode=replacethiswithyouroinkcode

# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp

#######
#######  The below section is for rule processing.  This section is
#######  required if you are not specifying the configuration using
#######  runtime switches.  Note that runtime switches do SUPERSEED
#######  any values that you have specified here!
#######

# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
rule_path=/usr/local/etc/snort/rules/snort.rules

# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here.  If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set


###(created all the dirs and pointed to currently snort.conf )

# out_path=/usr/local/etc/snort/rules/

# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information.  You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
###(yadda)

local_rules=/usr/local/etc/snort/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map

# Where do you want me to put the sid changelog?  This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional

#######
#######  The below section is for so_rule processing only.  If you don't
#######  need to use them.. then comment this section out!
#######  Alternately, if you are not using pulledpork to process
#######  so_rules, you can specify -T at runtime to bypass this altogether
#######

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
#snort_path=/usr/local/bin/snort

(modified current path)

snort_path=/usr/sbin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files

config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
# OpenSUSE-11-3
distro=FreeBSD-8.0

#######  This next section is optional, but probably pretty useful to you.
#######  Please read thoroughly!

# What do you want to backup and archive?  This is a comma separated list
# of file or directory values.  If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
#
backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/lib/snort_dynamicrules/

# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completeion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup

# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted.  Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www

# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions.  An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable


# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
#
pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid

# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# Defining this value will set the Textonly flag, and thus will NOT allow
# you to use shared object rules.  This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0

# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf

# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security

####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.

version=0.6.0


5. Your thoughts? Your suggestions?

Thanks, Pete

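As an added illustration (not pulledpork's own Perl and not from the thread), this is the rule_url handling that the quoted conf comments describe: each entry is url|tarball|oinkcode, several entries may be comma-separated on one line, and the VRT snapshot name gets the Snort version filled in only when the name lacks one. It assumes the version suffix is the four-part version with the dots removed, as the thread's snortrules-snapshot-2920.tar.gz for Snort 2.9.2 suggests; the conf text, the banner line and the oinkcode are constructed placeholders.

```python
import re

# Constructed sample in the shape of the quoted pulledpork.conf; the
# oinkcode below is a placeholder, not a real one.
SAMPLE_CONF = """\
# comments and unrelated keys are skipped
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open,https://x.y.z/|b.tar.gz|456
snort_path=/usr/sbin/snort
"""

# Banner line in the form `snort -V` printed in the thread (constructed).
SNORT_BANNER = "Version 2.9.2 IPv6 GRE (Build 78)"


def snort_version(banner):
    """Extract the version from a `snort -V` banner and pad it to the
    four-part form the conf says is required ('2.9.2' -> '2.9.2.0')."""
    m = re.search(r"Version (\d+(?:\.\d+){1,3})\b", banner)
    if not m:
        raise ValueError("no Snort version found in banner")
    parts = m.group(1).split(".")
    return ".".join(parts + ["0"] * (4 - len(parts)))


def parse_rule_urls(conf_text):
    """Return (url, tarball, oinkcode) for every active rule_url entry.
    Fields are pipe-separated; entries may be comma-separated on one line."""
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("rule_url="):   # skips comments and other keys
            continue
        for item in line[len("rule_url="):].split(","):
            fields = item.split("|")
            if len(fields) != 3 or not all(fields):
                raise ValueError("malformed rule_url entry: %r" % item)
            entries.append(tuple(fields))
    return entries


def versioned_tarball(tarball, version):
    """Fill in the VRT snapshot version only when the name lacks one
    (assumed suffix format: '-2920' for version 2.9.2.0)."""
    if tarball.startswith("snortrules-snapshot") and not re.search(r"-\d+\.tar\.gz$", tarball):
        return "snortrules-snapshot-%s.tar.gz" % version.replace(".", "")
    return tarball


def resolve_rule_urls(conf_text, banner):
    """Parsed entries with every tarball name resolved against the banner."""
    ver = snort_version(banner)
    return [(u, versioned_tarball(t, ver), o) for u, t, o in parse_rule_urls(conf_text)]
```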

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

