Snort mailing list archives
Re: Pulled Pork Question
From: "Starner, Mark" <mark.starner () unisys com>
Date: Thu, 11 Jul 2013 13:09:05 -0500
Almost – I have 4 rules files:

snort.rules
emerging-threats.rules
company.rules – private rules used on all sensors
local.rules – rules just for this sensor

This lets me manage which rules are in use without having to regenerate one big file. So I don't need the consolidated snort.rules, but I could throw that away I guess.... I will try it.

I made a pulledpork.conf file:

rule_url=https://www.snort.org/sub-rules/|snortrules-snapshot-2946.tar.gz|8e6c29d606b91be14b8a29cc23157051deac3047
#ignore=deleted.rules,experimental.rules,local.rules,sensitive-data
temp_path=/tmp
rule_path=/tmp/rules
sid_msg=/tmp/sid-msg.map
snort_path=/usr/bin/snort
version=0.6.0

(it seems to need rule_url even though I am not downloading anything)

Then ran:

pulledpork.pl -n -c ./pulledpork.conf

And got:

file /tmp//snortrules-snapshot-2946.tar.gz does not exist!

So it is still looking for the Snapshot file..... I don't see an option which allows me to specify a directory to read .rules files from.... What am I missing????

Thanks
Mark

From: Y M [mailto:snort () outlook com]
Sent: Thursday, July 11, 2013 1:24 PM
To: Starner, Mark; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Pulled Pork Question

If you use -n with your PulledPork, it will not download the ruleset from the Snort website; instead it will process a local ruleset (default directory is /tmp). This will generate the sid-msg.map as well as the snort.rules file, given the configuration set up in your pulledpork.conf file. Is this what you are after?

Sent from my Windows Phone
_____
From: Starner, Mark <mailto:mark.starner () unisys com>
Sent: 7/11/2013 7:57 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Pulled Pork Question

Is there a combination of options to Pulled Pork (running 0.6.1 right now) to only generate the sid-msg.map file? I.e. I give it a list of rules files, or a directory holding rules files, and all it does is generate the sid-msg.map file?
My sid-msg.map file is different on each sensor I have, because each sensor may have local rules only on that sensor. So while I use PP to do everything else, I generate the sid-msg.map file on the sensor itself once I push the new rules to it. I have been using the old create_sidmap.pl file from oinkmaster (but it looks like it will be difficult to modify to support sid-msg.map v2). So I would like to use PP to do this, and upgrade to the newer version that supports v2 of the sid-msg.map file.

Thanks
Mark
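The per-sensor map generation the original question asks for (read a directory of .rules files, emit only sid-msg.map), as an added example that is not part of the thread, of PulledPork, or of oinkmaster's create_sidmap.pl. It assumes the v2 layout `#v2` header then `gid || sid || rev || classtype || priority || msg || ref ...`, takes the classtype-to-priority values as placeholders for what classification.config would supply, and uses constructed sample rules.

```python
import re
from pathlib import Path

# Constructed sample rules (not from the thread): two active rules, one commented out,
# one continued across lines with a trailing backslash.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh scan"; flow:to_server; sid:1000001; rev:2; classtype:attempted-recon; reference:url,example.invalid/ssh;)
# alert tcp any any -> any 80 (msg:"DISABLED rule"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"LOCAL dns query, multi-line"; \
    gid:1; sid:1000003; rev:1; classtype:policy-violation; reference:cve,0000-0000; reference:url,example.invalid/dns;)
'''

# Priority per classtype as classification.config would assign it (values assumed here);
# rules with an unknown classtype fall back to priority 3 (also an assumption).
CLASS_PRIORITY = {"attempted-recon": 2, "policy-violation": 1}
OPTION = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]*);')  # keyword:value; (value may be quoted)

def parse_rules(text):
    """Yield one dict per active rule; commented-out rules are skipped, continuation lines joined."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(" not in line or ")" not in line:
            continue
        rule = {"gid": "1", "refs": []}  # gid defaults to 1 when the rule does not set it
        for key, val in OPTION.findall(line[line.index("(") + 1:line.rindex(")")]):
            val = val.strip().strip('"')
            if key == "reference":
                rule["refs"].append(val)
            elif key in ("gid", "sid", "rev", "msg", "classtype"):
                rule[key] = val
        if "sid" in rule:
            yield rule

def sidmap_v2_lines(rule_texts):
    """Render v2 map lines: gid || sid || rev || classtype || priority || msg || ref ..."""
    rules = [r for text in rule_texts for r in parse_rules(text)]
    lines = ["#v2"]
    for r in sorted(rules, key=lambda r: (int(r["gid"]), int(r["sid"]))):
        cls = r.get("classtype", "")
        fields = [r["gid"], r["sid"], r.get("rev", "1"), cls,
                  str(CLASS_PRIORITY.get(cls, 3)), r.get("msg", "")]
        lines.append(" || ".join(fields + r["refs"]))
    return lines

def write_sidmap(rules_dir, out_path):
    """Build sid-msg.map from every *.rules file in rules_dir (e.g. the per-sensor set)."""
    texts = [p.read_text() for p in sorted(Path(rules_dir).glob("*.rules"))]
    Path(out_path).write_text("\n".join(sidmap_v2_lines(texts)) + "\n")

if __name__ == "__main__":
    print("\n".join(sidmap_v2_lines([SAMPLE_RULES])))
```

Pointing write_sidmap at the sensor's rules directory produces the map for exactly the rule files present there, so snort.rules, company.rules and local.rules can be combined per sensor without a snapshot tarball.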