Re: [Snort-users] snort and snort-rules/ET alerts

["Michael Steele" <michaels () winsnort com>]

I think the primary objective is to get PP to be all inclusive, and cross
platform compatible.

I'm sure there is a solution that works under both platforms, but it may
take the development team to include a specific output switch to display
version only output (x.x.x.x), which would simplify the process.

PP seems to be pretty popular, so maybe they would be open to including
something like that?

However, anything that works will do because there are those that update
Snort and forget to change the snort_version in the pulledpork.conf every
time there is a version change.

-----Original Message-----
From: Joel Esler (jesler) [mailto:jesler () cisco com] 
Sent: Saturday, December 3, 2016 10:48 AM
To: wkitty42 () windstream net
Cc: Michael Steele <michaels () winsnort com>; Michael Shirk
<shirkdog.bsd () gmail com>
Subject: Re: [Snort-users] snort and snort-rules/ET alerts

That'd be a great faq 

--
Sent from my iPhone

> On Dec 3, 2016, at 10:32 AM, "wkitty42 () windstream net"
<wkitty42 () windstream net> wrote:
> *OFF LIST*
>
>
> > On 12/03/2016 09:06 AM, Michael Steele wrote:
> > There should be some ingenious way for PulledPork to pull the version 
> > of Snort using Windows. This may take a collaboration between the 
> > Snort development team and the PulledPork programmer.
>
>
> in one of my linux apps that interfaces with snort, we simply do a "snort
-V" and redirect the output for parsing... when we parse the output, we
specifically look for the line that has "Version" in it and pull the version
information from it...
> ===== snip snortvertest.pl =====
> #!/usr/bin/perl
>
> print "Snort version from 'snort -V' :\n"; 
> open(MY_INPUT,"/usr/bin/snort -V 2>&1 |");
> while(<MY_INPUT>) {
>    chomp;
>    if (/Version\s+(.*)/) {
>        ($display_version, $sub1, $sub2, $sub3, $sub4) = split(/ /,$1);
>        $snort_version = "$display_version";
>        $snort_version =~ s/\.//g;
>    }
> }
> close(MY_INPUT);
>
> # so far VRT/Talos hasn't used snort subversion numbers larger than # 
> single digits so this should work fine for the foreseeable future.
> # basically they seem to be numbering as [0-9]\.[0-9]\.[0-9]\.[0-9]...
> # in the above we set $snort_version the same as what we grabbed as # 
> $display_version... then we simply sed'ed out the dots to get a # raw 
> numerical representation of the version... there must be # trailing 
> zeros added to the version number for the url of the # VRT/Talos rules 
> snapshots... trailing zeros which seem to be left # out when a version 
> update is made and the new version number # generated.
> # eg: 2.9   != 2.9.0.0
> #     2.9.8 != 2.9.8.0
> while (length($snort_version) < 4) {
>    $snort_version .= '0';
> }
>
> print "$display_version => $snort_version\n";
>
> my $VRT_file = "snortrules-snapshot-$snort_version.tar.gz";
>
> my %snortsettings;
> &readhash("${somepath}/snort/settings", \%snortsettings); my $url = 
> "https://www.snort.org/rules/$VRT_file?oinkcode=$snortsettings{'OINK'}
> ";
>
> print "Request url: $url\n";
> ===== snip =====
>
>
> the output looks something like this...
>
> ===== snip =====
> Snort version from 'snort -V' :
> 2.9.8.3 => 2983
> Request url: 
> https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=b
> lahblahblahblahblahblahblah
> ===== snip =====
>
>
> granted, the above is on linux but the snort output should be able to be
redirected to a temp text file in winwhatever and parsed with similar
code... as we've never messed with snort on winwhatever, we can only assume
that the output of the version option is plain text to a terminal screen...
if that is the case, the above piping method or using a temp text file
should work...
> there is a settings file with some options in it... the oinkcode being 
> the most important one... is it saved in the file as
>
> OINK=blahblahblahblahblahblahblah
>
> we have our own readhash procedure which loads the settings from the 
> file... as you can see, the oinkcode is used directly in the url... 
> since this is a testing script, some assumptions are made and error 
> checks like making sure there is something in the oinkcode field 
> should be done before assuming such ;)


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!