Snort mailing list archives
Re: Misses with Pulledpork
From: James Lay via Snort-users <snort-users () lists snort org>
Date: Thu, 05 Sep 2019 13:24:30 -0600
Thanks Joel. As a side note I re-enabled gen_id 129, sig_id 20, the TCP 3-way handshake rule, and now no issues. The cause? I suspect that TCP sessions that started before snort was restarted with the new rules, and then generated traffic, caused these to fire off...which...makes sense really. Thank you!

James

On 2019-09-05 12:39, Joel Esler (jesler) wrote:
Whoops, hit send too fast. Sorry all. We decided that gen-msg.map should only ship with the Snort tarball, as it wasn't going to change outside of that.

Sent from my iPad

On Sep 5, 2019, at 14:38, jesler () cisco com wrote:

Absolutely. It rarely changes (don't remember the last time it changed, matter of fact).

Sent from my iPad

On Sep 5, 2019, at 13:56, James Lay via Snort-users <snort-users () lists snort org> wrote:

So after digging in, it looks like the preprocessor rules are all pulled into the snort.rules file proper, which explains the old rules in preproc_rules. The only other item is that gen-msg.map isn't updated, isn't in the snort rules tarball, and is only found in the snort source tarball, so going forward that's a file to remember to install when upgrading. Thanks all!

James

On 2019-09-04 11:00, James Lay via Snort-users wrote:

Here we go!!!! So ok....after the events of last Friday it was time to revisit exactly how/what pulledpork updates; test environment, minimal pulledpork.conf and snort.conf designed just for testing updates (NOT FOR ACTUAL IDS/IPS USAGE).

I prefer to keep most compiled apps in /opt so here's the config line for 2.9.14.1:

./configure --prefix=/opt/snort --disable-open-appid --enable-sourcefire --enable-non-ether-decoders

snort.conf:
###################################################################
var CONF_PATH /opt/snort/etc
var RULE_PATH /opt/snort/etc/rules
var LIB_PATH /opt/snort/lib
var PREPROC_RULE_PATH $RULE_PATH/preproc_rules
var WHITE_LIST_PATH $RULE_PATH/iplists
var BLACK_LIST_PATH $RULE_PATH/iplists
dynamicpreprocessor directory /opt/snort/lib/snort_dynamicpreprocessor
dynamicengine /opt/snort/lib/snort_dynamicengine/libsf_engine.so
dynamicdetection directory /opt/snort/lib/snort_dynamicrules
include /opt/snort/etc/classification.config
include /opt/snort/etc/reference.config
output alert_fast: /opt/snort/var/log/snort.fast
include $RULE_PATH/snort.rules
###################################################################

pulledpork.conf:
###################################################################
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-.tar.gz|xxxxxxxxxxxxxxxxxxxxxxxxx
rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|xxxxxxxxxxxxxxxxx
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
ignore=deleted.rules,experimental.rules
temp_path=/tmp
rule_path=/opt/snort/etc/rules/snort.rules
local_rules=/opt/snort/etc/rules/local.rules
sid_msg=/opt/snort/etc/sid-msg.map
sid_msg_version=1
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/snort/lib/snort_dynamicrules
snort_path=/opt/bin/snort
config_path=/opt/snort/etc/snort.conf
distro=Ubuntu-18-4
black_list=/opt/snort/etc/rules/iplists/black_list.rules
IPRVersion=/opt/snort/etc/rules/iplists
version=0.7.4
###################################################################

Some notes for the above: you MUST have the directories for sorule_path 100% correct and matching for your stub rules to update. Also mind the distro= line and make sure it's not wildly off. If either of the previous are the case, Pulledpork will silently skip over SO rules when these aren't correct....those of you having SO rules issues double check these....every time I think these aren't the reason they uh.....are the reason.

Yesterday after a pulledpork update run I did a mass touch of my entire snort directory, timestamping it for Sep 3rd. Today I've run the below:

/opt/bin/pulledpork.pl -P -l -c /opt/snort/etc/pulledpork/pulledpork.conf

first up, dynamic rules:

drwxr-xr-x 2 root root 4096 Sep 4 16:46 /opt/snort/lib/snort_dynamicrules
total 11432
-rwxr-xr-x 1 root root 73960 Aug 29 16:24 browser-chrome.so

stubs were generated, directory timestamp shows that, also the pulledpork run reflects this:

Generating Stub Rules.... Done

next, sid-msg.map:

-rw-r--r-- 1 root root 13187819 Sep 4 16:46 sid-msg.map

updated....expected.

next, snort.rules:

-rw-r--r-- 1 root root 56614387 Sep 4 16:46 snort.rules

updated...expected.

next, preproc_rules:

drwxr-xr-x 2 root root 4096 Sep 3 20:42 preproc_rules
-rw------- 1 root root 18748 Sep 3 20:42 decoder.rules
-rw------- 1 root root 36577 Sep 3 20:42 preprocessor.rules
-rw------- 1 root root 1309 Sep 3 20:42 sensitive-data.rules

these are a miss...indeed checking some systems I've had running for years I see the same files with a timestamp of 2011(!!!). Either pulledpork will want to incorporate these in, or we'll have to roll our own.

lastly, gen-msg.map:

-rw-r--r-- 1 root root 29805 Sep 3 20:42 gen-msg.map

a miss as well, so again...either pulledpork will want to incorporate this as well, or we'll have to roll our own. So there we go....unless I've missed something my update process has been missing a few things for the past...oh.....13 years?

Thank you....comments and corrections always welcome as I usually end up screwing something up :)

James

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
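As an added example (not code from the thread, from Snort or from pulledpork), a POSIX shell check that automates the timestamp audit James does by hand in the quoted message: touch a marker file before the pulledpork run, then compare the files pulledpork is expected to rewrite against it. It assumes the /opt/snort layout of the test config above; preproc_rules and gen-msg.map are left out of the list because the thread concludes pulledpork never rewrites them.

```shell
#!/bin/sh
# Added example: post-run audit for pulledpork. Usage:
#   touch /opt/snort/etc/pp-marker && pulledpork.pl -P -l -c ... && \
#   audit_pulledpork_run /opt/snort/etc/pp-marker
# Paths default to the /opt/snort layout from the thread (an assumption).

# stale_files MARKER FILE...
# Prints "stale <file>" for each FILE not newer than MARKER and
# "missing <file>" for each FILE that does not exist.
# Returns 0 when every file is fresh, 1 otherwise.
stale_files() {
    marker=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'missing %s\n' "$f"; rc=1
        elif [ ! "$f" -nt "$marker" ]; then
            printf 'stale %s\n' "$f"; rc=1
        fi
    done
    return $rc
}

# audit_pulledpork_run MARKER [SNORT_ETC] [SORULE_DIR]
# Everything pulledpork manages must be newer than MARKER. The .so files
# keep the tarball's mtime (Aug 29 in the thread while the run was Sep 4),
# so the SO rule directory's mtime is checked instead: it changes when the
# stubs are re-extracted, and stays old when sorule_path or distro= is
# wrong and pulledpork silently skips the SO rules.
# preproc_rules/*.rules and gen-msg.map are deliberately absent: the
# preprocessor rules are merged into snort.rules, and gen-msg.map only
# ships with the Snort source tarball, so old timestamps there are normal.
audit_pulledpork_run() {
    marker=$1
    etc=${2:-/opt/snort/etc}
    sodir=${3:-/opt/snort/lib/snort_dynamicrules}
    stale_files "$marker" \
        "$etc/rules/snort.rules" \
        "$etc/sid-msg.map" \
        "$sodir"
}

# Run the audit when invoked as a script with a marker path.
if [ "$#" -ge 1 ]; then
    audit_pulledpork_run "$@"
fi
```

An empty report with exit status 0 means the run refreshed everything it should have; any "stale" line for the SO directory is the sorule_path/distro= symptom described above.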
Current thread:
- Misses with Pulledpork James Lay via Snort-users (Sep 04)
- Re: Misses with Pulledpork Joel Esler (jesler) via Snort-users (Sep 04)
- Re: Misses with Pulledpork James Lay via Snort-users (Sep 04)
- Re: Misses with Pulledpork James Lay via Snort-users (Sep 05)
- Re: Misses with Pulledpork Joel Esler (jesler) via Snort-users (Sep 05)
- Re: Misses with Pulledpork Joel Esler (jesler) via Snort-users (Sep 05)
- Re: Misses with Pulledpork James Lay via Snort-users (Sep 05)
- Re: Misses with Pulledpork Joel Esler (jesler) via Snort-users (Sep 05)
- Re: Misses with Pulledpork James Lay via Snort-users (Sep 05)
- Re: Misses with Pulledpork Joel Esler (jesler) via Snort-users (Sep 05)
- Re: Misses with Pulledpork Joel Esler (jesler) via Snort-users (Sep 04)