Re: New install of PulledPork - Questions


JJC

Aug 17, 2012, 9:58:17 AM
to pulledpo...@googlegroups.com
There are some changes that simply have not been committed to SVN just yet. That being said, PP doesn't download every time but does run (in the event that you may be tuning). There is a feature that will be committed soon that will stop that also, if you want, when there is no new file. The runtime issue is that you are extracting the rules documentation (this is the longest process that PP will run).

JJC

On Fri, Aug 17, 2012 at 7:45 AM, MichaelS <zips...@gmail.com> wrote:

I have PulledPork running again, and I'm trying to assimilate it into my guides. It's been several months since I pulled the SVN, and I just pulled it again and the code is the same. Has development stopped on this project, or am I grabbing the wrong code?

The reason I'm asking: the SVN states version 0.6.1 and this pull is 0.6.0. Also, I ran PulledPork yesterday and it processed. I ran it again today; it matched the MD5 codes for the 2 files, said it wasn't downloading, but it appears to be processing the rules again. I'm not sure why PulledPork is processing the rules again?

I did remove several of the # marks from the snort.rules file. Shouldn't PulledPork only be processing the sid.msg.map file if there are no new files to download? It takes about 20 minutes when PulledPork runs each time.

This is what I got on the second run.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Config File Variable Debug d:\winids\pulledpork\etc\pulledpork.conf
        temp_path = c:\windows\temp
        version = 0.6.0
        rule_path = d:\winids\snort\rules\winids.rules
        ignore = deleted.rules,experimental.rules,local.rules
        rule_url = ARRAY(0x2648d4c)
        snort_version = 2.9.3.0
        sid_changelog = d:\winids\snort\log\sid_changes.log
        sid_msg = d:\winids\snort\etc\sid-msg.map
        local_rules = d:\winids\snort\rules\local.rules
        docs = d:\winids\apache24\htdocs\base\signatures\
Use of uninitialized value $Snort_path in -B at d:\winids\pulledpork\pulledpork.pl line 1565.
'uname' is not recognized as an internal or external command,
operable program or batch file.
MISC (CLI and Autovar) Variable Debug:
        Config Path is: d:\winids\pulledpork\etc\pulledpork.conf
        Docs Reference Location is: d:\winids\apache24\htdocs\base\signatures\
        Disabled policy specified
        local.rules path is: d:\winids\snort\rules\local.rules
        Rules file is: d:\winids\snort\rules\winids.rules
        sid changes will be logged to: d:\winids\snort\log\sid_changes.log
        sid-msg.map Output Path is: d:\winids\snort\etc\sid-msg.map
        Snort Version is: 2.9.3.0
        Text Rules only Flag is Set
        Verbose Flag is Set
        Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|991158d6f0847841cffbe085a91b7c5775ba98cf https://www.snort.org/reg-rules/|opensource.gz|991158d6f0847841cffbe085a91b7c5775ba98cf
Checking latest MD5 for snortrules-snapshot-2930.tar.gz....
        Fetching md5sum for: snortrules-snapshot-2930.tar.gz.md5
** GET https://www.snort.org/reg-rules/snortrules-snapshot-2930.tar.gz.md5/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 200 OK (2s)
        most recent rules file digest: ff1d9500ebff89f1f6062e9a994a4a2c
        current local rules file  digest: ff1d9500ebff89f1f6062e9a994a4a2c
        The MD5 for snortrules-snapshot-2930.tar.gz matched ff1d9500ebff89f1f6062e9a994a4a2c
        so I'm not gonna download the rules file again suckas!
Prepping rules from snortrules-snapshot-2930.tar.gz for work....
        extracting contents of c:\windows\temp/snortrules-snapshot-2930.tar.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
        Extracted: /tha_rules/VRT-misc.rules
        Extracted: /tha_rules/VRT-indicator-compromise.rules
        Extracted: /tha_rules/VRT-file-pdf.rules
        Extracted: /tha_rules/VRT-content-replace.rules
        Extracted: /tha_rules/VRT-file-identify.rules
        Extracted: /tha_rules/VRT-specific-threats.rules
        Extracted: /tha_rules/VRT-file-office.rules
        Extracted: /tha_rules/VRT-rpc.rules
        Extracted: /tha_rules/VRT-dns.rules
        Extracted: /tha_rules/VRT-snmp.rules
        Extracted: /tha_rules/VRT-policy-other.rules
        Extracted: /tha_rules/VRT-web-coldfusion.rules
        Extracted: /tha_rules/VRT-chat.rules
        Extracted: /tha_rules/VRT-voip.rules
        Extracted: /tha_rules/VRT-pop3.rules
        Extracted: /tha_rules/VRT-preprocessor.rules
        Extracted: /tha_rules/VRT-policy-social.rules
        Extracted: /tha_rules/VRT-scada.rules
        Extracted: /tha_rules/VRT-other-ids.rules
        Extracted: /tha_rules/VRT-sql.rules
        Extracted: /tha_rules/VRT-icmp.rules
        Extracted: /tha_rules/VRT-pua-p2p.rules
        Extracted: /tha_rules/VRT-info.rules
        Extracted: /tha_rules/VRT-server-mail.rules
        Extracted: /tha_rules/VRT-netbios.rules
        Extracted: /tha_rules/VRT-smtp.rules
        Extracted: /tha_rules/VRT-sensitive-data.rules
        Extracted: /tha_rules/VRT-web-iis.rules
        Extracted: /tha_rules/VRT-botnet-cnc.rules
        Extracted: /tha_rules/VRT-pua-toolbars.rules
        Extracted: /tha_rules/VRT-mysql.rules
        Extracted: /tha_rules/VRT-virus.rules
        Extracted: /tha_rules/VRT-web-misc.rules
        Extracted: /tha_rules/VRT-tftp.rules
        Extracted: /tha_rules/VRT-blacklist.rules
        Extracted: /tha_rules/VRT-shellcode.rules
        Extracted: /tha_rules/VRT-spyware-put.rules
        Extracted: /tha_rules/VRT-exploit.rules
        Extracted: /tha_rules/VRT-ddos.rules
        Extracted: /tha_rules/VRT-attack-responses.rules
        Extracted: /tha_rules/VRT-telnet.rules
        Extracted: /tha_rules/VRT-icmp-info.rules
        Extracted: /tha_rules/VRT-indicator-obfuscation.rules
        Extracted: /tha_rules/VRT-x11.rules
        Extracted: /tha_rules/VRT-p2p.rules
        Extracted: /tha_rules/VRT-scan.rules
        Extracted: /tha_rules/VRT-ftp.rules
        Extracted: /tha_rules/VRT-web-php.rules
        Extracted: /tha_rules/VRT-web-activex.rules
        Extracted: /tha_rules/VRT-decoder.rules
        Extracted: /tha_rules/VRT-web-frontpage.rules
        Extracted: /tha_rules/VRT-rservices.rules
        Extracted: /tha_rules/VRT-file-other.rules
        Extracted: /tha_rules/VRT-backdoor.rules
        Extracted: /tha_rules/VRT-multimedia.rules
        Extracted: /tha_rules/VRT-web-client.rules
        Extracted: /tha_rules/VRT-policy.rules
        Extracted: /tha_rules/VRT-imap.rules
        Extracted: /tha_rules/VRT-web-attacks.rules
        Extracted: /tha_rules/VRT-nntp.rules
        Extracted: /tha_rules/VRT-dos.rules
        Extracted: /tha_rules/VRT-finger.rules
        Extracted: /tha_rules/VRT-phishing-spam.rules
No such file in archive: 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 289
Could not find an entry for 'doc/signatures/rules/VRT-License.txt' at d:\winids\pulledpork\pulledpork.pl line 289
        Extracted: /tha_rules/VRT-oracle.rules
        Extracted: /tha_rules/VRT-policy-multimedia.rules
        Extracted: /tha_rules/VRT-pop2.rules
        Extracted: /tha_rules/VRT-bad-traffic.rules
        Extracted: /tha_rules/VRT-web-cgi.rules
Checking latest MD5 for opensource.gz....
        Fetching md5sum for: opensource.gz.md5
** GET https://www.snort.org/reg-rules/opensource.gz.md5/991158d6f0847841cffbe085a91b7c5775ba98cf ==> 200 OK (1s)
        most recent rules file digest: 09e69d53d4dac50ab24551f6e224b492
        current local rules file  digest: 09e69d53d4dac50ab24551f6e224b492
        The MD5 for opensource.gz matched 09e69d53d4dac50ab24551f6e224b492
        so I'm not gonna download the rules file again suckas!
Prepping rules from opensource.gz for work....
        extracting contents of c:\windows\temp/opensource.gz...
        Ignoring plaintext rules: deleted.rules
        Ignoring plaintext rules: experimental.rules
        Ignoring plaintext rules: local.rules
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

After configuring and running PulledPork it grabbed the latest rules and placed all the rules into the snort/rules/snort.rules file. It also placed all the disabled (#) rules in there as well.

How does PulledPork deal with these (#) rules? On a brand new pull, say I uncomment several of the '# alert' rules; what happens to these rules the next time a rule update is performed by PulledPork?

There are 3 .rules files in the preproc_rules folder, and it appears they are assimilated into the snort.rules file on the initial run. Is this the best way to handle these preproc_rules? The Snort original install includes the snort\preproc_rules folder and there are 3 .rules files inside that folder. Should this folder be removed to allow PulledPork to assimilate those 3 .rules files into the main snort.rules file when it runs, or should they be moved out of the preproc_rules folder to the main snort\rules folder, with the 3 names placed on the ignore= line of pulledpork.conf? I'm unsure whether the rules in the preproc_rules folder change between Snort versions.

Kindest regards,

Michael..


Michael Steele

Aug 17, 2012, 10:38:07 AM
to pulledpo...@googlegroups.com

I understand the processing time. I see that it is bypassing the download. Every time PP runs it's going to do a full process, minus the downloads if the MD5 matches.

So, if there are any changes to the snort.rules files, then PP needs to run again?

It appears to even be processing the signature files again, even with no new download, and this process could save time by not processing unless a new download has happened, and I am sure there could be some more time-saving features added if there have been no new downloads. It's almost a lunch break while it processes.

Not sure if you saw this at the bottom, but I'm not understanding how PP operates.

After configuring and running PulledPork it grabbed the latest rules and placed all the rules into the snort/rules/snort.rules file. It also placed all the disabled (#) rules in there as well.

How does PulledPork deal with these (#) rules? On a brand new pull, say I uncomment several of the '# alert' rules; what happens to these rules the next time a new rule download is performed?

The rules it downloads have the rules in it that are # alert, and I've removed the # and activated the rule.

JJC

Aug 17, 2012, 10:47:25 AM
to pulledpo...@googlegroups.com
Yes, PP should read the original files; the idea is that you use the various disablesid.conf, enablesid.conf, modifysid.conf etc. to enable, disable, modify etc. As such we want to be sure that we are using an original rule before we alter it. To reduce the time, have a second pulledpork.conf file that does NOT include your docs tarball.

Pulledpork places them in there for reference; it uses them to determine what is new/deleted/changed when you download a new rules tarball, thus the resulting report output. You should NOT be uncommenting rules in the snort.rules file; this functionality is in the various functions of pulledpork (enablesid, disablesid etc.).

You should leave the preproc_rules where pulledpork is putting them. The WHOLE purpose of pulledpork is to make snort rules management more simple; as such you don't have to include all kinds of .rules files in your snort.conf. You have a single place to go where you can specify what sids to automatically enable, disable, drop, modify; you can specify a default base ruleset (security, connectivity, balanced).

JJC
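To make JJC's point concrete (why hand-removed '#' marks in snort.rules do not survive an update, and where the new/deleted/changed report comes from), here is an added illustration of a sid-driven rule manager. It is not PulledPork's own code. The vendor rule text is parsed but never edited; a policy in the "gid:sid" list style of enablesid.conf / disablesid.conf decides each rule's state afresh on every run, and the previous pull is diffed against the new one for the report. The sample rules, the policy contents and the choice that disablesid wins over enablesid are constructed assumptions of this example.

```python
"""Added illustration (not PulledPork's code): sid-driven enable/disable policy
applied on top of an untouched vendor rule set, plus a new/deleted/changed report."""
import re
from dataclasses import dataclass

ACTIONS = r"(?:alert|log|pass|drop|reject|sdrop)"
# An optional leading '#' (rule shipped disabled) followed by the rule text.
RULE_RE = re.compile(r"^(?P<disabled>#\s*)?(?P<body>" + ACTIONS + r"\s.*)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')


@dataclass
class Rule:
    gid: int
    sid: int
    msg: str
    body: str       # rule text with any leading '#' stripped
    enabled: bool   # state as shipped by the vendor


def parse_rules(text):
    """Parse a .rules file into {(gid, sid): Rule}; non-rule lines are skipped."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        sid_m = SID_RE.search(body)
        if not sid_m:
            continue                      # a rule without a sid cannot be managed
        gid_m, msg_m = GID_RE.search(body), MSG_RE.search(body)
        gid = int(gid_m.group(1)) if gid_m else 1   # Snort's default gid is 1
        sid = int(sid_m.group(1))
        rules[(gid, sid)] = Rule(gid, sid, msg_m.group(1) if msg_m else "",
                                 body, m.group("disabled") is None)
    return rules


def parse_sid_list(text):
    """Parse an enablesid/disablesid-style list: 'gid:sid' or bare 'sid' entries
    separated by commas or newlines; '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        for tok in re.split(r"[,\s]+", line.split("#", 1)[0]):
            if tok:
                gid, _, sid = tok.rpartition(":")
                ids.add((int(gid) if gid else 1, int(sid)))
    return ids


def apply_policy(vendor_rules, enable_ids, disable_ids):
    """Build the combined rules file and a v1-style sid-msg.map ('sid || msg').
    State is recomputed from the vendor copy plus the policy on every run, which
    is why a '#' removed by hand in the output file does not survive an update."""
    out, sid_msg = [], []
    for key in sorted(vendor_rules):
        r = vendor_rules[key]
        enabled = r.enabled
        if key in enable_ids:
            enabled = True
        if key in disable_ids:        # assumption of this example: disable wins
            enabled = False
        out.append(r.body if enabled else "# " + r.body)
        sid_msg.append(f"{r.sid} || {r.msg}")
    return out, sid_msg


def change_report(old_rules, new_rules):
    """What the new tarball adds, drops or alters relative to the previous pull."""
    old_keys, new_keys = set(old_rules), set(new_rules)
    return {"new": sorted(new_keys - old_keys),
            "deleted": sorted(old_keys - new_keys),
            "changed": sorted(k for k in old_keys & new_keys
                              if old_rules[k].body != new_rules[k].body)}


# Constructed sample tarball contents (not real VRT rules).
OLD_TARBALL = """\
# constructed sample rules, previous pull
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample login probe"; content:"USER"; sid:1000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CHAT sample IRC nick"; content:"NICK"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"DNS sample query"; content:"|01 00|"; sid:1000003; rev:1;)
"""
NEW_TARBALL = """\
# constructed sample rules, new pull: 1000001 revised, 1000003 dropped, 1000004 added
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP sample login probe"; content:"USER anonymous"; sid:1000001; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CHAT sample IRC nick"; content:"NICK"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET sample banner"; content:"login:"; sid:1000004; rev:1;)
"""
# Constructed policy files in enablesid.conf / disablesid.conf style.
ENABLESID_CONF = "1:1000002   # turn the shipped-disabled IRC rule on\n"
DISABLESID_CONF = "1000001\n"


def run_update(old_text, new_text, enablesid_text, disablesid_text):
    """One update run: diff the pulls, then regenerate output from policy."""
    old_rules, new_rules = parse_rules(old_text), parse_rules(new_text)
    report = change_report(old_rules, new_rules)
    out, sid_msg = apply_policy(new_rules, parse_sid_list(enablesid_text),
                                parse_sid_list(disablesid_text))
    return report, out, sid_msg


if __name__ == "__main__":
    report, out, sid_msg = run_update(OLD_TARBALL, NEW_TARBALL, ENABLESID_CONF, DISABLESID_CONF)
    print(report)
    print("\n".join(out))
    print("\n".join(sid_msg))
```

Running it shows the shipped-disabled IRC rule coming out enabled because of the enablesid entry, the FTP rule going out commented because of the disablesid entry regardless of how it shipped, and the report listing sid 1000004 as new, 1000003 as deleted and 1000001 as changed. Editing the '#' in the generated file would change nothing on the next run, which is exactly why the policy files are the place to record such decisions.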