Shared object rules (so-rules) failing to install on SO 14.04

[ledin...@gmail.com]

I am still running SO 14.04 and noticed that none of the shared object rules were getting installed as desired. After troubleshooting, I found that I needed to change the distro spec in /etc/nsm/pulledpork/pulledpork.conf from "Ubuntu-12.04" to "Ubuntu-14-4".

This has seemed to resolve the issue but I do have a couple questions:

1) Are there any cavetas to doing this?

2) Was "Ubuntu-12.04" the proper platform spec for SO 14.04?

OR

3) Is this required because Snort\Talos removed the Ubuntu 12x precompiled folder from their v2.9.9.0 rule-sets?

[Doug Burks]

Hi ledingtech,

Replies inline.

On Fri, May 11, 2018 at 8:41 PM, <ledin...@gmail.com> wrote:
>
> I am still running SO 14.04 and noticed that none of the shared object rules were getting installed as desired.  After troubleshooting, I found that I needed to change the distro spec in /etc/nsm/pulledpork/pulledpork.conf from "Ubuntu-12.04" to "Ubuntu-14-4".

Nice catch!

> This has seemed to resolve the issue but I do have a couple questions:
>
> 1) Are there any cavetas to doing this?

I don't believe so.

 
> 2) Was "Ubuntu-12.04" the proper platform spec for SO 14.04?
> OR
>
> 3) Is this required because Snort\Talos removed the Ubuntu 12x precompiled folder from their v2.9.9.0 rule-sets?

Yes, I believe "Ubuntu-12.04" was correct until recently, since this was the closest match until 14.04 was added (and 12.04 was removed):
https://blog.snort.org/2018/03/shared-object-rule-os-build-change-is.html

I've created the following issue for rule-update to update the distro variable in pulledpork.conf:
https://github.com/Security-Onion-Solutions/security-onion/issues/1250

Thanks!

--
Doug Burks

[Doug Burks]

The new rule-update is now available which should fix this issue automatically:

https://blog.securityonion.net/2018/05/securityonion-rule-update-20151201.html

--

Doug Burks