question about 0.70 and flags

Jeremy Hoel

Sep 4, 2013, 1:06:35 PM
to pulledpo...@googlegroups.com
So I made a change to my modifysid.conf file and then ran
'pulledpork.pl -n -c /etc/snort/pulledpork.conf' and received this
output:

--- cropped output ---
No Rule Changes

No IP Blacklist Changes

Done
--- output ---

But then when I looked at the rule in question, the modifysid changes
hadn't been applied. It wasn't until I added the -P to the command
line that it made the change.

This seems to be different than in the 0.61 release, where -n would
still do modifysid without having to put -P.

Or am I mistaken?

JJ Cummings

Sep 4, 2013, 1:57:30 PM
to pulledpo...@googlegroups.com, pulledpo...@googlegroups.com
This is expected behavior... -n looks for rule changes in the rule pack... -P forces a process even if the rule pack is the same...

Sent from the iRoad

Michael Steele

Sep 4, 2013, 9:52:42 PM
to pulledpo...@googlegroups.com
Just to be informed, as it looks like I need two run lines:

1. One for new rule processing and updating
2. One for processing any and all rule changes made in between new rule updates

Isn't there one run line that will do it all: process new rules if available, and process any and all rule changes regardless of whether a rule update was available?

This is my initial run line that checks for and updates new rule sets if available. It appears from this thread that if any changes are made to the rules and this line is run, PP will not process those changes, because there was no new rule set available.

Initial run line: perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

What switches should I enter into my run line for updating rule changes in between new rule set updates?

Like this: perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -n -P -T

Curious; does the below work?
perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT

Best regards,
Michael...

Jeremy Hoel

Sep 4, 2013, 10:00:55 PM
to pulledpo...@googlegroups.com

This was my assumption before. We used to just use 'pulledpork.pl -c /etc/snort/pulledpork-users.conf' and it would always change the rules, even if there were no new rule files to download. So, that being said, I need to make sure that what I thought was happening is really happening.

Michael Steele

Sep 4, 2013, 11:35:36 PM
to pulledpo...@googlegroups.com

So I should be running the below line in my scheduled cron file to check for new rule updates, and I should be executing the same run line to process any new rule modifications or configuration updates?

Also, does PP know if the ‘ips_policy=’ in the pulledpork.conf gets changed when the below line is run each time?

perl -n -P d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

Best regards,
Michael...

JJC

Sep 5, 2013, 10:22:42 AM
to pulledpo...@googlegroups.com
The reason that the function was changed was to reduce cycles when the base ruleset was unchanged. Specifically, even if you ran with -n, all rules would be processed whether or not the tarball had changed. In this new way it simply exits normally if -P is not specified and the rules tarball has been unchanged, thus making the run much faster and not needing to use additional system overhead. The thought is that when you are processing changes that are _NOT_ to a new tarball you are likely conducting a tuning exercise and thus you are manually running PP anyway.. so you want to specify the -P flag.. make sense?
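Michael's question above (one run line that copes with both a new tarball and local tuning edits) can be met with a small wrapper around the flags JJC describes: run the plain cron line, and add -P only when modifysid.conf or pulledpork.conf has changed since the last run. This is an added example, not code from pulledpork or from anyone in this thread; the file paths, the stamp file location and the PP_WRAPPER_RUN variable are assumptions.

```shell
#!/bin/sh
# Added wrapper example (not part of pulledpork): run the normal cron line and
# add -P only when the local tuning files changed since the last run, so that
# modifysid.conf / ips_policy edits are applied even without a new tarball.
# The paths below are assumptions; override them through the environment.
PP_CONF="${PP_CONF:-/etc/snort/pulledpork.conf}"
MODIFYSID="${MODIFYSID:-/etc/snort/modifysid.conf}"
STAMP="${STAMP:-/var/lib/pulledpork/tuning.sha256}"

# SHA-256 of stdin as a bare hex string (coreutils, or shasum on macOS/BSD).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# One digest over every readable tuning file named as an argument.
tuning_digest() {
    for f in "$@"; do
        [ -r "$f" ] && cat "$f"
    done | _sha256
}

# Exit 0 when the current digest differs from the stored stamp; a missing
# stamp counts as changed, so the very first run always processes.
tuning_changed() {
    new=$(tuning_digest "$PP_CONF" "$MODIFYSID")
    old=$(cat "$STAMP" 2>/dev/null || true)
    [ "$new" != "$old" ]
}

# Flags for pulledpork.pl: the plain cron line (fetch and process a new
# tarball if one exists), plus -P to force processing when tuning changed.
pp_args() {
    if tuning_changed; then
        echo "-c $PP_CONF -P"
    else
        echo "-c $PP_CONF"
    fi
}

# Remember what was just processed so the next unchanged run can skip -P.
record_tuning_stamp() {
    tuning_digest "$PP_CONF" "$MODIFYSID" > "$STAMP"
}

run_pulledpork() {
    # shellcheck disable=SC2086  # the flag list is meant to word-split
    pulledpork.pl $(pp_args) && record_tuning_stamp
}

# Run only when asked, so the file can also be sourced for its functions.
if [ "${PP_WRAPPER_RUN:-0}" = 1 ]; then run_pulledpork; fi
```

Schedule it with PP_WRAPPER_RUN=1 in place of the bare pulledpork.pl cron line; the stamp is only updated after a successful run, so a failed -P run is retried next time.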

Michael Steele

Sep 5, 2013, 10:44:28 AM
to pulledpo...@googlegroups.com

I can see this, so just to confirm. I’m not running PP, but I think I might need to adjust my Windows guided install for installing the rules on a new install, and for updating after that.

The guided install has the installer running the below line to install the rules on a new install, and it is used in the cron for continuing to check for and install new rule set releases.

perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

The above is where I have left the guided install.

I guess I need to add instructions for the installer to manually update PP after changes made to PP.

perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -P -T

If I understand, using the -n would be used when changing the ‘ips_policy=’ setting?

perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -n -P -T

JJC

Sep 5, 2013, 10:55:33 AM
to pulledpo...@googlegroups.com
inline...

On Thu, Sep 5, 2013 at 8:44 AM, Michael Steele <mich...@winsnort.com> wrote:

> I can see this, so just to confirm. I’m not running PP, but I think I might need to adjust my Windows guided install for installing the rules on a new install, and for updating after that.
>
> The guided install has the installer running the below line to install the rules on a new install, and it is used in the cron for continuing to check for and install new rule set releases.
>
> perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T
>
> The above is where I have left the guided install.

And this is still fine for the cron job.. it will look for a new tarball and download / process if there is a new one.. if not then it simply exits as opposed to running again as it did before.

> I guess I need to add instructions for the installer to manually update PP after changes made to PP.
>
> perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -P -T
>
> If I understand, using the -n would be used when changing the ‘ips_policy=’ setting?

-n is only used to not try and download a new tarball.. generally if you are a registered user only and running tuning, or if you are downloading and distributing the tarball via another method. In the case you noted you would add a -P to force process the change in PP even if the tarball was not changed..