Re: Pulledpork not seeming to update certain rulesets


JJC

Oct 29, 2012, 9:39:45 AM
to pulledpo...@googlegroups.com
The filenames are changing, that said if you see it in the tarball you should be seeing it update... run with -vv and you should see it extract and write the file, if it cannot it should throw a pretty verbose error.

On Friday, October 26, 2012 2:05:05 PM UTC-6, DigiAngel wrote:
Topic says it..I seem to be having some issues with pp updating rule sets.  In my rules dir:

-rw-r--r-- 1 root root   27900 2012-10-23 08:00 VRT-shellcode.rules

yet in the tarball downloaded and extracted today:

-rw-r--r-- 1 root root    1273 2012-10-25 10:38 shellcode.rules

Is there something I can do on my end to troubleshoot this?  Thank you.

James

JJC

Oct 29, 2012, 9:54:22 AM
to pulledpo...@googlegroups.com
Yep, I just validated, that file is now empty (no rules) and as such PP will not update it, as it has nothing to update.

JJC

DigiAngel

Oct 30, 2012, 4:59:07 PM
to pulledpo...@googlegroups.com
Hi JJ,

So here's what I got...I'll look at just the VRT-shellcode.rules file:

mv /tmp/ET-emerging-rbn.rules /opt/etc/snort/rules/
mv /tmp/ET-emerging-botcc.rules /opt/etc/snort/rules/
mv /tmp/ET-emerging-compromised.rules /opt/etc/snort/rules/

Extracted: /tha_rules/VRT-shellcode.rules


At no time is that file created, however, I still have my old one in place:


-rw-r--r-- 1 root root 27900 2012-10-23 08:00 VRT-shellcode.rules

The startup line is:

/opt/bin/pulledpork.pl -c /opt/etc/snort/pulledpork/pulledpork.conf -l -T -k

At some point in time pp stopped updating that file...I have no idea why.  Hope that helps.

James

JJ Cummings

Oct 30, 2012, 6:51:00 PM
to pulledpo...@googlegroups.com, pulledpo...@googlegroups.com
Like I said, that file is now defunct... VRT-indicator-shellcode replaced it!

Sent from the iRoad
--
You received this message because you are subscribed to the Google Groups "pulledpork users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/pulledpork-users/-/CKq4IpOhxzsJ.
To post to this group, send email to pulledpo...@googlegroups.com.
To unsubscribe from this group, send email to pulledpork-use...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/pulledpork-users?hl=en.

DigiAngel

Oct 31, 2012, 1:24:18 PM
to pulledpo...@googlegroups.com
Hi JJ,

In light of Joel's comments about not deleting these out yet on the snort-sig list, my question is, why isn't pp updating certain rules?  I'm not sure how it all works to be sure...does pp "sync" a ruleset?  That doesn't seem to have happened for me at least.  There are a few files that differ wildly from current snort rulesets:

Currently in my rules dir:
-rw-r--r-- 1 root root    1581 2012-04-24 08:00 VRT-attack-responses.rules
-rw-r--r-- 1 root root    3137 2012-10-25 08:00 VRT-bad-traffic.rules
-rw-r--r-- 1 root root    2936 2012-10-23 08:00 VRT-finger.rules
-rw-r--r-- 1 root root   17136 2012-10-25 08:00 VRT-ftp.rules
-rw-r--r-- 1 root root   16100 2012-10-23 08:00 VRT-icmp-info.rules
-rw-r--r-- 1 root root    5481 2012-10-23 08:00 VRT-icmp.rules
-rw-r--r-- 1 root root   19203 2012-10-23 08:00 VRT-imap.rules
-rw-r--r-- 1 root root   22128 2012-10-30 08:00 VRT-misc.rules
-rw-r--r-- 1 root root    4051 2012-04-12 08:01 VRT-multimedia.rules
-rw-r--r-- 1 root root   16520 2012-10-25 08:00 VRT-mysql.rules
-rw-r--r-- 1 root root  212840 2012-10-25 08:00 VRT-oracle.rules
-rw-r--r-- 1 root root    5280 2012-04-12 08:01 VRT-p2p.rules
-rw-r--r-- 1 root root   62266 2012-10-25 08:00 VRT-phishing-spam.rules
-rw-r--r-- 1 root root   13576 2012-09-05 08:01 VRT-policy.rules
-rw-r--r-- 1 root root    6936 2012-10-23 08:00 VRT-pop3.rules
-rw-r--r-- 1 root root    3126 2012-10-23 08:00 VRT-rservices.rules
-rw-r--r-- 1 root root   13996 2012-10-30 08:00 VRT-smtp.rules
-rw-r--r-- 1 root root    1511 2012-09-07 15:30 VRT-virus.rules
-rw-r--r-- 1 root root   91511 2012-10-23 08:00 VRT-voip.rules
-rw-r--r-- 1 root root 1122321 2012-10-30 08:00 VRT-web-activex.rules
-rw-r--r-- 1 root root     537 2012-10-25 08:00 VRT-web-attacks.rules
-rw-r--r-- 1 root root  122804 2012-10-25 08:00 VRT-web-cgi.rules
-rw-r--r-- 1 root root   13903 2012-10-25 08:00 VRT-web-coldfusion.rules
-rw-r--r-- 1 root root   66693 2012-10-25 08:00 VRT-web-iis.rules
-rw-r--r-- 1 root root   91495 2012-10-30 08:00 VRT-web-php.rules



Snortrules tarball:
-rw-r--r-- 1 root root    1175 2012-10-30 10:05 attack-responses.rules
-rw-r--r-- 1 root root    1214 2012-10-30 10:05 bad-traffic.rules
-rw-r--r-- 1 root root     986 2012-10-30 10:05 finger.rules
-rw-r--r-- 1 root root    1147 2012-10-30 10:05 ftp.rules
-rw-r--r-- 1 root root    1259 2012-10-30 10:05 icmp-info.rules
-rw-r--r-- 1 root root    1197 2012-10-30 10:05 icmp.rules
-rw-r--r-- 1 root root    1098 2012-10-30 10:05 imap.rules
-rw-r--r-- 1 root root    1743 2012-10-30 10:05 misc.rules
-rw-r--r-- 1 root root    1140 2012-10-30 10:05 multimedia.rules
-rw-r--r-- 1 root root    1192 2012-10-30 10:05 mysql.rules
-rw-r--r-- 1 root root    1603 2012-10-30 10:05 oracle.rules
-rw-r--r-- 1 root root    1072 2012-10-30 10:05 p2p.rules
-rw-r--r-- 1 root root     979 2012-10-30 10:05 phishing-spam.rules
-rw-r--r-- 1 root root    1268 2012-10-30 10:05 policy.rules
-rw-r--r-- 1 root root    1049 2012-10-30 10:05 pop3.rules
-rw-r--r-- 1 root root     993 2012-10-30 10:05 rservices.rules
-rw-r--r-- 1 root root     989 2012-10-30 10:05 smtp.rules
-rw-r--r-- 1 root root     979 2012-10-30 10:05 voip.rules
-rw-r--r-- 1 root root     999 2012-10-30 10:05 web-activex.rules
-rw-r--r-- 1 root root    1390 2012-10-30 10:05 web-attacks.rules
-rw-r--r-- 1 root root    1520 2012-10-30 10:05 web-cgi.rules
-rw-r--r-- 1 root root    1008 2012-10-30 10:05 web-coldfusion.rules
-rw-r--r-- 1 root root     998 2012-10-30 10:05 web-iis.rules
-rw-r--r-- 1 root root    1002 2012-10-30 10:05 web-php.rules

This list seems pretty close to the list of rules that will be deleted down the road, but again, I'm just wondering why they aren't getting updated. PP.conf below:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-2931.tar.gz|code
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl


ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
out_path=/opt/etc/snort/rules/
rule_path=/opt/etc/snort/rules/snort.rules
local_rules=/opt/etc/snort/rules/VRT-testing.rules
sid_msg=/opt/etc/snort/sid-msg.map
sid_changelog=/opt/var/log/sid_changes.log
sorule_path=/opt/lib/snort_dynamicrules/
snort_path=/opt/bin/snort
config_path=/opt/etc/snort/pos.conf
sostub_path=/opt/etc/snort/rules/so_rules.rules

modifysid=/opt/etc/snort/pulledpork/modifysid.conf
dropsid=/opt/etc/snort/pulledpork/dropsid.conf
disablesid=/opt/etc/snort/pulledpork/disablesid.conf

Thank you.

James

JJC

Oct 31, 2012, 2:03:02 PM
to pulledpo...@googlegroups.com
This is what's in the current shellcode.rules file.. no rules:

$ less shellcode.rules 
# Copyright 2001-2012 Sourcefire Inc. All Rights Reserved.
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2012 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2012 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#-----------------
# SHELLCODE RULES
#-----------------
# These signatures are based on shellcode that is common ammong multiple
# publicly available exploits.
#
# Because these signatures check ALL traffic for shellcode, these signatures
# are disabled by default.  There is a LARGE performance hit by enabling
# these signatures.
#


James Lay

Oct 31, 2012, 2:05:56 PM
to pulledpo...@googlegroups.com
Hehe…maybe I'm not explaining myself :)

So yes…currently shellcode.rules is empty…and that's my question; why is the official snortrules shellcode.rules empty, and the shellcode.rules that is currently in my rules dir NOT empty?  Why after running pp are they not the same?  Is that making sense?  Thanks a bunch JJ.

James

JJC

Oct 31, 2012, 2:19:58 PM
to pulledpo...@googlegroups.com
Ah, now I see.. yes so essentially what's happening is that PP is not touching the shellcode.rules file because it doesn't have anything to do (in terms of new rules etc).. essentially when writing out the unique filenames if there are no rules in a file then PP ignores it and moves on.. this is one of the drawbacks to doing it that way rather than a single large rules file, if that makes any sense..

JJC

DigiAngel

Oct 31, 2012, 3:05:28 PM
to pulledpo...@googlegroups.com
Thanks JJ..I'll manually copy them over for now.  Maybe we could add this as a feature request...."hardcore" sync or something that will still sync empty rulesets or rulesets with everything commented out :)

James
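The behaviour JJC describes (PulledPork writes one output file per upstream rules file, but skips a file that contains no rules, so a stale local copy survives) and the "hardcore sync" DigiAngel asks for can both be checked with a small script. The following is an added example written for this thread, not PulledPork's own code: it counts active and commented-out rules in each file, compares an extracted tarball directory against the local rules directory, reports the files upstream has emptied while the local copy still carries rules, and optionally copies the emptied upstream file over the stale one. The directory names, the `VRT-` prefix and the sample file contents are constructed for the example; whether PulledPork treats a file holding only `# alert` lines as "no rules" is not stated in the thread, so that case is controlled by a flag.

```python
"""Detect local Snort rule files that PulledPork will not rewrite because the
upstream copy now contains no rules, and optionally sync them anyway.
Added example, not PulledPork code; paths and sample data are constructed."""
import os
import re
import shutil
import tempfile

# A Snort rule line begins with an action keyword; a disabled rule has the
# same shape behind a '#'. Plain comment lines (license header, section
# banners) never match, so an "empty" file such as shellcode.rules scores 0/0.
RULE_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\b\s+\S+")


def count_rules(text):
    """Return (active, disabled) rule counts for the contents of a rules file."""
    active = disabled = 0
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group(1):
            disabled += 1
        else:
            active += 1
    return active, disabled


def _counts(path):
    with open(path) as f:
        return count_rules(f.read())


def find_stale(local_dir, tarball_dir, prefix="VRT-", all_commented_is_empty=False):
    """Names of upstream files (e.g. 'shellcode.rules') that PulledPork would
    skip as empty while the prefixed local copy still contains rules.
    Assumption: a file with only disabled rules counts as non-empty unless
    all_commented_is_empty is set."""
    stale = []
    for name in sorted(os.listdir(tarball_dir)):
        if not name.endswith(".rules"):
            continue
        up_active, up_disabled = _counts(os.path.join(tarball_dir, name))
        upstream_empty = up_active == 0 and (up_disabled == 0 or all_commented_is_empty)
        if not upstream_empty:
            continue  # upstream still has rules; PulledPork rewrites it normally
        local = os.path.join(local_dir, prefix + name)
        if not os.path.exists(local):
            continue
        if sum(_counts(local)):
            stale.append(name)
    return stale


def hardcore_sync(local_dir, tarball_dir, prefix="VRT-", dry_run=True, **kw):
    """Copy each emptied upstream file over its stale local counterpart."""
    stale = find_stale(local_dir, tarball_dir, prefix, **kw)
    for name in stale:
        src, dst = os.path.join(tarball_dir, name), os.path.join(local_dir, prefix + name)
        if dry_run:
            print("would copy %s -> %s" % (src, dst))
        else:
            shutil.copy2(src, dst)
    return stale


def build_demo(root):
    """Construct a tiny rules dir and tarball dir under root (sample data)."""
    local, tar = os.path.join(root, "rules"), os.path.join(root, "tarball")
    os.makedirs(local)
    os.makedirs(tar)
    header = "# Copyright header and section banner only\n#-----------------\n"
    rule = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
            '(msg:"SAMPLE old rule"; sid:1000001; rev:1;)\n')
    files = {
        (tar, "shellcode.rules"): header,                 # emptied upstream
        (tar, "ftp.rules"): header + rule,                # still has a rule
        (tar, "policy.rules"): header + "# " + rule,      # only disabled rules
        (local, "VRT-shellcode.rules"): header + rule + "# " + rule,
        (local, "VRT-ftp.rules"): header + rule,
        (local, "VRT-policy.rules"): header + rule,
        (local, "VRT-finger.rules"): header,              # local already empty
    }
    for (d, name), text in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return local, tar


def run_demo():
    """Build the sample tree, report stale files, then sync and re-check."""
    local, tar = build_demo(tempfile.mkdtemp())
    result = {
        "shellcode_counts": _counts(os.path.join(local, "VRT-shellcode.rules")),
        "stale_default": find_stale(local, tar),
        "stale_strict": find_stale(local, tar, all_commented_is_empty=True),
    }
    result["synced"] = hardcore_sync(local, tar, dry_run=False)
    result["after_sync"] = find_stale(local, tar)
    return result


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real tree by calling `find_stale("/opt/etc/snort/rules", "/tmp/extracted-tarball")` after a `-k` run; the default `dry_run=True` in `hardcore_sync` only prints what it would overwrite, so review the list before copying anything over a ruleset Snort is loading.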