Updating Snort Signatures Offline in Security Onion


Jeffrey Hilgers

Feb 7, 2015, 2:12:17 PM
to securit...@googlegroups.com
Hello,
I have a standalone Security Onion system running that does not have internet access. I need to update the Snort signatures and I have not been able to find any articles on the internet that explain how to do this very easily.

I have my own subscription to obtain Sourcefire's signatures when they are released. So let's say I have downloaded the "community-rules.tar.gz" and "snortrules-snapshot-2970.tar.gz" rule packages manually from Snort.org already.

So far I have completed the following:

1. Copied both rule packages to the Desktop of Security Onion

2. Ran both Phase I and Phase II of the Security Onion setup (I am up and running)

3. I went to the /etc/nsm/securityonion.conf file and changed the LOCAL_NIDS_RULE_TUNING=no to LOCAL_NIDS_RULE_TUNING=yes.

At this point where do I copy these packages to before I run the rule-update command for PulledPork to process them? Am I missing any other steps that I need to complete first too?

I am needing assistance at this point.

Thank you in advance

Doug Burks

Feb 8, 2015, 9:18:44 AM
to securit...@googlegroups.com
Hi Jeff,

When you set LOCAL_NIDS_RULE_TUNING=yes, that tells rule-update to use
the static set of EmergingThreats signatures in /opt/emergingthreats/.

Instead, you may want to try the following:
- LOCAL_NIDS_RULE_TUNING=no
- put your "community-rules.tar.gz" and
"snortrules-snapshot-2970.tar.gz" on an internal web server
- edit /etc/nsm/pulledpork/pulledpork.conf and define two rule_url
variables, one for each of your tarballs
- then run "sudo rule-update" and see if it works



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Jeffrey H

Feb 8, 2015, 3:44:41 PM
to securit...@googlegroups.com
Doug,
Is there any way to do it without having an internal server? There isn't an internal web server that can be used where I have this instance of Security Onion running.




Doug Burks

Feb 8, 2015, 3:52:45 PM
to securit...@googlegroups.com
Yes, Security Onion includes the Apache web server, so you could place
your files in /var/www/ and then configure pulledpork.conf to pull
from https://localhost/YourSnortTarball.tar.gz.

On Sun, Feb 8, 2015 at 3:46 PM, Jeffrey H <jeff.w....@gmail.com> wrote:
> Doug,
> Thinking more on the web server idea, is there a way to point pulledpork to pull it from the Security Onion localhost someway in a specific file location?

Jeffrey H

Feb 8, 2015, 4:03:28 PM
to securit...@googlegroups.com
Doug,
I just got a reply back from the Snort team also and they mentioned the following:

"While I am not particularly familiar with the internals of Security Onion, I believe there is a specific script that you run to update the rules. This script most probably calls PulledPork. Trace that file to eventually find the pulledpork.conf file. Once you locate pulledpork.conf, check the default directory from which PulledPork reads the rules (temp_path variable), as well as which rules are being downloaded (rule_url variable). Make sure the rule_url variables are pointing to the URLs of the rules you want to download. Finally, check which command line switches the script accepts, to verify which ones you can use for offline updates. If you need to call PulledPork directly, you need to include -n and -P on the command line to make sure you are able to process rules offline."

With this being said I wonder if I could just use the (temp_path variable) and point it to a single folder; would that work?


Jeffrey H

Feb 8, 2015, 4:04:45 PM
to securit...@googlegroups.com
Awesome, I will try this first, thank you!

Doug Burks

Feb 8, 2015, 9:04:56 PM
to securit...@googlegroups.com
Yes, you can EITHER:

- set LOCAL_NIDS_RULE_TUNING=yes
- put files in /tmp/
- get annoying "Use of uninitialized value" errors

OR:

- set LOCAL_NIDS_RULE_TUNING=no
- put files in /var/www/




On Sun, Feb 8, 2015 at 6:39 PM, Jeffrey H <jeff.w....@gmail.com> wrote:
> Okay the results are kind of weird but here is what I have done.
>
> 1. I dumped the two rule files at the localhost's website location: /var/www
>
> 2. Changed the pulledpork.conf file to have only these two entries for the download location:
>
> rule_url=https://localhost/rules|community-rules.tar.gz|open
> rule_url=https://localhost/rules|snortrules-snapshot-2970.tar.gz|open
>
> The funny thing is, if I don't put these two files in the /tmp location on the system, it won't do anything and simply says that the first file it is looking for (community-rules.tar.gz) is not in the /tmp directory. I also found that I don't even have to put the files in the web server directory, only in /tmp.
>
> After doing this and running rule-update, I see the following:
>
> Backing up current local_rules.xml file.
> Cleaning up local_rules.xml backup files older than 30 days.
> Backing up current downloaded.rules file before it gets overwritten.
> Cleaning up downloaded.rules backup files older than 30 days.
> Backing up current local.rules file before it gets overwritten.
> Cleaning up local.rules backup files older than 30 days.
> LOCAL_NIDS_RULE_TUNING is enabled.
> This will cause PulledPork to use the existing rules in /opt/emergingthreats/
> instead of downloading new rules from the Internet.
> If you want PulledPork to download new rules from the Internet,
> set the following in /etc/nsm/securityonion.conf:
> LOCAL_NIDS_RULE_TUNING=no
> Running PulledPork.
> Use of uninitialized value $prefix in concatenation (.) or string at /usr/bin/pulledpork.pl line 263.
> Use of uninitialized value $prefix in concatenation (.) or string at /usr/bin/pulledpork.pl line 270.
> http://code.google.com/p/pulledpork/
> PulledPork v0.7.0 - Swine Flu!
> Copyright (C) 2009-2013 JJ Cummings cumm...@gmail.com
> Rules give me wings!
> Prepping rules from community-rules.tar.gz for work....
> Done!
> Prepping rules from snortrules-snapshot-2970.tar.gz for work....
> Done!
> Reading rules...
> Generating Stub Rules....
> Done
> Reading rules...
> Reading rules...
> Modifying Sids....
> Done!
> Processing /etc/nsm/pulledpork/enablesid.conf....
> Modified 0 rules
> Done
> Processing /etc/nsm/pulledpork/dropsid.conf....
> Modified 0 rules
> Done
> Processing /etc/nsm/pulledpork/disablesid.conf....
> Modified 6 rules
> Done
> Setting Flowbit State....
> Enabled 65 flowbits
> Done
> Writing /etc/nsm/rules/downloaded.rules....
> Done
> Generating sid-msg.map....
> Done
> Writing v1 /etc/nsm/rules/sid-msg.map....
> Done
> Writing /var/log/nsm/sid_changes.log....
> Done
> Rule Stats...
> New:-------23512
> Deleted:---18629
> Enabled Rules:----6846
> Dropped Rules:----0
> Disabled Rules:---16668
> Total Rules:------23514
> No IP Blacklist Changes
> Done
> Please review /var/log/nsm/sid_changes.log for additional details
> Fly Piggy Fly!
>
> Updating Snorby's sig_reference table
>
> Running in Continuous mode
>
> --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/nsm/barnyard2-snorby/barnyard2.conf"
>
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
> WARNING: Ignoring bad line in SID file: 'v1'
> Barnyard2 spooler: Event cache size set to [2048]
> Log directory = /etc/nsm/barnyard2-snorby
> INFO database: Defaulting Reconnect/Transaction Error limit to 10
> INFO database: Defaulting Reconnect sleep time to 5 second
> [SignatureReferencePullDataStore()]: No Reference found in database ...
> database: compiled support for (mysql)
> database: configured to use mysql
> database: schema version = 107
> database: host = 127.0.0.1
> database: user = root
> database: database name = snorby
> database: sensor name = SOS:NULL
> database: sensor id = 2
> database: sensor cid = 6
> database: data encoding = hex
> database: detail level = full
> database: ignore_bpf = no
> database: using the "alert" facility
>
> --== Initialization Complete ==--
>
> -*> Barnyard2 <*- Version 2.1.13 (Build 333) TCL
> By Ian Firns (SecurixLive): http://www.securixlive.com/
> (C) Copyright 2008-2013 Ian Firns <fir...@securixlive.com>
>
> ERROR: Unable to open directory '' (No such file or directory)
> ERROR: Unable to find the next spool file!
> ===============================================================================
> Record Totals:
> Records: 0
> Events: 0 (0.000%)
> Packets: 0 (0.000%)
> Unknown: 0 (0.000%)
> Suppressed: 0 (0.000%)
> ===============================================================================
> Packet breakdown by protocol (includes rebuilt packets):
> ETH: 0 (0.000%)
> ETHdisc: 0 (0.000%)
> VLAN: 0 (0.000%)
> IPV6: 0 (0.000%)
> IP6 EXT: 0 (0.000%)
> IP6opts: 0 (0.000%)
> IP6disc: 0 (0.000%)
> IP4: 0 (0.000%)
> IP4disc: 0 (0.000%)
> TCP 6: 0 (0.000%)
> UDP 6: 0 (0.000%)
> ICMP6: 0 (0.000%)
> ICMP-IP: 0 (0.000%)
> TCP: 0 (0.000%)
> UDP: 0 (0.000%)
> ICMP: 0 (0.000%)
> TCPdisc: 0 (0.000%)
> UDPdisc: 0 (0.000%)
> ICMPdis: 0 (0.000%)
> FRAG: 0 (0.000%)
> FRAG 6: 0 (0.000%)
> ARP: 0 (0.000%)
> EAPOL: 0 (0.000%)
> ETHLOOP: 0 (0.000%)
> IPX: 0 (0.000%)
> OTHER: 0 (0.000%)
> DISCARD: 0 (0.000%)
> InvChkSum: 0 (0.000%)
> S5 G 1: 0 (0.000%)
> S5 G 2: 0 (0.000%)
> Total: 0
> ===============================================================================
> Restarting Barnyard2.
> Restarting: SOS-eth1
> * stopping: barnyard2-1 (spooler, unified2 format) [ OK ]
> * starting: barnyard2-1 (spooler, unified2 format) [ OK ]
> Restarting IDS Engine.
> Restarting: SOS-eth1
> * starting: snort-1 (alert data) [ OK ]
> root@SOS:/etc/nsm/pulledpork#
>
> So it looks like it updated rules successfully, but what do all the "Use of uninitialized value $prefix in concatenation (.) or string at /usr/bin/pulledpork.pl line 263." entries at the start mean?
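The LOCAL_NIDS_RULE_TUNING=no path that Doug describes (tarballs in the local Apache docroot, one rule_url per tarball, then rule-update), as an added shell example that is not Security Onion's or PulledPork's own code. It assumes, beyond what the thread states, that each tarball was carried over with a Snort.org-style ".md5" sidecar so the copy can be checked before it is staged, that the docroot subdirectory is /var/www/rules to match the thread's https://localhost/rules URL, and it reuses the "|open" third field exactly as Jeffrey's entries did.

```shell
#!/bin/sh
# Added example, not Security Onion's or PulledPork's own code: stage rule
# tarballs fetched on another machine into the sensor's local Apache docroot
# and emit the matching pulledpork.conf rule_url lines, following the
# LOCAL_NIDS_RULE_TUNING=no path from the thread.
# Assumptions not stated in the thread: each tarball arrives with a Snort.org
# style ".md5" sidecar ("<hex>  <name>"), and the docroot subdirectory is
# /var/www/rules so the URL matches the thread's https://localhost/rules.
set -eu

# Reject a tarball whose .md5 sidecar is missing or does not match; the copy
# that was carried across the air gap should be checked before it is used.
verify_tarball() {
    tarball="$1"
    sidecar="${tarball}.md5"
    [ -f "$sidecar" ] || return 1
    expected=$(awk '{ print $1 }' "$sidecar")
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# One rule_url line in the form the thread used for a localhost source
# (rule_url=<base url>|<tarball name>|open).
rule_url_line() {
    base_url="$1"
    tarball="$2"
    printf 'rule_url=%s|%s|open\n' "$base_url" "$(basename "$tarball")"
}

# Flip LOCAL_NIDS_RULE_TUNING in a securityonion.conf copy; written with a
# temp file and mv rather than sed -i so it also works with non-GNU sed.
set_local_tuning() {
    conf="$1"
    value="$2"
    sed "s/^LOCAL_NIDS_RULE_TUNING=.*/LOCAL_NIDS_RULE_TUNING=$value/" "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Copy every verified tarball into the docroot and print one rule_url line
# per staged file. Usage: stage_rules <docroot> <base url> <tarball>...
stage_rules() {
    docroot="$1"
    base_url="$2"
    shift 2
    mkdir -p "$docroot"
    for t in "$@"; do
        if verify_tarball "$t"; then
            cp "$t" "$docroot/"
            rule_url_line "$base_url" "$t"
        else
            echo "skipping $t: missing or mismatched .md5" >&2
        fi
    done
}

# Typical run on the sensor as root, followed by "sudo rule-update":
#   set_local_tuning /etc/nsm/securityonion.conf no
#   stage_rules /var/www/rules https://localhost/rules \
#       /root/community-rules.tar.gz /root/snortrules-snapshot-2970.tar.gz \
#       >> /etc/nsm/pulledpork/pulledpork.conf
```

Review the appended rule_url lines in pulledpork.conf before running rule-update, since PulledPork will fetch every rule_url it finds, including any stale ones left from earlier attempts.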