Two questions about Snort Community Rule entry in pulledpork.conf

Jeff H

Apr 29, 2016, 1:37:43 PM
to securit...@googlegroups.com
While running soup today to update my standalone Security Onion sensor I noticed this snippet in the output:

Setting up securityonion-setup (20120912-0ubuntu0securityonion207) ...
/etc/nsm/pulledpork/pulledpork.conf doesn't already have Snort Community ruleset enabled.
Backing up /etc/nsm/pulledpork/pulledpork.conf to /etc/nsm/pulledpork/pulledpork.conf.20160429.
Appending the following to /etc/nsm/pulledpork/pulledpork.conf:

I use the Snort subscriber rules, which I thought the community rules were included in, so I wouldn't need the Snort community rules, is that correct? And if so, does it hurt to have the entry for Snort community? Does Pulledpork de-dupe any duplicate rules?

Additionally, when I went to look at my pulledpork.conf I noticed multiple entries for Snort Community:

$ grep -v "#" /etc/nsm/pulledpork/pulledpork.conf
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/nsm/rules/downloaded.rules
local_rules=/etc/nsm/rules/local.rules
sid_msg=/etc/nsm/rules/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/nsm/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/bin/snort
config_path=/etc/nsm/templates/snort/snort.conf
distro=Ubuntu-12-04
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
IPRVersion=/usr/local/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
enablesid=/etc/nsm/pulledpork/enablesid.conf
dropsid=/etc/nsm/pulledpork/dropsid.conf
disablesid=/etc/nsm/pulledpork/disablesid.conf
modifysid=/etc/nsm/pulledpork/modifysid.conf
version=0.7.0
sid_msg_version=1

It's listed twice up at the top and four times at the bottom. Is this normal? Do others have this? 

Looking at the pulledpork.conf backup files, it looks like they started getting added in January of this year with the change in URL from amazonaws.com to snort.org, and then one more gets added in each backup:

$ ls -a /etc/nsm/pulledpork/
.   disablesid.conf  enablesid.conf  pulledpork.conf           pulledpork.conf.20160208  pulledpork.conf.20160423  pulledpork.conf.bak.20150424
..  dropsid.conf     modifysid.conf  pulledpork.conf.20160127  pulledpork.conf.20160406  pulledpork.conf.20160429
$ diff /etc/nsm/pulledpork/pulledpork.conf /etc/nsm/pulledpork/pulledpork.conf.20160429
215d214
$ diff /etc/nsm/pulledpork/pulledpork.conf /etc/nsm/pulledpork/pulledpork.conf.20160423
214,215d213
$ diff /etc/nsm/pulledpork/pulledpork.conf /etc/nsm/pulledpork/pulledpork.conf.20160406
213,215d212
$ diff /etc/nsm/pulledpork/pulledpork.conf /etc/nsm/pulledpork/pulledpork.conf.20160208
211,215d210
< sid_msg_version=1
$ diff /etc/nsm/pulledpork/pulledpork.conf /etc/nsm/pulledpork/pulledpork.conf.20160127 
22c22
---
211,215d210
< sid_msg_version=1

Anyone else seeing the same thing?

Doug Burks

Apr 29, 2016, 2:55:19 PM
to securit...@googlegroups.com
Hi Jeff,

Replies inline.

On Fri, Apr 29, 2016 at 1:37 PM, Jeff H <jeff...@gmail.com> wrote:
> I use the Snort subscriber rules, which I thought the community rules were
> included in, so i wouldn't need the Snort community rules, is that correct?

No, I believe you need both the subscriber ruleset and the community ruleset.

For example, here's where new Shellshock rules were added to the
community ruleset:
http://blog.snort.org/2014/09/snort-community-ruleset-out-of-band.html

That prompted us to ensure that the community ruleset was enabled for
all users that are running the VRT ruleset:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-5-shellshock.html

Also notice that the default pulledpork.conf includes both subscriber
and community rulesets enabled:
https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf

> And if so does it hurt to have the entry for Snort community? Does
> Pulledpork de-dupe any duplicate rules?
>
> Additionally, when I went to look at my pulledpork.conf I noticed multiple
> entries for Snort Community:
> It's listed twice up at the top and four times at the bottom. Is this
> normal? Do others have this?

This appears to be a bug in /usr/bin/sosetup-fix-ppconf. I've created
Issue 907 for this:
https://github.com/Security-Onion-Solutions/security-onion/issues/907
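As an added example (not code from this thread, and not Security Onion's /usr/bin/sosetup-fix-ppconf), the script below shows the property the setup step above was missing: an "enable the community ruleset" check that re-running soup cannot turn into a stack of duplicate rule_url lines, plus a helper that counts and collapses the duplicates already in the file. The exact community rule_url line is not visible in the thread; the one used here is an assumption that follows the format of pulledpork's stock config, so substitute the line your own pulledpork.conf carries. The sample config it operates on is constructed in a temporary directory and is not a real pulledpork.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion's
# sosetup-fix-ppconf. Demonstrates an idempotent "append if absent" step
# for pulledpork.conf and a way to find/collapse duplicate rule_url lines.
#
# ASSUMPTION: the thread does not show the community rule_url line itself;
# this value mimics the stock pulledpork format. Replace with your own line.
COMMUNITY_ENTRY='rule_url=https://www.snort.org/rules/community|community-rules.tar.gz|Community'

# has_entry FILE ENTRY: true if FILE contains ENTRY as a whole, uncommented line.
# -x requires a whole-line match, -F makes '|' and '.' literal rather than regex.
has_entry() {
    grep -qxF -- "$2" "$1"
}

# count_entry FILE ENTRY: number of whole-line copies of ENTRY in FILE.
# grep -c exits 1 when the count is 0, so "|| true" keeps the count usable.
count_entry() {
    grep -cxF -- "$2" "$1" || true
}

# enable_entry FILE ENTRY: append ENTRY once, taking a dated backup first
# (the same naming soup uses, e.g. pulledpork.conf.20160429). A second call
# finds the entry already present and does nothing.
enable_entry() {
    if has_entry "$1" "$2"; then
        return 0
    fi
    cp -- "$1" "$1.$(date +%Y%m%d)"
    printf '%s\n' "$2" >> "$1"
}

# dedupe_rule_urls FILE: keep the first occurrence of every rule_url= line
# and drop later repeats; comments and every other key are left untouched.
dedupe_rule_urls() {
    tmp=$(mktemp) || return 1
    awk '!/^rule_url=/ || !seen[$0]++' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f -- "$tmp"
}

# demo: run the helpers on a constructed fragment carrying three copies of
# the community entry, in a throw-away directory.
demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/pulledpork.conf"
    printf '%s\n' \
        '# constructed sample, not a real pulledpork.conf' \
        'rule_path=/etc/nsm/rules/downloaded.rules' \
        "$COMMUNITY_ENTRY" "$COMMUNITY_ENTRY" "$COMMUNITY_ENTRY" \
        'sid_msg_version=1' > "$conf"
    echo "before: $(count_entry "$conf" "$COMMUNITY_ENTRY") community entries"
    dedupe_rule_urls "$conf"
    enable_entry "$conf" "$COMMUNITY_ENTRY"   # already present: no change, no backup
    enable_entry "$conf" "$COMMUNITY_ENTRY"   # still no change
    echo "after:  $(count_entry "$conf" "$COMMUNITY_ENTRY") community entries"
    rm -rf -- "$dir"
}

demo
```

The check deliberately matches the whole line (`grep -xF`) rather than a loose substring such as "Community": a substring test would be satisfied by a commented-out entry and silently skip enabling it, while a regex test would treat the `|` and `.` in the URL as metacharacters. Point the functions at a copy of your real pulledpork.conf before trusting them on the live file.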