pulledpork - fetching rules from a "secure" server


Wayne Veilleux

Nov 18, 2013, 2:57:15 PM11/18/13
to securit...@googlegroups.com
Hi,

We need to fetch snort rules updates with pulledpork from an internal "secure" server because corporate policies do not allow internal servers to directly access Internet sites. I looked at the /etc/nsm/pulledpork/pulledpork.conf config file. Do you think it will work if I change rule_url=https://rules.emergingthreatspro.com to rule_url=https://internal-server.mycompany.com ?

/Wayne

Doug Burks

Nov 18, 2013, 3:06:56 PM11/18/13
to securit...@googlegroups.com
Hi Wayne,

In theory, it should work. You may need to play with the path. While
troubleshooting, it may be helpful to run Pulledpork with extra
verbosity:
sudo pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf -vvv



--
Doug Burks
http://securityonion.net

Wayne Veilleux

Nov 18, 2013, 3:18:25 PM11/18/13
to securit...@googlegroups.com
OK, thanks Doug, I'll try it and let you know if it's working.
/Wayne

Wayne Veilleux

Dec 3, 2013, 8:59:34 AM12/3/13
to securit...@googlegroups.com
Hi Doug,

We can't have pulledpork "pull" the rules (ET GPL) from an internal server (where this one is fetching the rules every day with wget with the "--no-check-certificate" option). We have to do this because of internal corp policies. So, when I do a: sudo pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf -vv , here is the log that shows that we need the cert of the server (but it is a self-signed cert, so maybe it won't work anyway..). Do you know where we can put the cert on the sensor? Or modify the pulledpork.pl script to tell pulledpork not to check the cert? I've looked into pulledpork.conf and there is no way to set up a URI instead of a URL.

Thanks for any help.

http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / PulledPork v0.6.1 the Smoking Pig <////~
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009-2011 JJ Cummings
@_/ / 66\_ cumm...@gmail.com
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Config File Variable Debug /etc/nsm/pulledpork/pulledpork.conf
sostub_path = /etc/nsm/rules/so_rules.rules
snort_path = /usr/bin/snort
enablesid = /etc/nsm/pulledpork/enablesid.conf
distro = Ubuntu-12-04
temp_path = /tmp
version = 0.6.0
modifysid = /etc/nsm/pulledpork/modifysid.conf
sorule_path = /usr/local/lib/snort_dynamicrules/
disablesid = /etc/nsm/pulledpork/disablesid.conf
rule_path = /etc/nsm/rules/downloaded.rules
dropsid = /etc/nsm/pulledpork/dropsid.conf
rule_url = ARRAY(0x306c2f0)
sid_changelog = /var/log/sid_changes.log
sid_msg = /etc/nsm/rules/sid-msg.map
config_path = /etc/nsm/templates/snort/snort.conf
MISC (CLI and Autovar) Variable Debug:
arch Def is: x86-64
Config Path is: /etc/nsm/pulledpork/pulledpork.conf
Distro Def is: Ubuntu-12-04
Disabled policy specified
Rules file is: /etc/nsm/rules/downloaded.rules
Path to disablesid file: /etc/nsm/pulledpork/disablesid.conf
Path to dropsid file: /etc/nsm/pulledpork/dropsid.conf
Path to enablesid file: /etc/nsm/pulledpork/enablesid.conf
Path to modifysid file: /etc/nsm/pulledpork/modifysid.conf
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /etc/nsm/rules/sid-msg.map
Snort Version is: 2.9.5.5
Snort Config File: /etc/nsm/templates/snort/snort.conf
Snort Path is: /usr/bin/snort
SO Output Path is: /usr/local/lib/snort_dynamicrules/
SO Stub File is: /etc/nsm/rules/so_rules.rules
Extra Verbose Flag is Set
Verbose Flag is Set
Base URL is: https://litpp01adm1.itp.extra/apt-cacher-ng/cache/rules/|emerging.rules.tar.gz|open
Rules tarball download of emerging.rules.tar.gz....
Fetching rules file: emerging.rules.tar.gz
But not verifying MD5
** GET https://litpp01adm1.itp.extra/apt-cacher-ng/cache/rules/emerging.rules.tar.gz ==> 500 Can't connect to litpp01adm1.itp.extra:443 (certificate verify failed)
A 500 error occurred, please verify that you have recently updated your root certificates!

Doug Burks

Dec 3, 2013, 10:25:27 AM12/3/13
to securit...@googlegroups.com
Here are a few options:

- add your untrusted cert to the Ubuntu certificate store

OR

- change your internal URL from HTTPS to HTTP

OR

- create a cron job to scp the tarball to the local box, then
configure PulledPork to process locally

Wayne Veilleux

Dec 3, 2013, 12:31:53 PM12/3/13
to securit...@googlegroups.com
Thanks Doug for those options. I did the first one, and pulledpork is working properly :) Here is what I did to add the self-signed certificate of our "trusted jump server" to fetch the ET GPL rules with pulledpork.pl:

1. copy the cert to /usr/share/ca-certificates/. (I got the certificate using Firefox)

2. sudo dpkg-reconfigure ca-certificates ; and follow the menu to add and trust the new certificate you just added.

3. run sudo pulledpork.pl -c /etc/nsm/pulledpork/pulledpork.conf -vvvv ; to see that it is running properly.

/Wayne
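The thread ends with the sensor trusting the mirror's self-signed certificate system-wide, which also makes every other TLS client on the box trust it (on Debian/Ubuntu the documented place for a locally added CA is /usr/local/share/ca-certificates/*.crt followed by update-ca-certificates; dpkg-reconfigure ca-certificates as Wayne did works too). A narrower approach for this one job is to trust that certificate only for the rules download and to pin its fingerprint, then check the tarball against its digest sidecar before PulledPork processes it locally (Doug's third option). The script below is an added example written for this thread; it is not part of PulledPork or Security Onion. The hostname, path, certificate file, fingerprint placeholder and the existence of an emerging.rules.tar.gz.md5 sidecar on the mirror are assumptions, and the test data is constructed.

```python
#!/usr/bin/env python3
"""Fetch a rules tarball from an internal HTTPS mirror that presents a
self-signed certificate, without turning off TLS verification.

Added example for the pulledpork thread (not PulledPork/Security Onion code).
Assumptions, all hypothetical: the mirror's PEM certificate was saved to
MIRROR_CA_FILE (for example via `openssl s_client -showcerts`), its SHA-256
fingerprint is recorded in MIRROR_FINGERPRINT, and the mirror also serves the
upstream emerging.rules.tar.gz.md5 sidecar (first token = hex digest).
"""
import hashlib
import http.client
import ssl
import sys
from pathlib import Path

MIRROR_HOST = "internal-server.mycompany.com"        # hypothetical, from the thread
RULES_PATH = "/rules/emerging.rules.tar.gz"           # hypothetical path on the mirror
MIRROR_CA_FILE = "/etc/ssl/local/rules-mirror.pem"    # hypothetical; the mirror's own cert
# Placeholder: fill from `openssl x509 -in rules-mirror.pem -noout -fingerprint -sha256`.
# Left unset so the fetch fails closed until a real value is pinned.
MIRROR_FINGERPRINT = "<sha256 fingerprint of the mirror certificate>"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' as printed by openssl or bare hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_of(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the same value openssl -fingerprint -sha256 prints."""
    return hashlib.sha256(der_cert).hexdigest()


def build_context(cafile: str) -> ssl.SSLContext:
    """Context that trusts ONLY the mirror certificate, not the system store.
    Hostname checking stays on, so MIRROR_HOST must appear in the cert's SAN."""
    ctx = ssl.create_default_context(cafile=cafile)   # cafile given => no default CAs loaded
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_pinned(host: str, path: str, cafile: str, expected_fp: str,
                 timeout: float = 30.0) -> bytes:
    """GET path over TLS; fail if the chain does not verify against cafile
    or the presented leaf certificate is not the pinned one."""
    conn = http.client.HTTPSConnection(host, 443, context=build_context(cafile),
                                       timeout=timeout)
    conn.connect()   # handshake happens here; raises ssl.SSLCertVerificationError on failure
    der = conn.sock.getpeercert(binary_form=True)
    if fingerprint_of(der) != normalize_fingerprint(expected_fp):
        conn.close()
        raise ssl.SSLError(f"pinned certificate mismatch for {host}")
    conn.request("GET", path)
    resp = conn.getresponse()
    if resp.status != 200:
        conn.close()
        raise RuntimeError(f"{host}{path}: HTTP {resp.status}")
    body = resp.read()
    conn.close()
    return body


def parse_md5_sidecar(text: str) -> str:
    """Return the lowercase 32-hex digest that starts the .md5 file, else ValueError."""
    tokens = text.split()
    token = tokens[0].lower() if tokens else ""
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("sidecar does not contain an MD5 digest")
    return token


def tarball_matches(tarball: bytes, sidecar_text: str) -> bool:
    """MD5 only detects truncation/corruption; it is not collision resistant.
    A mirror that verified its upstream fetch should publish its own SHA-256 too."""
    return hashlib.md5(tarball).hexdigest() == parse_md5_sidecar(sidecar_text)


def main(dest_dir: str) -> int:
    tarball = fetch_pinned(MIRROR_HOST, RULES_PATH, MIRROR_CA_FILE, MIRROR_FINGERPRINT)
    sidecar = fetch_pinned(MIRROR_HOST, RULES_PATH + ".md5", MIRROR_CA_FILE,
                           MIRROR_FINGERPRINT).decode("ascii", "replace")
    if not tarball_matches(tarball, sidecar):
        print("digest mismatch: refusing to install the tarball", file=sys.stderr)
        return 1
    out = Path(dest_dir) / "emerging.rules.tar.gz"
    out.write_bytes(tarball)
    print(f"wrote {out} ({len(tarball)} bytes); hand it to PulledPork locally")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "/tmp"))
```

Run it from cron in place of the unverified wget, with the destination directory as the only argument; because `create_default_context(cafile=...)` loads nothing but the mirror certificate, a change of certificate on the mirror (or a man-in-the-middle inside the corporate network) fails the handshake instead of silently succeeding, and the fingerprint pin catches the case where the same private CA later issues a different certificate.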