pulledpork rule update


Dave Prince

Sep 28, 2017, 2:10:49 PM
to security-onion
Attached sostat-redacted... for the last few weeks it seems the rule update is not working. I updated and regenerated the oinkcode with the same result. Any ideas?


ENGINE=suricata, so we'll execute PulledPork with -T -S suricata-4.0.0.
Running PulledPork.
You need to define an oinkcode, please review the rule_url section of the pulledpork config file!
at /usr/bin/pulledpork.pl line 1956.

sostat-redacted

Wes Lambert

Sep 28, 2017, 2:42:14 PM
to securit...@googlegroups.com
Dave,

Please provide your pulledpork.conf file, redacting your oinkcode, as necessary.

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Dave Prince

Sep 28, 2017, 3:52:05 PM
to security-onion
Hi Wes,

Sorry I didn't include this originally.

Thanks,
Dave

On Thursday, September 28, 2017 at 2:42:14 PM UTC-4, Wes wrote:
> Dave,
>
>
> Please provide your pulledpork.conf file, redacting your oinkcode, as necessary.
>
>
> Thanks,
> Wes
pulledpork.conf

Wes

Sep 28, 2017, 4:14:21 PM
to security-onion
Dave,

Did you change the rule_url in pulledpork.conf?

You should just need to add your oinkcode to the following line (instead of the one you have defined):

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>

Also, is there any reason you want to run Snort Subscriber rules in conjunction with Suricata? The ET Open/Pro ruleset(s) are more suited for Suricata, as the Registered/Subscriber ruleset(s) contain SO (Shared Object) rules that Suricata will not load, potentially lessening the effect of the ruleset overall, as well as potentially causing Suricata to not operate correctly.

Thanks,
Wes
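As an added illustration (not code from the thread or from PulledPork itself), the check below parses the pipe-separated `rule_url=url|file|oinkcode` lines that Wes describes and flags the two problems raised here: a snort.org entry whose oinkcode field is still empty or a placeholder (which produces the "You need to define an oinkcode" error above), and a Snort Registered/Subscriber snapshot configured while ENGINE=suricata. The config fragment, the placeholder list and the `engine` parameter are constructed assumptions for the example.

```python
# Constructed pulledpork.conf excerpt (not Dave's actual file): one snort.org
# entry still carrying the <oinkcode> placeholder, and one ET Open entry.
SAMPLE_CONF = """\
# pulledpork.conf excerpt (constructed example)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
"""

# Values in the third field that mean "no oinkcode was actually defined"
# (assumed placeholder set for this example).
PLACEHOLDERS = {"", "<oinkcode>", "oinkcode"}


def parse_rule_urls(conf_text):
    """Return (url, tarball, oinkcode) tuples from active rule_url= lines,
    skipping comments and blank lines."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith("rule_url="):
            continue
        parts = line[len("rule_url="):].split("|")
        if len(parts) != 3:
            raise ValueError(f"malformed rule_url (expected url|file|oinkcode): {line}")
        entries.append(tuple(p.strip() for p in parts))
    return entries


def check_rule_urls(conf_text, engine="suricata"):
    """Flag a missing oinkcode on a snort.org entry, and Snort Registered/
    Subscriber tarballs (which contain SO rules) when the engine is Suricata."""
    findings = []
    for url, tarball, oinkcode in parse_rule_urls(conf_text):
        if "snort.org" in url and oinkcode.lower() in PLACEHOLDERS:
            findings.append(f"{tarball}: no oinkcode defined for {url}")
        if engine == "suricata" and tarball.startswith("snortrules-snapshot"):
            findings.append(
                f"{tarball}: Snort Registered/Subscriber rules include SO rules "
                f"that Suricata will not load; prefer ET Open/Pro"
            )
    return findings


if __name__ == "__main__":
    for finding in check_rule_urls(SAMPLE_CONF):
        print("WARNING:", finding)
```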

Dave Prince

Sep 28, 2017, 4:16:36 PM
to security-onion
Hi Wes,

Actually I was just reading one of your old posts about the SO rules with Suricata and have pulled the Snort subscriber rules out of the pulledpork.conf.

Everything is working now... sorry for the bother, and thank you for your help.

Thanks,
Dave