Robert Lasota | 29 May 15:30 2015

Re: Re: Re: PulledPork stopped updating and starts duplicate

On Friday, 29 May 2015 15:25 Shirkdog <shirkdog <at> gmail.com> wrote:

> As Snort releases new versions, older signature sets are no longer available.

But I have this option for the rule:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|371a21b01f5a8443c4ba8362b0b2df85

... so I suppose it should download the latest rules automatically, shouldn't it?

> We also need more information to help with your issue. Pulledpork looked like it ran successfully.

Sorry, I think it didn't run successfully. Why? Because in the log below (during the run) it doesn't display the "Rules stats" section, and it also doesn't update /var/log/sid_changes.log. Why???
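An added example (editor's code, not PulledPork's own) of what the rule_url line above means and why a run can end with "They Match" and no rule changes: the entry has three pipe-separated fields (base URL, tarball name, oinkcode), the tarball name gets the dot-less Snort version inserted (snortrules-snapshot.tar.gz becomes snortrules-snapshot-2962.tar.gz for 2.9.6.2, the name in the log), and the tarball is only fetched when the MD5 of the copy already on disk differs from the published one. Function names, the Snort version string and all sample data are assumptions made for this example.

```python
"""Added example, not PulledPork's own code: parsing a pulledpork.conf
rule_url entry, deriving the versioned tarball name, and the MD5
comparison behind "They Match". When the local tarball's MD5 equals the
published one nothing is downloaded, so no new rules can appear.
Function names, the version string and sample data are assumptions.
"""
import hashlib
import re
from typing import Optional, Tuple


def parse_rule_url(entry: str) -> Tuple[str, str, str]:
    """Split 'rule_url=<base url>|<tarball>|<oinkcode>' into its three fields."""
    value = entry.split("=", 1)[1] if entry.startswith("rule_url=") else entry
    parts = [p.strip() for p in value.strip().split("|")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 pipe-separated fields, got {len(parts)}")
    url, tarball, oinkcode = parts
    return url, tarball, oinkcode


def versioned_tarball(tarball: str, snort_version: str) -> str:
    """Insert the dot-less Snort version before .tar.gz, e.g.
    ('snortrules-snapshot.tar.gz', '2.9.6.2') -> 'snortrules-snapshot-2962.tar.gz'."""
    compact = re.sub(r"[^0-9]", "", snort_version)
    base, sep, rest = tarball.partition(".tar.gz")
    if not sep:
        raise ValueError("tarball name must end in .tar.gz")
    return f"{base}-{compact}{sep}{rest}"


def needs_download(local_tarball: Optional[bytes], published_md5: str) -> bool:
    """True when there is no local copy or its MD5 differs from the published one.
    False is the 'They Match' case: the existing tarball is reused as-is."""
    if local_tarball is None:
        return True
    return hashlib.md5(local_tarball).hexdigest() != published_md5.strip().lower()


def redact_oinkcode(oinkcode: str) -> str:
    """Keep only the first four characters for log output; the oinkcode is the
    credential that authorizes the download, so it is kept out of logs."""
    return oinkcode[:4] + "*" * (len(oinkcode) - 4)


if __name__ == "__main__":
    # Constructed config line; the oinkcode is a placeholder, not a real one.
    entry = ("rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|"
             "0123456789abcdef0123456789abcdef")
    url, tarball, code = parse_rule_url(entry)
    print(f"would fetch {url}{versioned_tarball(tarball, '2.9.6.2')} "
          f"using oinkcode {redact_oinkcode(code)}")

    # Constructed bytes standing in for a snapshot downloaded on an earlier run.
    local = b"constructed snapshot contents"
    print("download needed:", needs_download(local, hashlib.md5(local).hexdigest()))  # False
    print("download needed:", needs_download(local, "0" * 32))                         # True
```

Because the file name is derived from the Snort version PulledPork is told about, the same rule_url keeps pointing at the 2962 snapshot until that version is changed; the "They Match" line in the log is the comparison above returning False, which is why the run finishes without a "Rules stats" section or any change to the rules.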

 

 

 


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users <at> lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



 


Robert Lasota | 29 May 15:21 2015

Re: PulledPork stopped updating and starts duplicate


I also noticed that it doesn't update /var/log/sid_changes.log while running, what the hell?? I've been sitting on it since morning and nothing... I still can't find the reason :(

 

Robert

 

 

 

 


Gonçalo Fonseca | 29 May 13:23 2015

Problem downloading nor rules

Good morning,

When I try to download Snort rules using wget I get the following error: ERROR 403: Forbidden.
I can't configure the automatic rules updates because I always get this error.

If I run wget in debug mode, I get the attached message.

It seems to me that it is asking for the initial page CAPTCHA.
Why is this happening?
Attachment (error.rtf): text/rtf, 10 KiB

Regards

Jorge Gonçalo Fonseca

_________________________________________________

Centro de Informática
Jorge Gonçalo Fonseca
Rua do Curral, Casa do Curral   4610-156 Felgueiras
Tlf: 255 314 002  - Fax: 255 314 120
e-mail: jgmf <at> estgf.ipp.pt

 


Marcio Guerreiro | 29 May 12:16 2015

what is the latest IDS management tool ?

Hi everyone,

I am looking for the latest Snort IDS management tool to send alerts via email, display a graphical interface, etc.

I have been reading a lot of books that mention Snort SAM, Snortfw, guardian, EasyIDS, ELSA, IDScenter; however, it seems that those tools are 5 to 10 years old.

I would like to know what the latest and most up-to-date management tool is that is being used to send email alerts and as a management console in the market.

Thank you very much in advance.

Marcio Guerreiro

 

 

 

 

Robert Lasota | 29 May 09:50 2015

PulledPork stopped updating and starts duplicate

Hi,


Has anybody come across such a strange case? I mean, I had a working PulledPork, then I changed something (but I don't even know what, because I only found out about it later), and now during the run it doesn't display what it updates/changes in the rules, and it also starts duplicating rules! After every subsequent run I get the same rule files in the rules directory, but with the same rules appended again :(

 

./pulledpork.pl -P -k -I security -c etc/pulledpork.conf

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  <at> _/        /  66\_  cummingsj <at> gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2962.tar.gz....
        They Match
        Done!
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
        Done!
Reading rules...
Reading rules...
Activating security rulesets....
        Done
Modifying Sids....
        Done!
Processing /tmp/pulledpork-0.7.0/etc/enablesid.conf....
        Modified 0 rules
        Done
Processing /tmp/pulledpork-0.7.0/etc/dropsid.conf....
        Modified 0 rules
        Done
Processing /tmp/pulledpork-0.7.0/etc/disablesid.conf....
        Modified 0 rules
        Done
Setting Flowbit State....
        Enabled 777 flowbits
        Enabled 25 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
Writing rules to unique destination files....
        Writing rules to /tmp/rules/
        Done
Generating sid-msg.map....
        Done
Writing v1 /tmp/sid-msg.map....
        Done
Fly Piggy Fly!
[root <at> FIREGATE pulledpork-0.7.0]

 

What is going on ?

Robert
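An added example (editor's code, not part of the thread or of PulledPork) of a check for the symptom described above, rule files that grow by the same rules after every run: it scans the .rules files in a directory for sid:<n>; values and reports every sid that occurs more than once. The sample rules and the temporary directory are constructed here; point find_duplicate_sids() at the real rules directory to use it.

```python
"""Added example, not part of the thread or of PulledPork: report sids that
occur more than once across the *.rules files in a directory, which is what
an output directory looks like when the same rules get appended on every
run. Sample rules and the temporary directory are constructed here.
"""
import re
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# sid:<number>; anywhere in the option block.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def sids_in_text(text: str) -> List[Tuple[int, int]]:
    """Return (line number, sid) for each active rule line; commented-out
    rules and blank lines are skipped."""
    found: List[Tuple[int, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = SID_RE.search(stripped)
        if m:
            found.append((lineno, int(m.group(1))))
    return found


def find_duplicate_sids(rules_dir: Path) -> Dict[int, List[str]]:
    """Map each sid that appears more than once across *.rules files to the
    'file:line' locations where it appears, in file order."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for path in sorted(rules_dir.glob("*.rules")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, sid in sids_in_text(text):
            seen[sid].append(f"{path.name}:{lineno}")
    return {sid: where for sid, where in seen.items() if len(where) > 1}


def build_sample_dir(base: Path) -> Path:
    """Write a small rules directory that shows the appended-duplicate symptom."""
    rules = base / "rules"
    rules.mkdir(parents=True, exist_ok=True)
    ssh = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; sid:1000001; rev:1;)\n'
    dns = 'alert udp any any -> $HOME_NET 53 (msg:"DNS probe"; sid:1000002; rev:1;)\n'
    off = '# alert tcp any any -> any 80 (msg:"disabled"; sid:1000003; rev:1;)\n'
    # First run wrote the three rules; a second run appended the two active ones again.
    (rules / "security.rules").write_text(ssh + dns + off + ssh + dns, encoding="utf-8")
    (rules / "local.rules").write_text(
        'alert icmp any any -> any any (msg:"ping"; sid:1000010; rev:1;)\n', encoding="utf-8")
    return rules


def demo() -> Dict[int, List[str]]:
    """Run the check against the constructed sample directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_duplicate_sids(build_sample_dir(Path(tmp)))


if __name__ == "__main__":
    for sid, where in sorted(demo().items()):
        print(f"sid {sid} appears {len(where)} times: {', '.join(where)}")
```

Running this after each PulledPork run, before Snort is restarted, turns the vague "the rules look duplicated" into a list of sids and line numbers that can be compared between runs; a clean "Writing rules to unique destination files" run should produce an empty result.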

 


Robert Lasota | 28 May 13:50 2015

Pulledpork and changing rules in modifysid.conf

Hi,

We need to change rules, but I don't know how to do this with this file because I have a difficult case.

 

The goal is: change every rule with "alert tcp" to "drop tcp" AND add the string "react: msg; "

 

Thanks,

Robert
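An added example (editor's code, not PulledPork's modifysid.conf machinery) of a rewriter that applies the two changes asked for above to every rule in a rules file: "alert tcp" becomes "drop tcp" and the "react: msg;" option is appended to the option block. It is a post-processing step over the files PulledPork writes; PulledPork's own dropsid.conf (mentioned later on this page) covers the alert-to-drop part per sid, so this script mainly adds the react option. Function names and the sample rules are constructed for this example.

```python
"""Added example, not PulledPork's own code: rewrite every active
'alert tcp' rule to 'drop tcp' and append 'react: msg;' to its options.
Comments, other protocols and rules that are already 'drop' are left as
they are. Function names and the sample rules are constructed here.
"""
import re

# Matches the leading action/protocol pair of an 'alert tcp' rule.
HEADER_RE = re.compile(r"^(?P<action>alert)\s+(?P<proto>tcp)\b", re.IGNORECASE)
REACT_OPT = "react: msg;"
REACT_PRESENT = re.compile(r"\breact\s*:")


def rewrite_rule(line: str) -> str:
    """Rewrite one rule line; anything that is not an active 'alert tcp' rule
    (comments, blank lines, other protocols, rules already using 'drop') is
    returned unchanged."""
    text = line.rstrip("\n")
    if not text.strip() or text.lstrip().startswith("#"):
        return line
    m = HEADER_RE.match(text)
    if not m:
        return line
    # 1. alert -> drop. Only the leading action word is replaced, so the word
    #    'alert' inside an msg:"..." string is never touched.
    rule = "drop" + text[m.end("action"):]
    # 2. Add react: msg; just before the ')' that closes the option block,
    #    unless the rule already carries a react option.
    if REACT_PRESENT.search(rule):
        return rule + "\n"
    close = rule.rfind(")")
    if close == -1:
        raise ValueError(f"rule has no option block: {text!r}")
    body = rule[:close].rstrip()
    sep = "" if body.endswith((";", "(")) else ";"
    return f"{body}{sep} {REACT_OPT}{rule[close:]}\n"


def rewrite_rules(text: str) -> str:
    """Apply rewrite_rule() to every line of a rules file."""
    return "".join(rewrite_rule(line) for line in text.splitlines(keepends=True))


# Constructed sample rules file: one rule to rewrite, one for another
# protocol, one commented out, one that is already a drop rule.
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH alert test"; '
    'flow:established,to_server; sid:1000001; rev:1;)\n'
    'alert udp any any -> $HOME_NET 53 (msg:"DNS probe"; sid:1000002; rev:1;)\n'
    '# alert tcp any any -> any 80 (msg:"disabled"; sid:1000003; rev:1;)\n'
    'drop tcp any any -> any 23 (msg:"already drop"; sid:1000004; rev:1;)\n'
)

if __name__ == "__main__":
    print(rewrite_rules(SAMPLE_RULES), end="")
```

Two design points: the action is matched only at the start of the line so that an "alert" inside an msg string is never rewritten, and a rule that already has a react option is not given a second one. react is one of Snort's active-response options; whether it can actually push a page to the client depends on the deployment mode (inline or passive), which this script does not check.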

 

 


Pratik Narang | 28 May 13:39 2015

Estimating Snort's speed in processing pcaps

Dear Snort users,

I was recently feeding some pcaps to Snort, and trying to understand
how fast it does so. The results are a bit surprising and I think I need
some help from the experts here...

So, I ran: sudo snort -c /etc/snort/snort.conf --pcap-dir="/path/to/dump"
It had some 4,000 files, each of around 50 MB, totaling 200 GB. These
files were captured using dumpcap on my University's backbone router,
with payloads truncated to 150 bytes. "capinfos" on one such file is
given below:

capinfos trace_00001_20150502000001.pcap
File name:           trace_00001_20150502000001.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 150 bytes
Packet size limit:   inferred: 150 bytes
Number of packets:   419649
File size:           51200110 bytes
Data size:           305514817 bytes
Capture duration:    21 seconds
Start time:          Sat May  2 00:00:01 2015
End time:            Sat May  2 00:00:22 2015
Data byte rate:      14640117.49 bytes/sec
Data bit rate:       117120939.92 bits/sec
Average packet size: 728.02 bytes
Average packet rate: 20109.37 packets/sec

What astounded me was that Snort took a little more than one hour to
go through all of the pcaps. That means more than one file every
second, which is amazing!!
What I wish to know here: is this processing speed of Snort "pretty
normal", or am I missing something?
FWIW, I am running Snort on a server-grade machine with 64 GB of RAM
and 24 cores.

Cheers!
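An added example (editor's code, not part of the original post) that parses the capinfos output quoted above and combines it with the run described (4,000 files of that size processed in about one hour) to give the per-second rates that make a pcap-replay run comparable with live traffic. The 4,000 file count and the 3600 s wall clock are round figures taken from the post; the capinfos text is embedded exactly as given there.

```python
"""Added example, not part of the original post: parse capinfos output and
scale one file's figures to the whole run to get Snort's effective packet
rate, on-disk read rate and wire-equivalent bit rate. The file count
(4,000) and wall-clock time (3600 s) are round figures from the post.
"""
import re
from typing import Dict

# Verbatim capinfos output from the post.
CAPINFOS = """\
File name:           trace_00001_20150502000001.pcap
File type:           Wireshark/tcpdump/... - libpcap
File encapsulation:  Ethernet
Packet size limit:   file hdr: 150 bytes
Packet size limit:   inferred: 150 bytes
Number of packets:   419649
File size:           51200110 bytes
Data size:           305514817 bytes
Capture duration:    21 seconds
Start time:          Sat May  2 00:00:01 2015
End time:            Sat May  2 00:00:22 2015
Data byte rate:      14640117.49 bytes/sec
Data bit rate:       117120939.92 bits/sec
Average packet size: 728.02 bytes
Average packet rate: 20109.37 packets/sec
"""


def parse_capinfos(text: str) -> Dict[str, str]:
    """Turn 'Key:   value' lines into a dict. 'Packet size limit' occurs twice;
    the first occurrence (the file header value) is kept."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info.setdefault(key.strip(), value.strip())
    return info


def leading_number(value: str) -> float:
    """'51200110 bytes' -> 51200110.0, '21 seconds' -> 21.0."""
    m = re.match(r"\s*([0-9]+(?:\.[0-9]+)?)", value)
    if not m:
        raise ValueError(f"no number at start of {value!r}")
    return float(m.group(1))


def replay_rates(info: Dict[str, str], n_files: int, wall_seconds: float) -> Dict[str, float]:
    """Scale one file's capinfos figures to n_files and divide by the wall-clock
    time Snort needed. 'File size' is what Snort actually reads (payloads cut
    at the 150-byte snaplen); 'Data size' is the original wire volume."""
    packets = leading_number(info["Number of packets"]) * n_files
    on_disk = leading_number(info["File size"]) * n_files
    on_wire = leading_number(info["Data size"]) * n_files
    captured = leading_number(info["Capture duration"]) * n_files
    return {
        "packets_per_sec": packets / wall_seconds,
        "disk_mbytes_per_sec": on_disk / wall_seconds / 1e6,
        "wire_gbit_per_sec": on_wire * 8 / wall_seconds / 1e9,
        "speedup_vs_realtime": captured / wall_seconds,
        "truncation_ratio": on_wire / on_disk,
    }


def demo() -> Dict[str, float]:
    """The run from the post: 4,000 such files in roughly 3600 s."""
    return replay_rates(parse_capinfos(CAPINFOS), 4000, 3600.0)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value:,.2f}")
```

The figures that come out are roughly 466,000 packets per second, 57 MB/s read from disk, and about 2.7 Gbit/s of wire-equivalent traffic, i.e. about 23 times faster than real time; the truncation ratio of about 6 shows that the 200 GB on disk stood for roughly 1.2 TB on the wire. Snort 2.x decodes and inspects on a single thread, so the 24 cores do not multiply this figure; the packet rate is what one core achieved.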


filipe.palma@scms.pt | 27 May 23:17 2015

Forbidden

Hi,

I have Snort installed in pfSense and I can't update Snort rules. Whenever I try to download rules I receive a Forbidden error.

Is my account blocked?

Thanks.

Filipe


Version 2.9.7.2 GRE (Build 177) FreeBSD
By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.6.2
Using PCRE version: 8.35 2014-04-04
Using ZLIB version: 1.2.8

Robert Lasota | 26 May 15:52 2015

Rules managing

Hi,

We want to use these rules: snortrules-snapshot, community-rules and emerging.rules. Now, we also want to use PulledPork to prepare them (or it could be Oinkmaster). Moreover, I see the Snort and Emerging rules have categories, e.g. imap, smtp, malware, dos and so on. But the community rules don't; they come as just one file.

 

My questions are:

- how to split custom rules into categories (by apps) like the Snort and Emerging rules have?

- why are so many of the rules (in every one of those groups) commented out? I know about the three groups: Connectivity, Balanced, Security, but when I use this approach I lose the app categorization approach (I think...)

- how to bring together these two approaches: categorization and apps? Because the best would be if we could first grab rules from the Security group, and then grab from it only the rules for, e.g., malware and voip.

 

Thanks in advance

Robert

 

 

 



Re: Segregating drop alerts

Dear Anshuman,

The second rule is what I thought you meant by "drop" rule. As far as I 
know, that second rule will *not* make an entry in your alerting or in your 
logfiles; it will be as if the packet had never been seen by Snort.

Do you actually have both rules configured into Snort? I don't know what 
the behavior would be in that case.

Best, -g
-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

> Sorry missed to give an example of rule set to drop.
>
> Here is an example-
>
> This is a default alert rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
>
> Same rule is configured as drop rule using pulledpork dropsid.conf which makes the alert rule to drop rule
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN SSH BruteForce Tool with fake PUTTY version"; flow:established,to_server; content:"SSH-2.0-PUTTY"; depth:13; threshold: type limit, track by_src, count 1, seconds 30; classtype:network-scan; sid:2019876; rev:2;)
>
> Regards,
> Anshuman
>


Michael Steele | 26 May 13:11 2015

Rule sets omitted from default snort.conf in 2.9.7.3

I’m noticing multiple rule sets omitted from the default snort.conf file in the 2.9.7.3 compile?

 

Is this the way it is supposed to be for default?

 

Thanks…

