I am trying to setup PulledPork to update my Snort rules but I can't get it work like I want to
When I run this command:
I get this
This folder /usr/local/etc/snort/rules/ content doesn't contain what I see if I extract the snapshot in it manually, it should contain files listed in snort.conf like
but they are not there and why I get this VRT- prefix?
I also saw this in pulledpork.conf
This makes me wonder should I use just one big file or all of these little files that can be included separately?
Here's my pulledpork.conf
When I run this command:
perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -C /usr/local/etc/snort/snort.conf -k -K /usr/local/etc/snort/rules/ -s /usr/local/etc/snort/rules/so_rules -o /usr/local/etc/snort/all.rulesI get this
Code:
Rules tarball download of snortrules-snapshot-2962.tar.gz....
IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
Reading IP List...
Prepping rules from snortrules-snapshot-2962.tar.gz for work....
Done!
Reading rules...
Generating Stub Rules....
An error occurred: ERROR: /usr/local/etc/snort/./rules/app-detect.rules(0) Unable to open rules file "/usr/local/etc/snort/./rules/app-detect.rules": No such file or directory.
An error occurred: Fatal Error, Quitting..
Done
Reading rules...
Reading rules...
Blacklist version is unchanged, not updating!
Setting Flowbit State....
Enabled 39 flowbits
Done
Writing rules to unique destination files....
Writing rules to /usr/local/etc/snort/rules/
Done
Generating sid-msg.map....
Done
Writing v1 /usr/local/etc/snort/sid-msg.map....
Done
Fly Piggy Fly!
#:/usr/local/etc/snort/rules > ls
total 23067
drwxr-xr-x 4 root wheel 77B Oct 10 11:43 .
drwxr-xr-x 5 root wheel 18B Oct 10 11:33 ..
-rw-r--r-- 1 root wheel 94K Oct 10 11:47 VRT-app-detect.rules
-rw-r--r-- 1 root wheel 1.8M Oct 10 11:47 VRT-blacklist.rules
-rw-r--r-- 1 root wheel 21K Oct 10 11:47 VRT-browser-chrome.rules
-rw-r--r-- 1 root wheel 153K Oct 10 11:47 VRT-browser-firefox.rules
-rw-r--r-- 1 root wheel 1.0M Oct 10 11:47 VRT-browser-ie.rules
-rw-r--r-- 1 root wheel 23K Oct 10 11:47 VRT-browser-other.rules
-rw-r--r-- 1 root wheel 2.4M Oct 10 11:47 VRT-browser-plugins.rules
-rw-r--r-- 1 root wheel 56K Oct 10 11:47 VRT-browser-webkit.rules
-rw-r--r-- 1 root wheel 14K Oct 10 11:47 VRT-content-replace.rules
-rw-r--r-- 1 root wheel 39K Oct 10 11:47 VRT-decoder.rules
-rw-r--r-- 1 root wheel 2.5K Oct 10 11:47 VRT-dos.rules
-rw-r--r-- 1 root wheel 680K Oct 10 11:47 VRT-exploit-kit.rules
-rw-r--r-- 1 root wheel 44K Oct 10 11:47 VRT-file-executable.rules
-rw-r--r-- 1 root wheel 467K Oct 10 11:47 VRT-file-flash.rules
-rw-r--r-- 1 root wheel 825K Oct 10 11:47 VRT-file-identify.rules
-rw-r--r-- 1 root wheel 159K Oct 10 11:47 VRT-file-image.rules
-rw-r--r-- 1 root wheel 196K Oct 10 11:47 VRT-file-java.rules
-rw-r--r-- 1 root wheel 275K Oct 10 11:47 VRT-file-multimedia.rules
-rw-r--r-- 1 root wheel 802K Oct 10 11:47 VRT-file-office.rules
-rw-r--r-- 1 root wheel 561K Oct 10 11:47 VRT-file-other.rules
-rw-r--r-- 1 root wheel 478K Oct 10 11:47 VRT-file-pdf.rules
-rw-r--r-- 1 root wheel 174K Oct 10 11:47 VRT-indicator-compromise.rules
-rw-r--r-- 1 root wheel 107K Oct 10 11:47 VRT-indicator-obfuscation.rules
-rw-r--r-- 1 root wheel 18K Oct 10 11:47 VRT-indicator-scan.rules
-rw-r--r-- 1 root wheel 167K Oct 10 11:47 VRT-indicator-shellcode.rules
-rw-r--r-- 1 root wheel 543K Oct 10 11:47 VRT-malware-backdoor.rules
-rw-r--r-- 1 root wheel 2.3M Oct 10 11:47 VRT-malware-cnc.rules
-rw-r--r-- 1 root wheel 527K Oct 10 11:47 VRT-malware-other.rules
-rw-r--r-- 1 root wheel 111K Oct 10 11:47 VRT-malware-tools.rules
-rw-r--r-- 1 root wheel 248K Oct 10 11:47 VRT-netbios.rules
-rw-r--r-- 1 root wheel 15K Oct 10 11:47 VRT-os-linux.rules
-rw-r--r-- 1 root wheel 93K Oct 10 11:47 VRT-os-mobile.rules
-rw-r--r-- 1 root wheel 7.1K Oct 10 11:47 VRT-os-other.rules
-rw-r--r-- 1 root wheel 7.1K Oct 10 11:47 VRT-os-solaris.rules
-rw-r--r-- 1 root wheel 600K Oct 10 11:47 VRT-os-windows.rules
-rw-r--r-- 1 root wheel 4.1K Oct 10 11:47 VRT-policy-multimedia.rules
-rw-r--r-- 1 root wheel 52K Oct 10 11:47 VRT-policy-other.rules
-rw-r--r-- 1 root wheel 49K Oct 10 11:47 VRT-policy-social.rules
-rw-r--r-- 1 root wheel 126K Oct 10 11:47 VRT-policy-spam.rules
-rw-r--r-- 1 root wheel 83K Oct 10 11:47 VRT-preprocessor.rules
-rw-r--r-- 1 root wheel 27K Oct 10 11:47 VRT-protocol-dns.rules
-rw-r--r-- 1 root wheel 6.8K Oct 10 11:47 VRT-protocol-finger.rules
-rw-r--r-- 1 root wheel 74K Oct 10 11:47 VRT-protocol-ftp.rules
-rw-r--r-- 1 root wheel 63K Oct 10 11:47 VRT-protocol-icmp.rules
-rw-r--r-- 1 root wheel 38K Oct 10 11:47 VRT-protocol-imap.rules
-rw-r--r-- 1 root wheel 8.9K Oct 10 11:47 VRT-protocol-nntp.rules
-rw-r--r-- 1 root wheel 16K Oct 10 11:47 VRT-protocol-pop.rules
-rw-r--r-- 1 root wheel 182K Oct 10 11:47 VRT-protocol-rpc.rules
-rw-r--r-- 1 root wheel 177K Oct 10 11:47 VRT-protocol-scada.rules
-rw-r--r-- 1 root wheel 10K Oct 10 11:47 VRT-protocol-services.rules
-rw-r--r-- 1 root wheel 23K Oct 10 11:47 VRT-protocol-snmp.rules
-rw-r--r-- 1 root wheel 19K Oct 10 11:47 VRT-protocol-telnet.rules
-rw-r--r-- 1 root wheel 13K Oct 10 11:47 VRT-protocol-tftp.rules
-rw-r--r-- 1 root wheel 188K Oct 10 11:47 VRT-protocol-voip.rules
-rw-r--r-- 1 root wheel 663K Oct 10 11:47 VRT-pua-adware.rules
-rw-r--r-- 1 root wheel 17K Oct 10 11:47 VRT-pua-other.rules
-rw-r--r-- 1 root wheel 14K Oct 10 11:47 VRT-pua-p2p.rules
-rw-r--r-- 1 root wheel 177K Oct 10 11:47 VRT-pua-toolbars.rules
-rw-r--r-- 1 root wheel 5.3K Oct 10 11:47 VRT-scada.rules
-rw-r--r-- 1 root wheel 2.7K Oct 10 11:47 VRT-sensitive-data.rules
-rw-r--r-- 1 root wheel 82K Oct 10 11:47 VRT-server-apache.rules
-rw-r--r-- 1 root wheel 142K Oct 10 11:47 VRT-server-iis.rules
-rw-r--r-- 1 root wheel 117K Oct 10 11:47 VRT-server-mail.rules
-rw-r--r-- 1 root wheel 55K Oct 10 11:47 VRT-server-mssql.rules
-rw-r--r-- 1 root wheel 51K Oct 10 11:47 VRT-server-mysql.rules
-rw-r--r-- 1 root wheel 453K Oct 10 11:47 VRT-server-oracle.rules
-rw-r--r-- 1 root wheel 859K Oct 10 11:47 VRT-server-other.rules
-rw-r--r-- 1 root wheel 25K Oct 10 11:47 VRT-server-samba.rules
-rw-r--r-- 1 root wheel 1.3M Oct 10 11:47 VRT-server-webapp.rules
-rw-r--r-- 1 root wheel 61K Oct 10 11:47 VRT-sql.rules
-rw-r--r-- 1 root wheel 1.8K Oct 10 11:47 VRT-x11.rules
drwxr-xr-x 2 root wheel 3B Oct 10 10:18 iplists
-rw-r--r-- 1 root wheel 9B Oct 10 11:42 iplistsIPRVersion.dat
-rw-r--r-- 1 root wheel 0B Oct 10 10:47 local.rules
drwxr-xr-x 2 root wheel 36B Oct 10 11:43 so_rulesThis folder /usr/local/etc/snort/rules/ content doesn't contain what I see if I extract the snapshot in it manually, it should contain files listed in snort.conf like
Code:
include $RULE_PATH/app-detect.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
include $RULE_PATH/bad-traffic.rulesbut they are not there and why I get this VRT- prefix?
I also saw this in pulledpork.conf
Code:
# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!This makes me wonder should I use just one big file or all of these little files that can be included separately?
Here's my pulledpork.conf
Code:
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!
#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######
# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|CODE
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|CODE
# NEW Community ruleset:
#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
# rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|CODE
# URL for rule documentation! (slow to process)
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|CODE
#rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
# NOTE above that the VRT snortrules-snapshot does not contain the version
# portion of the tarball name, this is because PP now automatically populates
# this value for you, if, however you put the version information in, PP will
# NOT populate this value but will use your value!
# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces. There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
# regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
# rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
# preprocessor rules located in the /preproc_rules directory of the tarball,
# ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
# rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted.rules,experimental.rules,local.rules
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
# What is our temp path, be sure this path has a bit of space for rule
# extraction and manipulation, no trailing slash
temp_path=/tmp
#######
####### The below section is for rule processing. This section is
####### required if you are not specifying the configuration using
####### runtime switches. Note that runtime switches do SUPERSEED
####### any values that you have specified here!
#######
# What path you want the .rules file containing all of the processed
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
# rule_path=/usr/local/etc/snort/rules/snort.rules
# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
out_path=/usr/local/etc/snort/rules/
# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
# local.rules metadata (msg) information. You can specify other rules
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
local_rules=/usr/local/etc/snort/rules/local.rules
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
sid_msg_version=1
# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/sid_changes.log
# this value is optional
#######
####### The below section is for so_rule processing only. If you don't
####### need to use them.. then comment this section out!
####### Alternately, if you are not using pulledpork to process
####### so_rules, you can specify -T at runtime to bypass this altogether
#######
# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/etc/snort/so_rules/
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf
##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types:
# Debian-6-0,
# Ubuntu-10-4, Ubuntu-12-04
# Centos-5-4
# FC-12, FC-14, RHEL-5-5, RHEL-6-0
# FreeBSD-8-1, FreeBSD-9-0
# OpenBSD-4-8, OpenBSD-5-2, OpenBSD-5-3
# Slackware-13-1
distro=FreeBSD-9-0
####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!
# If you are using IP Reputation and getting some public lists, you will probably
# want to tell pulledpork where your blacklist file lives, PP automagically will
# de-dupe any duplicate IPs from different sources.
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
# the IP list can be reloaded while snort is running through the use of a control
# socket. Please be sure that you built snort with the following optins:
# -enable-shared-rep and --enable-control-socket. Be sure to read about how to
# configure these! The following option tells pulledpork where to place the version
# file for use with control socket ip list reloads!
# This should be the same path where your black_list lives!
IPRVersion=/usr/local/etc/snort/rules/iplists
# The following option tells snort where the snort_control tool is located.
snort_control=/usr/local/bin/snort_control
# What do you want to backup and archive? This is a comma separated list
# of file or directory values. If a directory is specified, PP will recurse
# through said directory and all subdirectories to archive all files.
# The following example backs up all snort config files, rules, pulledpork
# config files, and snort shared object binary rules.
# backup=/usr/local/etc/snort,/usr/local/etc/pulledpork,/usr/local/etc/snort/so_rules/
# what path and filename should we use for the backup tarball?
# note that an epoch time value and the .tgz extension is automatically added
# to the backup_file name on completeion i.e. the written file is:
# pp_backup.1295886020.tgz
# backup_file=/tmp/pp_backup
# Where do you want the signature docs to be copied, if this is commented
# out then they will not be copied / extracted. Note that extracting them
# will add considerable runtime to pulledpork.
# docs=/path/to/base/www
# The following option, state_order, allows you to more finely control the order
# that pulledpork performs the modify operations, specifically the enablesid
# disablesid and dropsid functions. An example use case here would be to
# disable an entire category and later enable only a rule or two out of it.
# the valid values are disable, drop, and enable.
# state_order=disable,drop,enable
# Define the path to the pid files of any running process that you want to
# HUP after PP has completed its run.
# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
# and so on...
# pid_path=/var/run/snort_eth0.pid
# This defines the version of snort that you are using, for use ONLY if the
# proper snort binary is not on the system that you are fetching the rules with
# This value MUST contain all 4 minor version
# numbers. ET rules are now also dependant on this, verify supported ET versions
# prior to simply throwing rubbish in this variable kthx!
# snort_version=2.9.0.0
# Here you can specify what rule modification files to run automatically.
# simply uncomment and specify the apt path.
# enablesid=/usr/local/etc/pulledpork/enablesid.conf
# dropsid=/usr/local/etc/pulledpork/dropsid.conf
# disablesid=/usr/local/etc/pulledpork/disablesid.conf
# modifysid=/usr/local/etc/pulledpork/modifysid.conf
# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
# ips_policy=security
####### Remember, a number of these values are optional.. if you don't
####### need to process so_rules, simply comment out the so_rule section
####### you can also specify -T at runtime to process only GID 1 rules.
version=0.7.0