yookd / pulledpork
Automatically exported from code.google.com/p/pulledpork
License: GNU General Public License v2.0
This is kind of like what I think you might be doing for -I.
There are rules related to particular services or applications that,
depending on the environment, will never be relevant to a sensor. For
example, none of my sensors ever need to have rules enabled for anything
related to McAfee, Sophos, BrightStor, MailEnable, etc (I have a list of
40+ keywords I currently search for). Any new rules for these will always
be irrelevant unless my environment changes.
I spend a lot of time playing games with grep and cut to find rules with
these terms in the msg: section of rules and then outputting their SID to
my onikmaster.conf. Especially when deploying a new sensor.
The same holds true to some extent for the reference: section of a rule (but I have
to be more careful when using this section). For example, I know which
Windows servers have which patches, so if all the servers a sensor is
monitoring are up to date with patches, anything in the reference: section
with MS00, MS01, MS02, etc. is not needed.
The ability to do this on the fly would be immensely helpful and cut down
on the amount of time it takes to enable/disable rules when an update is
released.
I could see two possible options here:
1) keyword.conf at run time.
Syntax: <rule option>:<keyword>
Example: msg:MailEnable
That would search only the msg: section of all rules and disable any rule
with MailEnable in it.
Pros:
Very helpful
Cons:
Increases the amount of time it would take to run Pulledpork. This actually
would not take too long if you only look for rules that are currently
enabled. Also, it would not be too bad if you implemented an oinkmaster'ish
skipfile: option in pulledpork.conf to skip entire files that you are just
going to disable in snort.conf anyway (also currently needed for
local.rules BTW...).
2) keyword.conf non-runtime
Same syntax but instead of disabling the rule during an update send the
rule's GID:SID to disablesid.conf to be used later during an actual update.
You would have to make a call about case sensitivity of the search in
either case. And the order it occurs in compared to -I (and -E/e from the
other issue I opened).
Original issue reported on code.google.com by [email protected]
on 28 Jan 2010 at 4:49
What steps will reproduce the problem?
1. On a server with egress filtering, only allow outbound access to
www.snort.org (not
dl.snort.org).
2. Initiate the pulledpork download.
What is the expected output? What do you see instead?
I would expect pulledpork to say that www.snort.org returned an HTTP 302
Redirect and that it was attempting to download from dl.snort.org now.
Instead, it just hangs and eventually fails with:
Error 500 when fetching http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2860.tar.gz.md5 at /usr/local/bin/pulledpork.pl line 306.
What version of the product are you using? On what operating system?
PulledPork 0.4.1 on RHEL 5
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 1 Jun 2010 at 3:23
I found an oddity with the new enable option. Probably related to enabling
ranges.
The text "# SIMILAR RULES: sid:1125" appears in the current web-misc.rules
files. I have an enable range setup in my "enablesid.conf" that includes
SID 1125 in it, so I end up with a line in my post-PP rule file that says:
SIMILAR RULES: sid:1125
Which obviously causes Snort to choke when it starts.
Apparently PP is "enabling" this comment due to the mention of the sid in it.
Might need to add a check to ensure the line is actually a rule before
removing the # comment.
Original issue reported on code.google.com by [email protected]
on 1 Apr 2010 at 5:15
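The keyword request in the first post above and the "# SIMILAR RULES: sid:1125" report come down to the same parser: decide whether a line really is a rule before doing anything to it, then look at its msg: and sid:. The following is an added example, not pulledpork's own code. It finds enabled rules whose msg: contains any of a list of keywords and emits their GID:SID in disablesid.conf form, and it comments or uncomments rules by GID:SID while leaving a line that merely mentions a sid untouched. The rule bodies and the sids 1000001/1000002 are constructed for illustration; a rule without gid: is taken as gid 1, and whitespace after "sid:" is tolerated.

```python
"""Added example, not pulledpork's own code: select rules by a keyword in
msg:, emit their GID:SID for disablesid.conf, and comment/uncomment rules
without ever touching a line that only mentions a sid in a comment.
Sample rules below are constructed (the 1000001/1000002 sids are not real)."""
import re

# A rule line: optional leading "#", an action, a protocol, then an option
# body in parentheses that contains sid:.  "\s*" after "sid:" accepts the
# "sid: 2001564;" spelling some ET rules use.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?'
    r'(?P<action>alert|log|pass|drop|sdrop|reject|activate|dynamic)\s+'
    r'\S+\s+.*\(.*\bsid:\s*(?P<sid>\d+)\s*;.*\)\s*$'
)
# msg text, allowing backslash escapes inside the quotes
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')


def parse_rule(line):
    """(gid, sid, msg, enabled) for a rule line, or None for anything
    else, e.g. '# SIMILAR RULES: sid:1125' or a preprocessor line."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    gid = GID_RE.search(line)
    msg = MSG_RE.search(line)
    return (int(gid.group(1)) if gid else 1,     # gid: absent means 1
            int(m.group("sid")),
            msg.group(1) if msg else "",
            m.group("off") is None)


def keyword_sids(lines, keywords, only_enabled=True):
    """GID:SID of every rule whose msg: contains one of the keywords,
    case-insensitively; only_enabled skips rules that are already
    commented out, which keeps the output (and run time) small."""
    wanted = [k.lower() for k in keywords]
    found = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        gid, sid, msg, enabled = parsed
        if only_enabled and not enabled:
            continue
        if any(k in msg.lower() for k in wanted):
            found.append(f"{gid}:{sid}")
    return found


def set_enabled(lines, sids, enable):
    """Return a copy of lines with the rules in sids enabled or disabled.
    Lines that are not rules are passed through unchanged."""
    out = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is not None and f"{parsed[0]}:{parsed[1]}" in sids:
            body = re.sub(r'^\s*#\s*', '', line)   # the bare rule text
            line = body if enable else "# " + body
        out.append(line)
    return out


# constructed sample: an enabled MailEnable rule, the comment from the
# report above, an ET-style rule with a space after "sid:", and a
# McAfee rule that ships disabled
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"WEB-MISC MailEnable '
    'IMAP overflow attempt"; sid:1000001; rev:1;)',
    '# SIMILAR RULES: sid:1125',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE '
    'MarketScore.com Spyware Proxied Traffic"; sid: 2001564; rev:6;)',
    '# alert udp any any -> any 53 (msg:"DNS McAfee update check"; '
    'sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for entry in keyword_sids(SAMPLE_RULES, ["MailEnable", "McAfee"]):
        print(entry)                       # -> 1:1000001
    for line in set_enabled(SAMPLE_RULES, {"1:1125", "1:1000002"}, True):
        print(line)                        # the comment line is unchanged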
What version of the product are you using? On what operating system?
* pulledpork HEAD (rev 151), FreeBSD-7.3
Please provide any additional information below.
* attached a diff to svn rev. 151 with some corrections for typos/spell changes
* update and sort the list of so_rules to current available so_rules (sorted by
distro) in pulledpork.(pl|conf)
* change message "Please review the Changelog ..." to
"Please review $sid_changelog ..., if $sid_changelog is defined.
Please review the patch; I replaced some words like 'thusly' which cannot be
found in any dictionary (I'm no native English speaker).
Original issue reported on code.google.com by [email protected]
on 26 Sep 2010 at 5:07
Attachments:
First off, thanks so much for this great script!
What steps will reproduce the problem?
1. Install a squid proxy server that requires authentication
2. On a CentOS 5.5 server, ensure you have required perl modules
3. http_proxy=http://user:[email protected]:port
4. https_proxy=http://user:[email protected]:port
5. Run pulledpork.pl with double verbose output.
What is the expected output? What do you see instead?
I expect to have the rules downloaded and the getstore() function to return a
200 response code. Instead, the rules fail to download and I get a 503
response.
What version of the product are you using? On what operating system?
Snort Server
-------------
CentOS 5.5
pulledpork-0.4.2
perl-Crypt-SSLeay-0.51-11.el5
perl-libwww-perl-5.805-1.1.1
perl-Archive-Tar-1.39.1-1.el5_5.1
Proxy Server
-------------
squid-3.0.24
Please provide any additional information below.
I'm pretty sure it's the LWP::Simple->getstore() function not behaving
correctly with proxies and redirects. Using wget to download the rules, does
not have the same problem. Comparing the squid logs of wget and getstore().
1) wget
TCP_MISS/302 981 GET http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/oinkcode
TCP_MISS/200 20453072 CONNECT s3.amazonaws.com:443
2) getstore()
TCP_MISS/302 981 GET http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/oinkcode
GET https://s3.amazonaws.com/snort.org/rules/20100915/snortrules-snapshot-2860.tar.gz?...
The difference is that wget uses the CONNECT method to tunnel the SSL request
through the proxy (after the redirect). getstore(), on the other hand, tries
another GET request, which will always fail since we're being redirected to a site
that uses SSL.
Without using a proxy, pulledpork and getstore() work correctly as expected
(since CONNECT is not required).
For the time being, I'll be modifying my pulledpork.pl to use wget instead of
getstore. Thought I'd mention this issue so you were aware.
Again, thanks for this great script!
James
Original issue reported on code.google.com by [email protected]
on 20 Oct 2010 at 9:26
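The squid log lines in the post above show the whole difference: an http:// URL is fetched from a proxy with an absolute-URI GET, while an https:// redirect target has to be reached through a CONNECT tunnel, after which TLS runs end to end inside it. (LWP's "Error 500" in the earlier report is its own code for a transport failure, not a response from the server.) The following is an added example, not pulledpork or LWP code: it parses an http_proxy-style URL, credentials included, and builds the exact request bytes a client must send to the proxy for either kind of target. The proxy name, port, credentials and the 3128 default port are constructed assumptions. It also makes one caveat explicit: a password embedded in http_proxy is visible to anything that can read the process environment, so the code uses it for the Proxy-Authorization header and never prints it.

```python
"""Added example, not pulledpork or LWP code: what a client has to send
to an HTTP proxy for an http:// target (absolute-URI GET) versus an
https:// target (CONNECT tunnel, then TLS inside it).  Proxy host, port
and credentials are constructed."""
import base64
from urllib.parse import urlsplit


def parse_proxy_url(proxy_url):
    """Pull host, port and optional credentials out of an http_proxy-style
    URL.  The password is returned for the Proxy-Authorization header
    only; do not log it (it is already exposed to anything that can read
    this process's environment)."""
    u = urlsplit(proxy_url)
    if u.scheme != 'http' or not u.hostname:
        raise ValueError('expected http://[user:pass@]host[:port]')
    return {'host': u.hostname,
            'port': u.port or 3128,          # 3128 assumed as the default
            'user': u.username,
            'password': u.password or ''}


def proxy_auth_header(proxy):
    """Proxy-Authorization: Basic header, or None without credentials."""
    if not proxy['user']:
        return None
    raw = f"{proxy['user']}:{proxy['password']}".encode()
    return 'Proxy-Authorization: Basic ' + base64.b64encode(raw).decode()


def build_proxy_request(target_url, proxy):
    """The first request to send on the TCP connection to proxy['host']:
    proxy['port'].  For https:// the proxy must answer 200 to the CONNECT
    before the client starts TLS with the origin; sending the https:// URL
    as a plain GET instead asks the proxy to fetch it itself, which is the
    request that got the 503 in the report above."""
    u = urlsplit(target_url)
    if u.scheme == 'http':
        lines = [f'GET {target_url} HTTP/1.1', f'Host: {u.netloc}']
    elif u.scheme == 'https':
        port = u.port or 443
        lines = [f'CONNECT {u.hostname}:{port} HTTP/1.1',
                 f'Host: {u.hostname}:{port}']
    else:
        raise ValueError(f'unsupported scheme in {target_url!r}')
    auth = proxy_auth_header(proxy)
    if auth:
        lines.append(auth)
    return '\r\n'.join(lines) + '\r\n\r\n'


if __name__ == '__main__':
    proxy = parse_proxy_url('http://user:secret@proxy.example:9090')
    print(build_proxy_request(
        'https://s3.amazonaws.com/snort.org/rules/x.tar.gz', proxy))
```

The client then reads the proxy's status line; only on "200" does it wrap the same socket in TLS for the origin host and send a normal relative GET inside the tunnel.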
What steps will reproduce the problem?
1. Set base_url=http://rules.emergingthreats.net/open/snort-2.8.6
2. Run pulledpork.pl with previous ET config
What is the expected output? What do you see instead?
The files are all in the correct area, except for the MD5 sums. An erroneous
regex check is made to see if ET is being used.
What version of the product are you using? On what operating system?
0.4.2, CentOS 5.
Please provide any additional information below.
This patch will fix and allow for backward compatibility:
@315
+elsif ($base_url =~ /emergingthreats.net/i){
+ $getrules_md5 =
getstore($base_url."/".$rule_file.".md5",$temp_path.$rule_file.".md5");
+}
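Review bot: the branch condition "$base_url =~ /emergingthreats.net/i" is an unanchored substring test with an unescaped dot, so it is true for any base_url that contains those characters anywhere in the URL (path included, and "." matches any character), not only for a rules host under emergingthreats.net; since this branch picks where the .md5 used for the integrity comparison is fetched from, anchor the check to the host component and escape the dot, e.g. $base_url =~ m{^https?://[^/]*emergingthreats\.net(?:[:/]|$)}i. The local path "$temp_path.$rule_file" also omits the "/" that "$base_url."/".$rule_file" adds, so the branch only works when temp_path is configured with a trailing slash.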
Original issue reported on code.google.com by [email protected]
on 12 Oct 2010 at 7:11
This isn't a bug, just an FYI. I'm working on a package/ebuild for pulledpork
for the Gentoo Linux distro. I thought I would mention that when the
tarball name does not match the app's version it can cause grief for package
maintainers, especially for source-based distros like Gentoo.
ex.
pulledpork20091013.tar.gz <-> pulledpork v0.2.5
This makes life easier for us...
pulledpork-0.2.5.tar.gz <-> pulledpork v0.2.5
You probably don't care but I thought I'd throw it out there anyway...
Original issue reported on code.google.com by [email protected]
on 18 Nov 2009 at 2:31
I'd like to see the ability to specify the location of the disablesid and
enablesid conf files in the main conf file.
Original issue reported on code.google.com by [email protected]
on 12 Apr 2010 at 2:13
What steps will reproduce the problem?
1. try and run the program
2.
3.
What is the expected output? What do you see instead?
That it should update; instead, it only exits displaying the help screen,
never actually updating the rules.
Switching on -vv shows nothing.
What version of the product are you using? On what operating system?
0.2.5, CentOS 5.3
Please provide any additional information below.
# pulledpork.pl -c /etc/pulledpork.conf -i /etc/disablesid.conf -vv
http://code.google.com/p/pulledpork/
_____ ____
`----,\ )
`--==\\ / Pulled_Pork v0.2.5
`--==\\/
.-~~~~-.Y|\\_ Copyright (C) 2009 JJ Cummings
@_/ / 66\_ [email protected]
| \ \ _(")
\ /-| ||'--' Rules give me wings!
\_\ \_\\
Command Line Variable Debug:
Config Path is: /etc/pulledpork.conf
Path to disablesid file: /etc/disablesid.conf
Verbose Flag is Set
Extra Verbose Flag is Set
Config File Variable Debug /etc/pulledpork.conf
sostub_path = /etc/snort/so_rules/
snort_path = /usr/sbin/snort
distro = CentOS-5.0
temp_path = /tmp
oinkcode = 2a299610b20fe30c8343bbc333444981eb336aaa
sorule_path = /usr/local/lib/snort_dynamicrule/
rule_path = /etc/snort/rules/
snort = 2.8.5
rule_file = snortrules-snapshot-2.8.tar.gz
tar_path = /bin/tar
config_path = /etc/snort/snort.conf
Usage: /usr/local/bin/pulledpork.pl [-lvvVdnHTn? -help] -c -o
-O -s <so_rule output directory> -D -S
-p -C -t
Options:
-c Where the pulledpork config file lives.
-i Where the disablesid config file lives.
-o Where do you want me to put generic rules files?
-f What snort rules tarball do you want to fetch
(i.e. snortrules-snapshot-2.8_s.tar.gz)
-u Where do you want me to pull the rules tarball from
(ET, Snort.org, see pulledpork config base_url option for value ideas)
-O What is your Oinkcode?
-T Process text based rules files only, i.e. DO NOT process so_rules
-m where do you want me to put the sid-msg.map file?
-s Where do you want me to put the so_rules?
-S Specify your Snort version
Valid options for this value 2.8.0.1,2.8.0.2,2.8.1,2.8.2,2.8.2.1,2.8.2.2,
2.8.3,2.8.3.1,2.8.3.2,2.8.4,2.8.4.1,2.8.5
-C Path to your snort.conf
-p Path to your Snort binary
-P Path to your tar binary
-t Where do you want me to put the so_rule stub files? ** Thus MUST be
uniquely
different from the -o option value
-D What Distro are you running on, for the so_rules
Valid Distro
Types=CentOS-4.6,CentOS-5.0,Debian-Lenny,FC-5,FC-9,FreeBSD-7.0,
RHEL-5.0,Ubuntu-6.01.1,Ubuntu-8.04
-l Log information to logger rather than stdout messages. not yet
implemented
-v Verbose mode, you know.. for troubleshooting and such nonsense.
-vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and
other such nonsense.
-d Do not verify signature of rules tarball, i.e. downloading fron non
VRT or ET locations.
-H Send a SIGHUP to the pids listed in the config file
-n Do everything other than download of new files (disablesid, etc)
-V Print Version and exit
-help/? Print this help info.
Original issue reported on code.google.com by `[email protected]` on 15 Oct 2009 at 8:13
JJ,
I was manually checking on my updates, so I went and ran the new version of
pulledpork and noticed I was getting the following:
"Fetching md5sum for comparing from:
http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2.8.tar.gz.md5
Error 500 when fetching
http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2.8.tar.gz.md5
at /root/pulledpork/pulledpork.pl line 262."
In order to troubleshoot, I cracked open the pulledpork.conf file and
appended my oinkcode to the end of 'base_url' and saved and re-ran the
script... this time it worked. It seems as though the url composition in
the code is leaving out the base-url variable and trailing (or leading) /.
...I took a look at the source and in the rulefetch subroutine, I see the
logic for this is there, so it seems like the sanity check (if/then) that
looks for the existence of snort.org in the base_url is getting botched up
(perhaps a wild accusation). I would have stepped through this with a
debugger to verify, but I didn't want you to feel like I was doing your job ;-)
Oh, and this is on Debian.
Original issue reported on code.google.com by [email protected]
on 3 Nov 2009 at 9:42
What steps will reproduce the problem?
1. Run pulledpork to update the rules
What is the expected output? What do you see instead?
I expect the running snort process to keep on running, instead it segfaults
I run pulledpork to update the so_rules, so it then starts a separate snort
process to generate the rules, at this point, my in-line snort process dies
and traffic comes to a halt, this is undesirable.
Are there any solutions or workarounds?
Original issue reported on code.google.com by [email protected]
on 18 Aug 2009 at 6:56
I've struck another issue (again because I am not doing the rule processing on
the real sensor). This again involves the running of snort. My current problem
is that the box that I am running pp on is i386 but the sensors are amd64.
One option is that we throw up a new VM with the appropriate version of RHE and
move everything over, we may well do this since we need a platform to build
snort packages anyway.
But one thing occurs to me -- we don't need to generate the stub rules as they
are already in the rule tarball so why does pp not use these? (as I have been
doing up to now).
Am I missing something?
looking at the code it seems to me that I could modify extract_rules very
easily to pull out the so_rules if the appropriate config var was set and that
we only run snort if we really have to.
I would add config vars sensor_arch and get_so_tarball ...
This would also mean that I would not need to pass extra parameters into snort
since I would not have to run snort.
Original issue reported on code.google.com by [email protected]
on 14 Oct 2010 at 12:29
What steps will reproduce the problem?
1.run pp with -nodownload and ask for so_rules
2.
3.
What is the expected output? What do you see instead?
snort does not run
What version of the product are you using? On what operating system?
latest from svn
I fixed this by moving the block that calls "gen_stubs" out of the
!$nodownloads block and after the $nodownloads block.
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 13 Oct 2010 at 10:39
What steps will reproduce the problem?
1. Use CentOS instead of Centos in the pulledpork.conf
2. Notice the .so files are not being installed
What version of the product are you using? On what operating system?
0.4.1
Please provide any additional information below.
pulledpork.conf says to use CentOS for all of the CentOS flavors, but the
rules tarballs are using Centos for some of the directories. This is just a
quick documentation fix.
Original issue reported on code.google.com by [email protected]
on 5 May 2010 at 1:28
Attachments:
An issue has been discovered that caused some systems to not properly check
the MD5 value of the latest tarball against the currently running ruleset.
This issue has been corrected in the current version checked into SVN
JJC
Original issue reported on code.google.com by [email protected]
on 19 Nov 2009 at 2:37
What steps will reproduce the problem?
1. Download the file since the snort.org update yesterday
2. The md5 file contents have changed
3.
What is the expected output? What do you see instead?
The md5 should match and a download should not occur if they match
Instead the contents don't contain just the absolute hash from the md5...
thus a download loop occurs
Original issue reported on code.google.com by [email protected]
on 29 May 2009 at 6:01
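A comparison that does not loop when the sidecar format changes, as an added example that is not pulledpork's code: it accepts either the bare digest or md5sum's "<digest>  <filename>" line (and the BSD "MD5 (file) = ..." form), compares case-insensitively, and treats a missing or unparsable digest as "download". The tarball bytes and filename in the usage are constructed. One caveat for anyone relying on this check: an MD5 served over the same unauthenticated HTTP channel as the tarball tells you the file changed, not that it is the file snort.org published; that needs a signature or a pinned TLS connection.

```python
"""Added example, not pulledpork's own code: read the .md5 sidecar in
either form seen from snort.org (the bare digest, or md5sum's
'<digest>  <filename>') and decide whether the tarball on disk is stale."""
import hashlib
import re

MD5_HEX = re.compile(r'\b([0-9a-fA-F]{32})\b')


def parse_md5_file(text):
    """The 32-hex digest inside the sidecar, lower-cased, or None.
    Filename, whitespace, trailing newline or a 'MD5 (file) = ...'
    wrapper are ignored rather than compared byte for byte."""
    m = MD5_HEX.search(text)
    return m.group(1).lower() if m else None


def md5_hex(data):
    """Hex MD5 of the tarball bytes already on disk."""
    return hashlib.md5(data).hexdigest()


def needs_download(sidecar_text, local_tarball):
    """True when the remote digest is missing or unparsable, when there is
    no local copy, or when the digests differ.  Equal digests mean the
    upstream file has not changed; because the sidecar travels over the
    same unauthenticated channel as the tarball, they do not prove the
    file is genuine."""
    remote = parse_md5_file(sidecar_text)
    if remote is None or local_tarball is None:
        return True
    return remote != md5_hex(local_tarball)


if __name__ == '__main__':
    tarball = b'constructed tarball bytes'          # stands in for the file on disk
    sidecar = md5_hex(tarball) + '  snortrules-snapshot-2860.tar.gz\n'
    print(needs_download(sidecar, tarball))        # False: unchanged, no download
```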
What steps will reproduce the problem?
1. If a rule has whitespace in between sid: and the number, it cannot be
disabled with disablesid.conf
ex. rule 2001564 emerging-malware.rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001564; rev:6;)
What is the expected output? What do you see instead?
it will not get disabled..
What version of the product are you using? On what operating system?
v03.4, osx 10.5.8
Please provide any additional information below.
I corrected this situation by modifying the line
    if (($txtsid ne "") && ($rule_line=~/sid:$txtsid;/i)) {
in the disablesid part of the script to
    if (($txtsid ne "") && ($rule_line=~/sid:\s*$txtsid;/i)) {
Original issue reported on code.google.com by [email protected]
on 5 Mar 2010 at 10:20
I've just spent an hour tearing my hair out :)
I made a typo in the file name for the disabled sid file and then could not
figure out why the file was apparently being ignored -- which it was, for good
reason.
A simple warning if a file is specified but not present would be nice!
Original issue reported on code.google.com by [email protected]
on 3 Nov 2010 at 10:47
What steps will reproduce the problem?
1. Include a rules_url entry that pulls ET (emergingthreats) rules
2.
3.
What is the expected output? What do you see instead?
Expected that the SO rules file will be refreshed - it isn't
What version of the product are you using? On what operating system?
0.5.0 on Centos5.5
Please provide any additional information below.
Running without an ET rules_url entry updates the SO rules file as expected.
Original issue reported on code.google.com by [email protected]
on 26 Oct 2010 at 7:10
The current version of PP does not support disabling/enabling gid's other
than 1 and 3 in disablesid.conf and enablesid.conf. Need to at least add
gid 138 due to the new sensitive data rules.
Original issue reported on code.google.com by [email protected]
on 13 May 2010 at 4:51
For those of us that write our own rules and place them in the local.rules
file, it would be nice if pulledpork would ignore the local.rules file.
Original issue reported on code.google.com by [email protected]
on 2 Oct 2009 at 10:14
It would be nice if pulledpork could change rule actions:
- have a default rule action, eg: alert, drop etc.
- change only specific rule actions, eg: sid:882 to drop
Original issue reported on code.google.com by [email protected]
on 13 Aug 2009 at 7:26
What steps will reproduce the problem?
1. Run pulledpork with -nTH -vv
2.
3.
What is the expected output? What do you see instead?
Output indicates -H option should be run with -T. -T option does not appear to
be read.
What version of the product are you using? On what operating system?
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 8 Nov 2010 at 4:20
Hi,
first thanks for writing this great tool ;)
Since pulledpork has emergingthreats.net rules as a second option it would
be nice to have an option to include/exclude rules which trigger fwsam alerts.
Right now I try to do it this way (works for me)
disablesid.conf:
1:2000000-1:2404998
enablesid.conf
fwsam
Note I have to use 1:2404998 instead of 2404999 since it seems with ranges
there is an off-by-one difference.
Original issue reported on code.google.com by [email protected]
on 2 May 2010 at 12:17
Feature request to sort the sids in the sid-msg.map file numerically.
Original issue reported on code.google.com by [email protected]
on 27 Jul 2009 at 9:40
ET ruleset SID 2007929 msg field has a backslash in it. when pulledpork makes
the sid-msg.map it does not include any text following the backslash.
Tested on the newest svn version of pulledpork (r154).
Original issue reported on code.google.com by [email protected]
on 11 Oct 2010 at 9:34
I am using a version from SVN prior to 0.5.0 -- will retest as soon as I move to
0.5.0
What steps will reproduce the problem?
1. run pulledpork with so_rules and *no* existing snort rule file (to be
generated by pp run).
2. get error from snort about missing rule file
3.run PP again now that rule file has been created and all is well
What is the expected output? What do you see instead?
So stub rules should be generated after the rule files. This means that the
rule stub files are based on the *previous* run of oinkmaster
What version of the product are you using? On what operating system?
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 3 Nov 2010 at 9:50
When configuring pulledpork to generate the dynamic rules from the shared
objects, it first copies the shared objects to the directory specified, but
includes the directories ('.' and '..') in the copy:
ERROR! DOES NOT EXIST:/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/.
Copying /tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/chat.so to /usr/local/lib/snort_dynamicrule/chat.so
Copying /tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/imap.so to /usr/local/lib/snort_dynamicrule/imap.so
ERROR! DOES NOT EXIST:/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/..
Generating shared object stubs via:/usr/sbin/snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules/
Original issue reported on code.google.com by [email protected]
on 13 Aug 2009 at 8:01
I use less than half the rule files from VRT and ET tarballs -- it is much
easier for me to specify what I want than what I don't want. It also means
that when new rule files appear I get to choose whether to use them or not :)
I have coded this, if you are interested in the patch.
Original issue reported on code.google.com by [email protected]
on 20 Oct 2010 at 9:01
"Please review the Changelog for additional detais Fly Piggy Fly!"
should be changed to:
"Please review the Changelog for additional details. Fly Piggy Fly!"
Original issue reported on code.google.com by [email protected]
on 28 Apr 2010 at 12:30
What steps will reproduce the problem?
1. A line in modifysid.conf like:
1:469 "(.*msg:\s*\")(.*)" "${1}BLOCK: ${2}"
performs literal instead of regex substitution.
2.
3.
What is the expected output? What do you see instead?
It would be great if regex constructs could be used to insert the word BLOCK:
at the beginning of the msg: stanza in the rule.
What version of the product are you using? On what operating system?
0.5.0 on Centos-5-5
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 27 Oct 2010 at 10:08
Maybe a better explanation for dropsid.conf
Original issue reported on code.google.com by [email protected]
on 2 May 2010 at 12:22
Attachments:
Non-comment lines other than disablesid, enablesid or modifysid go into pp.conf.
I've used this successfully on a couple of large oinkmaster.conf files
as always ymmv.
usage: perl oink-conv oinkmaster.conf
#! /usr/bin/perl -w
# simple script to convert oinkmaster conf files to the files that PulledPork
# understands...
use strict;

open( DIS, ">disabled.conf" ) || die "failed to open disabled file";
open( EN,  ">enabled.conf" )  || die "failed to open enabled file";
open( MOD, ">modified.conf" ) || die "failed to open modified file";
open( PP,  ">pp.conf" )       || die "failed to open pp.conf file";

while (<>) {
    chomp;
    s/^\s+//;
    next if /^#/;
    next if /^$/;
    # strip a trailing comment and keep its text; set $comment only when the
    # substitution matched, otherwise $1 still holds the previous line's comment
    my $comment = '';
    $comment = $1 if s/\s*(#.*)$//;
    s/\s+$//;
    if ( s/^disablesid\s+//i ) {    # disablesid 184, 221, 230, 241, 251, 253, 254, 257
        print DIS "1:", join( ", 1:", split( /\s*,\s*/, $_ ) ), " # $comment\n";
    }
    elsif ( s/^modifysid\s+//i ) {  # modifysid 2001855 "type limit, count 1, seconds 360" | "type both, count 4, seconds 600"
        my @sids;
        while ( s/^(\d+)// ) {      # collect the comma separated sid list in front of the text
            push( @sids, $1 );
            s/^\s*,\s*//;
        }
        print MOD "1:", join( ", 1:", @sids ), " $_ # $comment\n";
    }
    elsif ( s/^enablesid\s+//i ) {
        print EN "1:", join( ", 1:", split( /\s*,\s*/, $_ ) ), " # $comment\n";
    }
    else {
        print PP "$_\n";
    }
}
close(DIS); close(EN); close(MOD); close(PP);
Original issue reported on code.google.com by [email protected]
on 20 Oct 2010 at 10:59
Related to issue 35:
I've included a patch against 0.5.0 to include two new configuration options:
1/ include <list of rule files> (works just like the ignore option)
2/ Etc_path <path> (copy the contents of the etc directory here)
1/ provides a straightforward way of mimicking the inclusion of a list of
rule files in snort.conf. This ability disappeared when PP put all rules into
a single file.
The problem as I see it is that rule categories are not equivalent to the
original rule files, as some rules are shipped in the files already disabled.
Original issue reported on code.google.com by [email protected]
on 4 Nov 2010 at 3:23
Attachments:
What steps will reproduce the problem?
1. Not sure
2.
3.
What is the expected output? What do you see instead?
I am getting "can't exec "/etc/tmp" Permission denied at ./pl line 161"
What version of the product are you using? On what operating system?
Pulled_Pork v0.2.2 on Linux Centos 5.1
Please provide any additional information below.
It seems to be a permission issue. But the user I am running pulledpork.pl
as has all the permission to /etc/tmp.
Original issue reported on code.google.com by [email protected]
on 20 Aug 2009 at 10:09
Not sure if anyone reported this to you or not, but I seem to have a problem
with PulledPork v0.4.2 when it builds the sid-msg.map file from the emerging
threats rules. Some of the rules/sid pairs are not matching what they should
be, somehow using some of the text of the previous rule.
I've attached my sid-msg.map for you to take a look at. sid:2008489 is an
example, and it seems to happen with the Suspicious User Agents rules often.
I've never seen it happen with any VRT rules.
The line from the sid-msg.map:
2008489 || ET TROJAN Win32/Antivirus2008 || url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious || url,doc.emergingthreats.net/bin/view/Main/2008489
Grepping my rules files for "sid:2008489" shows me:
emerging.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (dwplayer)"; flow:established,to_server; content:"|0d 0a|User-Agent\: dwplayer"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/USER_AGENTS/USER_AGENTS_Suspicious; sid:2008489; rev:4;)
Original issue reported on code.google.com by [email protected]
on 27 Sep 2010 at 3:49
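Both sid-msg.map reports above (the backslash that truncates a msg, and an entry carrying another rule's text and references) are what you get when the map is built with a regex that runs across rule boundaries instead of from each rule's own option list. The following is an added example, not pulledpork's code: it tokenises the option body of each rule on unescaped, unquoted semicolons, so a backslash inside msg: stays part of the message and only that rule's reference: options are attached to its sid; the output is sorted numerically, which the earlier sorting request asked for. The first sample rule mirrors the ET rule quoted above; the second, with a backslash in its msg and an escaped semicolon, and its reference URL are constructed. Only enabled rules are mapped; commented-out rules are skipped.

```python
"""Added example, not pulledpork's own code: build sid-msg.map lines by
tokenising each rule's own option body, so a backslash in msg: is kept
and a neighbouring rule's references can never be attached to the wrong
sid.  The rules below are constructed; the first mirrors the ET rule
quoted in the report above."""
import re

ACTION_RE = re.compile(r'^(alert|log|pass|drop|sdrop|reject|activate|dynamic)\s')


def split_options(body):
    """'k:v; k:v;' -> [(k, v), ...].  A ';' inside double quotes or after
    a backslash belongs to the value; the escapes themselves are kept as
    the rule wrote them."""
    opts, cur, quoted, escaped = [], [], False, False

    def flush():
        tok = ''.join(cur).strip()
        if tok:
            key, _, val = tok.partition(':')
            opts.append((key.strip(), val.strip()))
        cur.clear()

    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ';' and not quoted:
            flush()
        else:
            cur.append(ch)
    flush()
    return opts


def rule_options(line):
    """Option pairs of an enabled rule line, else None."""
    line = line.strip()
    if not ACTION_RE.match(line):
        return None
    start, end = line.find('('), line.rfind(')')
    if start < 0 or end <= start:
        return None
    return split_options(line[start + 1:end])


def sid_msg_entry(line):
    """(sid, msg, [references]) for one rule, or None."""
    opts = rule_options(line)
    if opts is None:
        return None
    single = {k: v for k, v in opts if k != 'reference'}
    if 'sid' not in single or 'msg' not in single:
        return None
    msg = single['msg']
    if len(msg) >= 2 and msg[0] == msg[-1] == '"':
        msg = msg[1:-1]
    refs = [v for k, v in opts if k == 'reference']
    return int(single['sid']), msg, refs


def build_sid_msg_map(lines):
    """sid-msg.map lines ('sid || msg || ref || ref'), sorted numerically
    by sid as requested in the sorting issue above."""
    entries = [e for e in map(sid_msg_entry, lines) if e is not None]
    entries.sort(key=lambda e: e[0])
    return [' || '.join([str(sid), msg] + refs) for sid, msg, refs in entries]


SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS '
    'Suspicious User-Agent (dwplayer)"; flow:established,to_server; '
    'content:"|0d 0a|User-Agent\\: dwplayer"; classtype:trojan-activity; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2008489; '
    'sid:2008489; rev:4;)',
    # constructed: a backslash in msg and an escaped ';' in content
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN '
    'Win32\\\\Antivirus2008 Checkin"; content:"a\\;b"; '
    'reference:url,doc.emergingthreats.net/bin/view/Main/2007929; '
    'sid:2007929; rev:1;)',
    '# SIMILAR RULES: sid:1125',
]

if __name__ == "__main__":
    print('\n'.join(build_sid_msg_map(SAMPLE_RULES)))
```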
What steps will reproduce the problem?
1. Use of "pcre:" and other syntax in modifysid.conf is ignored
2.
3.
What is the expected output? What do you see instead?
It would be great if modifysid had the same rule matching options as the
enablesid, disablesid and dropsid.
What version of the product are you using? On what operating system?
0.5.0 on Centos-5-5
Please provide any additional information below.
Original issue reported on code.google.com by [email protected]
on 27 Oct 2010 at 10:04
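The two modifysid requests above (regex substitution with group references, and the same rule selectors that enablesid/disablesid/dropsid accept) are served by one added example that is not pulledpork's code. It reads modifysid-style lines, translates ${1}-style references into Python's form, selects rules either by GID:SID or by a pcre: regex over the whole rule line, and applies the substitution in file order. The first entry is the one from the report; the rules, the sid 1000002 and the second entry (turning policy-violation rules into drop rules, which is also what a dropsid-style action change amounts to) are constructed. Selectors must contain no whitespace, and a malformed entry raises instead of being silently skipped.

```python
"""Added example, not pulledpork's own code: modifysid.conf entries as
regex substitutions with ${n} group references, selecting rules by
GID:SID or by a pcre: regex over the whole rule.  The rules and the
second entry are constructed; selectors must contain no whitespace."""
import re

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
# <selector> "<pattern>" "<replacement>"; both strings may contain \"
ENTRY_RE = re.compile(
    r'^(?P<sel>\S+)\s+"(?P<pat>(?:[^"\\]|\\.)*)"\s+"(?P<rep>(?:[^"\\]|\\.)*)"\s*$'
)


def parse_modifysid(text):
    """[(selector, pattern, replacement)] from modifysid.conf text;
    blank lines and '#' comment lines are skipped, a malformed entry
    raises rather than being silently ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed modifysid entry: {raw!r}")
        entries.append((m.group('sel'), m.group('pat'), m.group('rep')))
    return entries


def selector_matches(selector, line):
    """'gid:sid' selects one rule (a rule without gid: is gid 1);
    'pcre:<regex>' selects every rule the regex matches."""
    if selector.startswith('pcre:'):
        return re.search(selector[len('pcre:'):], line) is not None
    gid, _, sid = selector.partition(':')
    g, s = GID_RE.search(line), SID_RE.search(line)
    if s is None:
        return False
    return s.group(1) == sid and (g.group(1) if g else '1') == gid


def to_python_replacement(rep):
    """Translate ${1} and $1 references to Python's \\g<1>."""
    return re.sub(r'\$\{?(\d+)\}?', r'\\g<\1>', rep)


def apply_modifysid(lines, entries):
    """Apply every matching entry, in file order, to each rule line."""
    out = []
    for line in lines:
        for sel, pat, rep in entries:
            if selector_matches(sel, line):
                line = re.sub(pat, to_python_replacement(rep), line, count=1)
        out.append(line)
    return out


SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE one"; '
    'flow:to_server,established; sid:469; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE two"; '
    'classtype:policy-violation; sid:1000002; rev:1;)',
]

SAMPLE_MODIFYSID = r'''
# the entry from the report: prefix the msg of 1:469 with "BLOCK: "
1:469 "(.*msg:\s*\")(.*)" "${1}BLOCK: ${2}"
# constructed: turn every policy-violation rule into a drop rule
pcre:classtype:policy-violation "^alert" "drop"
'''

if __name__ == '__main__':
    for line in apply_modifysid(SAMPLE_RULES, parse_modifysid(SAMPLE_MODIFYSID)):
        print(line)
```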
When the -I tag is used in order to specify which policy pulled pork should run
(security/connectivity, etc) local.rules is modified. This should not happen.
Fix it.
Original issue reported on code.google.com by [email protected]
on 10 Mar 2010 at 8:07
This is an enhancement request -- can't figure out how to tag it as such...
I have several different sensor configurations each with multiple sensors. I
manage these all from a central box.
Current set up with oinkmaster is that I have a script that checks MD5s of all
the tarballs and downloads any that have changed -- I then unpack the tarballs.
I then run oinkmaster for each set of sensors and generate the rule sets and
push them out to the sensors and restart them.
I also use both VRT and ET rules so I need multiple feeds (but I see Mike L has
prompted you on that one :)
So what I want is an equivalent of the oinkmaster "directory" configuration
option. Otherwise we end up pulling the VRT rules 3 times and getting 503 and
it will take all night :)
Thanks, Russell
Original issue reported on code.google.com by [email protected]
on 20 Jul 2010 at 8:30
BASE provides links for [rule] and [local] that allow you to view the rule
definition itself and the signature documentation (12634.txt for instance).
I'd like to see an option in PP to have it copy those files to a directory
(specified in the conf file) after unpacking the rules tarball.
Original issue reported on code.google.com by [email protected]
on 21 Oct 2010 at 5:36
This was one of my contributions to oinkmaster :)
In our environment I end up modifying either source or dest addresses to reduce
FPs as an alternative to disabling the rule outright. I also have added
flowbit:noalert to a bunch of rules and tweaked the thresholds on others.
I currently have about 50 modify rules...
Original issue reported on code.google.com by [email protected]
on 20 Jul 2010 at 8:36
What steps will reproduce the problem?
1. Attempt to configure pulled-pork to download from more than one ruleset, for
example both VRT and Emerging Threats.
What is the expected output? What do you see instead?
Expect to find the ability to configure multiple base-urls, or some other way
of configuring multiple rule sources. Instead, no such options are
available.
What version of the product are you using? On what operating system?
0.4.2, RHEL5.
Please provide any additional information below.
VRT + supplemental ET rules is not an uncommon configuration. It's
straightforward to configure in oinkmaster, but currently requires quite a bit
of hoop-jumping involving multiple pulled-pork configs working in concert.
Original issue reported on code.google.com by [email protected]
on 30 Jun 2010 at 3:12
I might be missing something, but after reading the doc's and the -h I can
not seem to find a way to actually enable a rule that is disabled by
default. If you enable a rule that is disabled by default it gets clobbered
the next time pulledpork is run.
I would like to see two options here:
-e <path to enablesid.conf>
This would support users that just need to enable a handful of rules.
-E
This would act similar to the oinkmaster functionality to enable all rules.
Some of us prefer to enable all rules and then disable those that we have
identified as not pertinent to our environments. This actually ties into a
separate issue I'll open in a few minutes.
The order would be important here. If you use -I then -e would need to
occur after -I. This would also mean that -I and -E should not be run
together. A sanity check to ensure the same GID:SID is not in both -i and
-e might be in order or at the very least clearly document which one takes
precedence.
Original issue reported on code.google.com by [email protected]
on 28 Jan 2010 at 3:44
Hi JJ
Finally got back to PP and I am now converting all my stuff from oinkmaster to
pp in earnest. Thanks for the nodownload - works nicely once I moved the call
to gen_stubs.
The other thing that I have come up against is that I am running PP in a
different environment to what snort will run on the sensor, so the paths in the
snort.conf file are wrong. This can be easily fixed by passing a base path to
snort with -s BASE=.....
So what I would like is to have a new var in the pp.conf
snort-var='BASE=.....'
Russell
Original issue reported on code.google.com by [email protected]
on 13 Oct 2010 at 10:56
Most of the time the default order of enable first then disable works fine,
however sometimes I would like to deploy a specific set of rules on a sensor.
Currently it is difficult to disable everything and then enable a handful of
rules. Adding an option that lets the user define the order of operation would
be much appreciated.
Original issue reported on code.google.com by [email protected]
on 8 Nov 2010 at 3:29
Add functionality to generate sid-msg.map for all active rules?
Original issue reported on code.google.com by [email protected]
on 9 Jun 2009 at 2:11
Need to add an option that allows for the automatic creation of archive(backup)
tarballs of the current ruleset when updating
Original issue reported on code.google.com by [email protected]
on 10 Nov 2010 at 4:54
What version of the product are you using? On what operating system?
pulledpork-0.5.0 on CentOS 5.5
Please provide any additional information below.
Follow up on issue #36...
Tested the new pp with proxy and it wasn't working. Requests were not being
sent through proxy and received the following output...
MY HTTPS PROXY = http://user:[email protected]:9090
Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
Fetching md5sum for: snortrules-snapshot-2861.tar.gz.md5
Error 500 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2861.tar.gz.md5 at /export/scripts/pulledpork.pl line 390
main::md5file('oinkcode', 'snortrules-snapshot-2861.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at /export/scripts/pulledpork.pl line 1386
Please see below for code that is working for me.
# set some UserAgent and other connection configs
use LWP::UserAgent;                 # added: this is a fragment of pulledpork.pl
my $ua = LWP::UserAgent->new;       # added: in pulledpork.pl $ua already exists
$ua->agent("$VERSION");             # $VERSION is pulledpork's version string
# Note, this doesn't work on CentOS 5.5 (outdated LWP::UserAgent)
#$ua->show_progress(1) if $Verbose;
# New Settings to allow proxy connections to use proper SSL formatting - Thx
# pkthound!
$ua->timeout(15);
$ua->cookie_jar( {} );
$ua->protocols_allowed( [ 'http', 'https' ] );
my $proxy = $ENV{http_proxy};
if ($proxy) {
    $ua->proxy( ['http'], $proxy );
    # Check if credentials are in proxy url; Crypt::SSLeay reads the https
    # proxy and its credentials from these three environment variables
    if ( $proxy =~ /^http:\/\/(.+):(.+)@(.+)$/i ) {
        my $user  = $1;
        my $pass  = $2;
        my $proxy = $3;
        $ENV{HTTPS_PROXY}          = "http://" . $proxy;
        $ENV{HTTPS_PROXY_USERNAME} = $user;
        $ENV{HTTPS_PROXY_PASSWORD} = $pass;
        # keep these commented out: they would print the proxy password
        #print "Proxy: $proxy\n";
        #print "User: $user\n";
        #print "Pass: $pass\n";
    }
    else {
        $ENV{HTTPS_PROXY} = $proxy;
    }
}
Thanks
James
Original issue reported on code.google.com by [email protected]
on 25 Oct 2010 at 6:53
Summary says it all
happy to submit patch :)
Original issue reported on code.google.com by [email protected]
on 27 Oct 2010 at 2:05
Need to add OpenSUSE-11-3 to the list of precompiled SO rules
Original issue reported on code.google.com by [email protected]
on 27 Oct 2010 at 8:10