snort-users May 2011 archive

Re: [Snort-users] Pulled Pork and SO_rules

From: beenph <beenph_at_nospam>
Date: Wed May 18 2011 - 13:55:20 GMT
To: Dheeraj Gupta <dheeraj.gupta4@gmail.com>

[gid:sid:revision]

[3:16413:0]

So_rule alert, and as in your previous e-mail, it's only because the
definition for the rule is not in
gen-id.msg (should be there), because if it had been a
signature the alert would look like
[1:16413:0]

I'm sure JJC can help you more on this though.

On Wed, May 18, 2011 at 8:24 AM, Dheeraj Gupta <dheeraj.gupta4@gmail.com> wrote:
> Never mind...I got that to work...I had wrong directories for so stub files
> in conf file. I fixed it and got a new sid-msg.map file. But there is
> another problem. My sid-msg.map file is new but still Barnyard is logging
> alerts as
> Snort Alert [3:16413:0]
> Barnyard is started using command
> /usr/local/bin/barnyard -c /etc/snort/barnyard.conf -g
> /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f
> snort.log -w /var/log/snort/barnyard.waldo -D
>
> Grepping the /etc/snort/sid-msg.map gives
> # grep "16413" /etc/snort/sid-msg.map
> 16413 || WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code
> execution attempt ||
> url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx ||
> cve,2010-0034
>
> So clearly the signature is there in sid-msg.map. But still barnyard is not
> logging it correctly. I have restarted barnyard after the new sid-msg.map
> file was generated.
> I had read somewhere that this happens because of gid=3 which barnyard can't
> handle. Is there a fix or should I upgrade to barnyard2?
>
> regards,
> Dheeraj
>
> On Wed, May 18, 2011 at 3:15 PM, Dheeraj Gupta <dheeraj.gupta4@gmail.com>
> wrote:
>>
>> Hi,
>> So I installed pulled pork and used it in offline mode (-n option). The
>> execution went off perfectly. I got a new generated sid-msg.map file and all
>> that stuff. Even dynamic rules were (presumably) loaded. Here's PP output-
>>
>> Prepping rules from snortrules-snapshot-2861.tar.gz for work....
>>         Done!
>> Reading rules...
>> Reading rules...
>> Reading rules...
>> Setting Flowbit State....
>>         Enabled 47 flowbits
>>         Enabled 25 flowbits
>>         Done
>> Writing /etc/snort/rules/snort.rules....
>>         Done
>> Writing /etc/snort/rules/so_rules.rules....
>>         Done
>> Generating sid-msg.map....
>>         Done
>> Writing /etc/snort/sid-msg.map....
>>         Done
>> Writing /var/log/sid_changes.log....
>>         Done
>> Rule Stats....
>>         New:-------0
>>         Deleted:---0
>>         Enabled Rules:----4901
>>         Dropped Rules:----0
>>         Disabled Rules:---5491
>>         Total Rules:------10392
>>         Done
>>
>> (As you can see there is no "Generating Stub Rules" entry)
>>
>> However, even now Barnyard (not barnyard2) will log alerts like SnortAlert
>> [3:13308:0] i.e. it does not find relevant information in sid-msg.map files.
>> What have I missed?
>>
>> Here's my pulledpork.conf file (Rules and So_Rules part only)
>> #######
>> #######  The below section is for rule processing.  This section is
>> #######  required if you are not specifying the configuration using
>> #######  runtime switches.  Note that runtime switches do SUPERSEED
>> #######  any values that you have specified here!
>> #######
>>
>> # What path you want the .rules file containing all of the processed
>> # rules? (this value has changed as of 0.4.0, previously we copied
>> # all of the rules, now we are creating a single large rules file
>> # but still keeping a separate file for your so_rules!
>> rule_path=/etc/snort/rules/snort.rules
>>
>> # What path you want the .rules files to be written to, this is UNIQUE
>> # from the rule_path and cannot be used in conjunction, this is to be used with the
>> # -k runtime flag, this can be set at runtime using the -K flag or specified
>> # here.  If specified here, the -k option must also be passed at runtime, however
>> # specifying -K <path> at runtime forces the -k option to also be set
>> out_path=etc/snort/rules/
>>
>> # If you are running any rules in your local.rules file, we need to
>> # know about them to properly build a sid-msg.map that will contain your
>> # local.rules metadata (msg) information.  You can specify other rules
>> # files that are local to your system here by adding a comma and more paths...
>> # remember that the FULL path must be specified for EACH value.
>> # local_rules=/path/to/these.rules,/path/to/those.rules
>> local_rules=/etc/snort/rules/local.rules
>>
>> # Where should I put the sid-msg.map file?
>> sid_msg=/etc/snort/sid-msg.map
>>
>> # Where do you want me to put the sid changelog?  This is a changelog
>> # that pulledpork maintains of all new sids that are imported
>> sid_changelog=/var/log/sid_changes.log
>> # this value is optional
>>
>> #######
>> #######  The below section is for so_rule processing only.  If you don't
>> #######  need to use them.. then comment this section out!
>> #######  Alternately, if you are not using pulledpork to process
>> #######  so_rules, you can specify -T at runtime to bypass this altogether
>> #######
>>
>> # What path you want the .so files to actually go to *i.e. where is it
>> # defined in your snort.conf, needs a trailing slash
>> sorule_path=/usr/local/lib/snort_dynamicrules/
>>
>> # Path to the snort binary, we need this to generate the stub files
>> snort_path=/usr/local/bin/snort
>>
>> # We need to know where your snort.conf file lives so that we can
>> # generate the stub files
>> config_path=/etc/snort/snort.conf
>>
>> # This is the file that contains all of the shared object rules that pulledpork
>> # has processed, note that this has changed as of 0.4.0 just like the rules_path!
>> sostub_path=/etc/snort/rules/so_rules.rules
>>
>> # Define your distro, this is for the precompiled shared object libs!
>> # Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
>> # CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
>> # FC-5, FC-9, FC-11, FC-12, RHEL-5.0
>> # FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
>> # OpenSUSE-11-3
>> distro=Centos-5-4
>>
>> Regards,
>> Dheeraj

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
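To make beenph's point concrete, the following is an added example (not code from the thread, from Barnyard or from PulledPork) that parses small sid-msg.map and gen-msg.map excerpts and resolves a [gid:sid:rev] id the way the thread describes: gid 1 through sid-msg.map, every other gid through gen-msg.map. The map contents are constructed, except for the 16413 line, which is the one Dheeraj's grep shows; the lookup order is an assumption modelling the behaviour discussed, not Barnyard's source.

```python
# Constructed sid-msg.map excerpt (Barnyard v1 format: sid || msg || ref || ref).
# The 16413 line is the one the grep in the thread shows.
SID_MSG_MAP = """\
# comment lines are ignored
16413 || WEB-CLIENT Microsoft PowerPoint invalid TextCharsAtom remote code execution attempt || url,www.microsoft.com/technet/security/bulletin/MS10-004.mspx || cve,2010-0034
"""

# Constructed gen-msg.map excerpt (format: gid || sid || msg) with no gid 3
# entry, which is the situation described in the thread.
GEN_MSG_MAP = """\
1 || 1 || snort general alert
"""


def _records(text):
    """Yield the '||'-separated, stripped fields of each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text):
    """sid-msg.map: 'sid || msg || ref...' -> {sid: msg}."""
    return {int(f[0]): f[1] for f in _records(text)
            if len(f) >= 2 and f[0].isdigit()}


def parse_gen_msg_map(text):
    """gen-msg.map: 'gid || sid || msg' -> {(gid, sid): msg}."""
    return {(int(f[0]), int(f[1])): f[2] for f in _records(text)
            if len(f) >= 3 and f[0].isdigit() and f[1].isdigit()}


def resolve_alert(alert_id, sid_map, gen_map):
    """Map an '[gid:sid:rev]' id to its msg using the lookup order the thread
    describes (assumption): gid 1 text rules via sid-msg.map, every other gid
    (SO rules are gid 3) via gen-msg.map. None means no entry matched, which
    is when Barnyard is left logging the bare 'Snort Alert [gid:sid:rev]'."""
    gid, sid, _rev = (int(x) for x in alert_id.strip("[]").split(":"))
    if gid == 1:
        return sid_map.get(sid)
    return gen_map.get((gid, sid))


if __name__ == "__main__":
    sids, gens = parse_sid_msg_map(SID_MSG_MAP), parse_gen_msg_map(GEN_MSG_MAP)
    for alert in ("[1:16413:0]", "[3:16413:0]"):
        print(alert, "->", resolve_alert(alert, sids, gens))
```

Running it shows the text-rule id resolving to the PowerPoint message while the SO-rule id resolves to nothing, even though 16413 is present in sid-msg.map; adding a `3 || 16413 || ...` line to the gen-msg.map excerpt is what makes the second lookup succeed.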