List: snort-users
Subject: Re: [Snort-users] Pulledpork3 error
From: Noah Dietrich <noah_dietrich () 86penny ! org>
Date: 2021-07-08 18:44:29
Message-ID: CA+N0JEythh1vL1ovv9OwZHp_CYeXQhnLAkWGnPd_BH_tvVLXiQ () mail ! gmail ! com
I've pushed the 'fix' for the new hard-coded path. I'll look at a better
solution (less brittle) tomorrow or this weekend if I get some time.
On Thu, Jul 8, 2021 at 9:36 PM Noah Dietrich <noah_dietrich@86penny.org>
wrote:
> Yeah, I had to hard-code that path since I'm waiting for feedback from
> Talos on how that folder is being used (and if it can be incorporated into
> the manifest.json file).
> I'll update the hard-coded path for now, but I'll look for a workaround
> (maybe if there's a single folder in the folder, it can just use that
> sub-folder).
>
> noah
>
>
> On Thu, Jul 8, 2021 at 9:33 PM David Melczer <dmelczer@greenbaumlaw.com>
> wrote:
>
> > Noah,
> >
> >
> >
> > Trying to use the Talos_LightSPD ruleset introduces a new problem.
> > Pulledpork is looking in path:
> >
> > WARNING: Error getting policy information from
> > /tmp/Pulledpork-2021.07.08-14.30.31/extracted_rulesets/Talos_LightSPD//lightspd/builtins/*3.0.1-3*/rulestates-balanced-ips.states
> >
> > But the actual path is :
> >
> > root@grsd-wb-snort 3.0.0-264]# ls
> > builtins.rules rulestates-connectivity-ips.states rulestates-no-rules-active.states
> > rulestates-balanced-ips.states rulestates-max-detect-ips.states rulestates-security-ips.states
> > [root@grsd-wb-snort 3.0.0-264]# pwd
> > /tmp/Pulledpork-2021.07.08-14.30.31/extracted_rulesets/Talos_LightSPD/lightspd/builtins/*3.0.0-264*
> > [root@grsd-wb-snort 3.0.0-264]#
> >
> > I'm not sure where the difference between 3.0.1-3 and 3.0.0-264 comes
> > from, but the extracted folder is being misidentified.
> >
> >
> >
> > Thanks again for all of your help!
> >
> >
> >
> > -Dave
> >
> > *From:* Noah Dietrich <noah_dietrich@86penny.org>
> > *Sent:* Thursday, July 8, 2021 2:28 PM
> > *To:* David Melczer <dmelczer@greenbaumlaw.com>
> > *Cc:* Snort-users <Snort-users@lists.snort.org>
> > *Subject:* Re: [Snort-users] Pulledpork3 error
> >
> >
> >
> > Ok, I've looked at some older rulesets that I have downloaded to make
> > sure there weren't any changes in the tgz format, and you are correct: the
> > builtins folder for the registered ruleset only contains the
> > 'builtins.rules' file, and no *.states files to enable/disable rules based
> > on policy.
> >
> >
> >
> > The LightSPD package does contain these .states files for the 'builtin'
> > rules, so my recommendation is to use the LightSPD format instead of the
> > registered ruleset.
> >
> > registered_ruleset = false
> >
> > LightSPD_ruleset = true
> >
> >
> >
> > *Joel /Talos team: *can you include the same .states files from the
> > LightSPD ruleset into the registered ruleset for the builtin rules?
> > Otherwise for the Registered_ruleset, I'll mark all builtin rules as
> > enabled unless the ips_policy is 'none', in which case I'll disable all the
> > builtin rules.
> >
> >
> >
> > Noah
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Jul 8, 2021 at 9:09 PM David Melczer <dmelczer@greenbaumlaw.com>
> > wrote:
> >
> > Hello.
> >
> >
> >
> > I decided to try Pulledpork3 after successfully running Pulledpork 0.8.0
> > for a while. I am using Snort3 3.1.5.0 with Libdaq3 and the
> > registered ruleset.
> >
> >
> >
> > At first when running :
> >
> > # ./pulledpork.py -c /usr/local/pulledpork/etc/pulledpork.conf -v -k
> >
> >
> >
> > I was getting this output:
> >
> > WARNING: Error getting policy information from
> > /tmp/Pulledpork-2021.07.08-13.57.32/extracted_rulesets/snortrules-snapshot-3150//builtins/rulestates-balanced-ips.states
> >
> >
> >
> > I noticed the double slash by "builtins" so I modified the pulledpork.py
> > file at line 295 to remove the extra "+ sep".
> >
> >
> >
> > However, even with that part fixed, the only thing in "builtins" is the
> > builtins.rules file. The rulestates are included in "rules" not
> > "builtins". I had to change "builtins" on line 295 to "rules" to get this
> > to work.
> >
> >
> >
> > Not sure if this helps anyone, but at least I have rules pulling down
> > now. If I messed myself up with this, please let me know!
> >
> >
> >
> > -Dave
> >
> > *From:* Snort-users <snort-users-bounces@lists.snort.org> *On Behalf Of *Noah
> > Dietrich
> > *Sent:* Wednesday, July 7, 2021 1:19 PM
> > *To:* John Kayode-Abusi <jkayodeabusi@gmail.com>
> > *Cc:* Snort-users <Snort-users@lists.snort.org>;
> > snort-users-request@lists.snort.org
> > *Subject:* Re: [Snort-users] Pulledpork3 error
> >
> >
> >
> > Have you tried running this command with sudo? (as admin)?
> >
> > On Wed, Jul 7, 2021, 5:40 PM John Kayode-Abusi via Snort-users <
> > snort-users@lists.snort.org> wrote:
> >
> > Dear all,
> >
> > I would like to receive help on this issue as shown in the attached
> > screenshot. I'm running snort3 and DAQ3 as well.
> >
> >
> >
> > Thanks,
> >
> > John
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.snort.org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> > To unsubscribe, send an email to:
> > snort-users-leave@lists.snort.org
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> >
> > Please follow these rules:
> > https://snort.org/faq/what-is-the-mailing-list-etiquette
> >
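Added example (not PulledPork3's own code) for the path problem discussed in this thread: it builds the path with os.path.join, so the '//' from the extra "+ sep" cannot appear, and instead of hard-coding the version folder under lightspd/builtins it falls back to the single sub-folder when the expected name is absent, as Noah proposes. The directory layout is constructed from Dave's ls/pwd output; the function names and the fallback order are assumptions.

```python
"""Locate rulestates-<policy>-ips.states under a LightSPD extraction
without hard-coding the version sub-folder.

Assumed layout (from Dave's `ls`/`pwd` output in the thread):
  <extracted>/Talos_LightSPD/lightspd/builtins/<version>/rulestates-<policy>-ips.states
"""
import os
import tempfile

# Policies named by the rulestates-<policy>-ips.states files in Dave's listing.
POLICIES = ("connectivity", "balanced", "security", "max-detect", "no-rules-active")


def builtins_dir(extracted_root):
    """<extracted_root>/Talos_LightSPD/lightspd/builtins.

    os.path.join inserts exactly one separator, so the '//' seen in the
    warning (root + sep + '/lightspd/...') cannot occur here.  A '//' is
    harmless to the OS; the real failure was the nonexistent version folder.
    """
    return os.path.join(extracted_root, "Talos_LightSPD", "lightspd", "builtins")


def select_version_dir(builtins, preferred=None):
    """Pick the version sub-folder under lightspd/builtins.

    Order (assumed): (1) the preferred name if that folder exists,
    (2) the only sub-folder if there is exactly one (Noah's workaround),
    (3) otherwise raise with the candidates rather than silently guess.
    """
    if not os.path.isdir(builtins):
        raise FileNotFoundError(f"no builtins directory at {builtins}")
    subdirs = sorted(d for d in os.listdir(builtins)
                     if os.path.isdir(os.path.join(builtins, d)))
    if preferred and preferred in subdirs:
        return os.path.join(builtins, preferred)
    if len(subdirs) == 1:
        return os.path.join(builtins, subdirs[0])
    raise LookupError(f"cannot choose a version folder under {builtins}: "
                      f"candidates={subdirs}, preferred={preferred!r}")


def policy_states_path(extracted_root, policy, preferred_version=None):
    """Full path of rulestates-<policy>-ips.states, verified to exist."""
    if policy not in POLICIES:
        raise ValueError(f"unknown ips_policy {policy!r}; expected one of {POLICIES}")
    version_dir = select_version_dir(builtins_dir(extracted_root), preferred_version)
    path = os.path.join(version_dir, f"rulestates-{policy}-ips.states")
    if not os.path.isfile(path):
        raise FileNotFoundError(f"policy file missing: {path}")
    return path


def make_sample_tree(root, version="3.0.0-264"):
    """Constructed fixture mirroring the file names in Dave's `ls` output."""
    vdir = os.path.join(builtins_dir(root), version)
    os.makedirs(vdir)
    names = ["builtins.rules"] + [f"rulestates-{p}-ips.states" for p in POLICIES]
    for name in names:
        with open(os.path.join(vdir, name), "w") as fh:
            fh.write(f"# constructed placeholder for {name}\n")
    return vdir


def demo():
    """The hard-coded '3.0.1-3' is absent, so the single real folder is used."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root)
        path = policy_states_path(root, "balanced", preferred_version="3.0.1-3")
        return os.path.relpath(path, root)


def demo_preferred():
    """Two version folders, but the preferred one exists: use it."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root, "3.0.0-264")
        make_sample_tree(root, "3.0.1-3")
        path = policy_states_path(root, "balanced", preferred_version="3.0.1-3")
        return os.path.basename(os.path.dirname(path))


def demo_ambiguous():
    """Two version folders and no usable preferred name: refuse to guess."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_tree(root, "3.0.0-264")
        make_sample_tree(root, "3.0.1-3")
        try:
            policy_states_path(root, "balanced", preferred_version="3.0.2-1")
        except LookupError:
            return "ambiguous"
        return "picked"


if __name__ == "__main__":
    print(demo())
```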