
List:       snort-users
Subject:    Re: [Snort-users] Some confusion on lightspeed package
From:       James Lay <jlay () slave-tothe-box ! net>
Date:       2021-07-13 14:31:25
Message-ID: 22df3e208e8e7246fa7edaede8e4ccf23dbd0350.camel () slave-tothe-box ! net


Thanks Joel...completely missed that repo...will get to work on it.

On Tue, 2021-07-13 at 14:26 +0000, Joel Esler (jesler) wrote:
> The work for LightSPD is in pulledpork 3, a completely new version of
> pulledpork. https://github.com/shirkdog/pulledpork3
> This is under active development.
> 
> > On Jul 13, 2021, at 8:39 AM, James Lay <jlay@slave-tothe-box.net>
> > wrote:
> > 
> > 
> > So.....since pulledpork doesn't seem ready for the lightspeed
> > package (and since there's no mention of the lightspeed package
> > anywhere in the pulledpork documentation) I've been kind of
> > "rolling my own" rule updater.  Currently snort 3.1.6.0 is the
> > latest....here's the lightspeed package directory structure:
> > ./policies
> > ./policies/common
> > ./policies/3.0.3-4
> > ./policies/3.1.0.1-174
> > ./policies/3.0.3-1
> > ./policies/3.1.0.1-149
> > ./rules
> > ./rules/3.0.0.0
> > ./modules
> > ./modules/3.1.7.0
> > ./modules/3.1.7.0/centos-x64
> > ./modules/3.1.7.0/ubuntu-x64
> > ./modules/3.1.7.0/opensuse-x64
> > ./modules/3.1.7.0/debian-x64
> > ./modules/3.0.1.0
> > ./modules/3.0.1.0/centos-x64
> > ./modules/3.0.1.0/ubuntu-x64
> > ./modules/3.0.1.0/opensuse-x64
> > ./modules/3.0.1.0/debian-x64
> > ./modules/stubs
> > ./modules/src
> > ./builtins/3.0.0-264
> > In testing this morning, snort 3.1.6.0 binary does not work with
> > the 3.1.7.0 modules, but does work with the 3.0.1.0 modules (ERROR:
> > <rule> SO rule <sid> not loaded).  Here is my home made update
> > script:
> > #!/bin/bash
> > VER=`/opt/snort/bin/snort --version | grep Version | sed -e 's/.*Version //' -e 's/\.//g'`
> > PROC=`ps aux | grep snort.lua | grep -v grep | awk '{ print $2 }' | head -n 1`
> > cd /tmp
> > wget https://snort.org/rules/Talos_LightSPD.tar.gz?oinkcode=<code>
> > mv Talos_LightSPD.tar.gz* Talos_LightSPD.tar.gz
> > if [ ! -f "Talos_LightSPD.tar.gz" ]; then
> >     exit
> > fi
> > tar xf Talos_LightSPD.tar.gz
> > cd /opt/snort/etc/rules
> > rm -rf old
> > mkdir old
> > mv * old
> > cd /tmp/lightspd
> > mv builtins/* /opt/snort/etc/rules/builtins
> > mv modules/3.1*/ubuntu-x64/so_rules /opt/snort/etc/rules/
> > mv modules/stubs/* /opt/snort/etc/rules/so_rules/
> > mv rules/*/*.rules /opt/snort/etc/rules/
> > cd /tmp
> > mv Talos_LightSPD.tar.gz Talos_LightSPD.old
> > logger `/opt/snort/bin/snort --daq-dir=/opt/snort/libdaq/lib/daq --plugin-path=/opt/snort/etc/rules/so_rules -c /opt/snort/etc/snort.lua -T | tail -n 2`
> > /usr/bin/kill -SIGHUP $PROC
> > 
> > As you can see from my mv modules/3.1 line, if the modules aren't going to line up with the version I'm running....I'm going to have to continue manually copying these files each time I update to test.  So my questions are:
> > 
> > When will pulledpork be ready for lightspeed packages?
> > Will the modules version number line up with the running version of
> > snort at some point in time?
> > Thank you.
> > James
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.snort.org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> > 
> > 	To unsubscribe, send an email to:
> > 	snort-users-leave@lists.snort.org
> > 
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!
> > 
> > Please follow these rules: 
> > https://snort.org/faq/what-is-the-mailing-list-etiquette
> 
> 

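The version-matching step James does by hand with the `modules/3.1*` glob, as an added example that is not part of the thread and not pulledpork's code: it picks, from the LightSPD `modules/` layout quoted above, the module version directory that fits the running Snort binary. The fallback rule (exact match first, otherwise the newest module version that is not newer than the running Snort) is an assumption drawn only from the thread's observation that 3.0.1.0 modules load on 3.1.6.0 while 3.1.7.0 modules do not.

```shell
#!/bin/sh
# Added example (not from the thread): choose the LightSPD modules directory
# that fits the running Snort binary, instead of a hand-edited "modules/3.1*".
# Assumption, not something Talos documents: an exact version match is best;
# otherwise take the newest module version that is not newer than the running
# Snort, and fail if every candidate is newer (those will not load).

# ver_cmp A B: prints -1, 0 or 1 comparing two dotted versions numerically.
ver_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) { print -1; exit }
            if (x[i] + 0 > y[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

# pick_modules RUNNING MODVER...: prints the chosen module version, or
# prints nothing and returns 1 when no candidate is usable.
pick_modules() {
    running="$1"; shift
    best=""
    for m in "$@"; do
        case $(ver_cmp "$m" "$running") in
            0) printf '%s\n' "$m"; return 0 ;;   # exact match wins outright
            1) continue ;;                       # built for a newer Snort: skip
        esac
        if [ -z "$best" ] || [ "$(ver_cmp "$m" "$best")" = 1 ]; then
            best="$m"
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# pick_modules_from_pkg PKGDIR RUNNING: scans PKGDIR/modules for version
# directories (ignoring "stubs" and "src") and delegates to pick_modules.
pick_modules_from_pkg() {
    pkg="$1"; running="$2"; set --
    for d in "$pkg"/modules/*/; do
        d=${d%/}; d=${d##*/}
        case "$d" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) set -- "$@" "$d" ;;
        esac
    done
    pick_modules "$running" "$@"
}
```

In the update script this replaces the glob with something like `mods=$(pick_modules_from_pkg /tmp/lightspd "$(/opt/snort/bin/snort --version | sed -n 's/.*Version \([0-9.]*\).*/\1/p')") || exit 1`, so the script stops instead of installing SO rules the running binary cannot load.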





