shirkdog / pulledpork

Pulled Pork for Snort and Suricata rule management (from Google code)
GNU General Public License v2.0

pulledpork 0.7.1 resolving flowbits issue #171

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 9 years ago
OS X 10.10.2
Snort Version 2.9.7.0 GRE (Build 149)
PulledPork v0.7.1 - Swine Flu with a side of Ebola!

after successfully running pulledpork still having flowbits warnings in snort

Pulledpork output:
$ sudo pulledpork.pl -vv -w -c /usr/local/etc/pulledpork/pulledpork.conf
Password:

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.1 - Swine Flu with a side of Ebola!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2014 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Config File Variable Debug /usr/local/etc/pulledpork/pulledpork.conf
    config_path = /usr/local/etc/snort/snort.conf
    snort_control = /usr/local/bin/snort_control
    snort_path = /usr/local/bin/snort
    sid_changelog = /var/log/sid_changes.log
    distro = FreeBSD-8.1
    sid_msg = /usr/local/etc/snort/sid-msg.map
    temp_path = /tmp
    version = 0.7.1
    black_list = /usr/local/etc/snort/rules/iplists/default.blacklist
    sorule_path = /usr/local/lib/snort_dynamicrules/
    rule_path = /usr/local/etc/snort/rules/snort.rules
    local_rules = /usr/local/etc/snort/rules/local.rules
    sid_msg_version = 1
    IPRVersion = /usr/local/etc/snort/rules/iplists
    ignore = deleted.rules,experimental.rules,local.rules
    rule_url = ARRAY(0x7f8eee947cc0)
MISC (CLI and Autovar) Variable Debug:
    arch Def is: X86-64
    Config Path is: /usr/local/etc/pulledpork/pulledpork.conf
    Distro Def is: FreeBSD-8.1
    Disabled policy specified
    local.rules path is: /usr/local/etc/snort/rules/local.rules
    Rules file is: /usr/local/etc/snort/rules/snort.rules
    sid changes will be logged to: /var/log/sid_changes.log
    sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
    Snort Version is: 2.9.7.0
    Snort Config File: /usr/local/etc/snort/snort.conf
    Snort Path is: /usr/local/bin/snort
    SO Output Path is: /usr/local/lib/snort_dynamicrules/
    Will process SO rules
    Extra Verbose Flag is Set
    Verbose Flag is Set
    SSL Hostname Verification disabled
    Base URL is: https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|44146283d5bb770b010082666768b9c083bfdb02
    https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
    http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
    https://www.snort.org/reg-rules/|opensource.gz|44146283d5bb770b010082666768b9c083bfdb02

Checking latest MD5 for snortrules-snapshot-2970.tar.gz....
Fetching md5sum for: snortrules-snapshot-2970.tar.gz.md5
    GET https://www.snort.org/reg-rules/snortrules-snapshot-2970.tar.gz.md5/44146283d5bb770b010082666768b9c083bfdb02 ==> 200 OK (1s)
    most recent rules file digest: 95af6b9b4a89a276ee40b964d015fe9f
    current local rules file digest: 95af6b9b4a89a276ee40b964d015fe9f
    The MD5 for snortrules-snapshot-2970.tar.gz matched 95af6b9b4a89a276ee40b964d015fe9f

Checking latest MD5 for community-rules.tar.gz....
Fetching md5sum for: community-rules.tar.gz.md5
    GET https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 ==> 200 OK
    most recent rules file digest: 9e879ce53e34c580a97407f869d2d7f0
    current local rules file digest: 9e879ce53e34c580a97407f869d2d7f0
    The MD5 for community-rules.tar.gz matched 9e879ce53e34c580a97407f869d2d7f0

IP Blacklist download of http://labs.snort.org/feeds/ip-filter.blf....
    GET http://labs.snort.org/feeds/ip-filter.blf ==> 200 OK (1s)
Reading IP List...
Checking latest MD5 for opensource.gz....
Fetching md5sum for: opensource.gz.md5
    GET https://www.snort.org/reg-rules/opensource.gz.md5/44146283d5bb770b010082666768b9c083bfdb02 ==> 200 OK (1s)
    most recent rules file digest: 489712cc1f594ad03958473e8a4c00d0
    current local rules file digest: 489712cc1f594ad03958473e8a4c00d0
    The MD5 for opensource.gz matched 489712cc1f594ad03958473e8a4c00d0

Cleanup....
    removed 0 temporary snort files or directories from /tmp/tha_rules!
Writing Blacklist File /usr/local/etc/snort/rules/iplists/default.blacklist....
Writing Blacklist Version 1630953778 to /usr/local/etc/snort/rules/iplistsIPRVersion.dat....
Writing /var/log/sid_changes.log....
Done

No Rule Changes

IP Blacklist Stats...
    Total IPs:-----4449

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

Snort output:

$ sudo /usr/local/bin/snort -vde -i en0 -c /usr/local/etc/snort/snort.conf

...
Verifying Preprocessor Configurations!
WARNING: flowbits key 'file.k3g' is set but not ever checked.
WARNING: flowbits key 'file.maki' is set but not ever checked.
WARNING: flowbits key 'file.msi' is set but not ever checked.
WARNING: flowbits key 'file.bak' is set but not ever checked.
WARNING: flowbits key 'file.s3m' is set but not ever checked.
WARNING: flowbits key 'file.eps' is set but not ever checked.
WARNING: flowbits key 'file.eot' is set but not ever checked.
WARNING: flowbits key 'file.winampskin' is set but not ever checked.
WARNING: flowbits key 'file.tar' is set but not ever checked.
WARNING: flowbits key 'file.xspf' is set but not ever checked.
WARNING: flowbits key 'file.search-ms' is set but not ever checked.
WARNING: flowbits key 'file.hpj' is set but not ever checked.
WARNING: flowbits key 'file.cy3' is set but not ever checked.
WARNING: flowbits key 'file.ht3' is set but not ever checked.
WARNING: flowbits key 'file.mppl' is set but not ever checked.
WARNING: flowbits key 'file.htc' is set but not ever checked.
WARNING: flowbits key 'file.mswmm' is set but not ever checked.
WARNING: flowbits key 'file.rt' is set but not ever checked.
WARNING: flowbits key 'file.asf' is set but not ever checked.
WARNING: flowbits key 'file.vqf' is set but not ever checked.
WARNING: flowbits key 'ssl_handshake' is set but not ever checked.
WARNING: flowbits key 'file.torrent' is set but not ever checked.
WARNING: flowbits key 'file.aiff' is set but not ever checked.
WARNING: flowbits key 'file.3g2' is set but not ever checked.
WARNING: flowbits key 'file.xfdl' is set but not ever checked.
WARNING: flowbits key 'file.cyb' is set but not ever checked.
WARNING: flowbits key 'file.m4b' is set but not ever checked.
WARNING: flowbits key 'file.caff' is set but not ever checked.
WARNING: flowbits key 'file.cue' is set but not ever checked.
WARNING: flowbits key 'file.lanman' is set but not ever checked.
WARNING: flowbits key 'file.m4v' is set but not ever checked.
WARNING: flowbits key 'file.smil' is set but not ever checked.
WARNING: flowbits key 'file.job' is set but not ever checked.
WARNING: flowbits key 'file.mny' is set but not ever checked.
WARNING: flowbits key 'file.vap' is set but not ever checked.
WARNING: flowbits key 'file.rjs' is set but not ever checked.
WARNING: flowbits key 'file.m4p' is set but not ever checked.
WARNING: flowbits key 'file.mp3' is set but not ever checked.
WARNING: flowbits key 'file.m4a' is set but not ever checked.
WARNING: flowbits key 'file.zip.winrar.spoof' is set but not ever checked.
WARNING: flowbits key 'file.hhk' is set but not ever checked.
WARNING: flowbits key 'file.xwd' is set but not ever checked.
WARNING: flowbits key 'file.mht' is set but not ever checked.
WARNING: flowbits key 'file.reg' is set but not ever checked.
WARNING: flowbits key 'file.dws' is set but not ever checked.
WARNING: flowbits key 'file.jp2' is set but not ever checked.
WARNING: flowbits key 'file.4xm' is set but not ever checked.
WARNING: flowbits key 'file.addin' is set but not ever checked.
WARNING: flowbits key 'file.rdp' is set but not ever checked.
WARNING: flowbits key 'file.mkv' is set but not ever checked.
WARNING: flowbits key 'file.wma' is set but not ever checked.
WARNING: flowbits key 'acunetix-scan' is set but not ever checked.
WARNING: flowbits key 'file.aom' is set but not ever checked.
WARNING: flowbits key 'file.fon' is set but not ever checked.
WARNING: flowbits key 'file.skm' is set but not ever checked.
WARNING: flowbits key 'file.hlp' is set but not ever checked.
WARNING: flowbits key 'file.sln' is set but not ever checked.
WARNING: flowbits key 'file.apk' is set but not ever checked.
WARNING: flowbits key 'file.rp' is set but not ever checked.
WARNING: flowbits key 'file.psfont' is set but not ever checked.
WARNING: flowbits key 'file.qt' is set but not ever checked.
WARNING: flowbits key 'file.chm' is set but not ever checked.
WARNING: flowbits key 'file.screensaver' is set but not ever checked.
WARNING: flowbits key 'tlsv1.0_handshake' is set but not ever checked.
WARNING: flowbits key 'file.wps' is set but not ever checked.
WARNING: flowbits key 'file.xul' is set but not ever checked.
WARNING: flowbits key 'file.xps' is set but not ever checked.
WARNING: flowbits key 'file.xm' is set but not ever checked.
WARNING: flowbits key 'file.csd' is set but not ever checked.
WARNING: flowbits key 'file.3gp' is set but not ever checked.
WARNING: flowbits key 'file.wk4' is set but not ever checked.
WARNING: flowbits key 'cve.2008-4265' is set but not ever checked.
WARNING: flowbits key 'file.xbm' is set but not ever checked.
WARNING: flowbits key 'file.skp' is set but not ever checked.
WARNING: flowbits key 'file.cnt' is set but not ever checked.
WARNING: flowbits key 'file.xcf' is set but not ever checked.
WARNING: flowbits key 'file.jnlp' is set but not ever checked.
WARNING: flowbits key 'file.pmd' is set but not ever checked.
WARNING: flowbits key 'file.gzip' is set but not ever checked.
WARNING: flowbits key 'file.pui' is set but not ever checked.
WARNING: flowbits key 'file.ani' is set but not ever checked.
WARNING: flowbits key 'file.pkp' is set but not ever checked.
WARNING: flowbits key 'file.smi' is set but not ever checked.
WARNING: flowbits key 'file.amf' is set but not ever checked.
WARNING: flowbits key 'file.collada' is set but not ever checked.
WARNING: flowbits key 'file.maplet' is set but not ever checked.
WARNING: flowbits key 'file.rat' is set but not ever checked.
WARNING: flowbits key 'file.wmf' is set but not ever checked.
WARNING: flowbits key 'file.fpx' is set but not ever checked.
WARNING: flowbits key 'tlsv1.2_handshake' is set but not ever checked.
WARNING: flowbits key 'file.m4r' is set but not ever checked.
WARNING: flowbits key 'file.abc' is set but not ever checked.
WARNING: flowbits key 'file.file.jpeg' is set but not ever checked.
WARNING: flowbits key 'file.psd' is set but not ever checked.
WARNING: flowbits key 'tnftp' is set but not ever checked.
WARNING: flowbits key 'file.pls' is set but not ever checked.
WARNING: flowbits key 'spyrat_bd' is set but not ever checked.
WARNING: flowbits key 'file.works' is set but not ever checked.
WARNING: flowbits key 'tlsv1.1_handshake' is set but not ever checked.
WARNING: flowbits key 'file.plf' is set but not ever checked.
WARNING: flowbits key 'kit.blackhole' is set but not ever checked.
WARNING: flowbits key 'file.wri' is set but not ever checked.
WARNING: flowbits key 'file.xpm' is set but not ever checked.
WARNING: flowbits key 'file.rtx' is set but not ever checked.
WARNING: flowbits key 'file.cov' is set but not ever checked.
WARNING: flowbits key 'file.lnk' is set but not ever checked.
WARNING: flowbits key 'imap.cram_md5' is set but not ever checked.
WARNING: flowbits key 'ms.packager' is set but not ever checked.
WARNING: flowbits key 'file.cur' is set but not ever checked.
WARNING: flowbits key 'file.dbp' is set but not ever checked.
WARNING: flowbits key 'file.flac' is set but not ever checked.
WARNING: flowbits key 'hornet.2' is set but not ever checked.
WARNING: flowbits key 'file.metalink' is set but not ever checked.
WARNING: flowbits key 'file.fli' is set but not ever checked.
WARNING: flowbits key 'file.nab' is set but not ever checked.
WARNING: flowbits key 'file.vwr' is set but not ever checked.
WARNING: flowbits key 'file.autodesk_max' is set but not ever checked.
WARNING: flowbits key 'file.met' is set but not ever checked.
237 out of 1024 flowbits in use.
...


Original issue reported on code.google.com by `Drew...@gmail.com` on 22 Mar 2015 at 5:10
shirkdog commented 8 years ago

Verify the Snort rules, as this is a Snort warning issue. If the flowbit is set, but there is not a single signature configured with "isset:" then you will see these warnings.
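A way to find which enabled rules are behind each of those warnings, as an added example that is not pulledpork's or Snort's own code: it applies the condition in the reply above (a flowbit that some enabled rule sets but no enabled rule tests with isset) to a rules file, treating rules commented out with "#" as disabled. The sample rules and SIDs are constructed, and the split of flowbits operations into "set" (set, setx, toggle) and "check" (isset, isnotset) is my reading of the Snort 2.9 flowbits syntax, an assumption.

```python
import re

# Snort 2.9 flowbits grammar as assumed here: flowbits:<op>[,<name>[&<name>...][,<group>]];
# Ops that establish a bit versus ops that test it.
SET_OPS = {"set", "setx", "toggle"}
CHECK_OPS = {"isset", "isnotset"}
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*([a-z]+)\s*(?:,\s*([^;,]+))?")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules file (rules and SIDs are made up): the rule that checks
# file.tar is commented out, which is how pulledpork writes a disabled rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY tar file download"; content:"ustar"; flowbits:set,file.tar; flowbits:noalert; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER malformed tar header"; flowbits:isset,file.tar; content:"|00 00 00 00|"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SSL client hello"; content:"|16 03|"; flowbits:set,ssl_handshake; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SSL application data"; flowbits:isset,ssl_handshake; content:"|17 03|"; sid:1000004; rev:1;)
"""


def parse_rule(line):
    """Return (sid, bits_set, bits_checked) for an enabled rule line, None otherwise."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # blank line, comment, or rule disabled by pulledpork
    sid = SID_RE.search(line)
    if not sid:
        return None
    bits_set, bits_checked = set(), set()
    for op, names in FLOWBITS_RE.findall(line):
        # 'a&b' (set) and 'a|b' (isset) name several bits in one option; noalert names none
        for name in (re.split(r"[&|]", names.strip()) if names else []):
            if op in SET_OPS:
                bits_set.add(name.strip())
            elif op in CHECK_OPS:
                bits_checked.add(name.strip())
    return int(sid.group(1)), bits_set, bits_checked


def orphan_flowbits(rules_text):
    """Map each flowbit that an enabled rule sets but no enabled rule checks (the
    condition behind Snort's 'set but not ever checked' warning) to the setting SIDs."""
    set_by, checked = {}, set()
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        sid, bits_set, bits_checked = parsed
        for name in bits_set:
            set_by.setdefault(name, set()).add(sid)
        checked.update(bits_checked)
    return {name: sorted(sids) for name, sids in set_by.items() if name not in checked}
```

Run against the sample it reports only file.tar (set by sid 1000001), since its checking rule is disabled while ssl_handshake is both set and checked; pointed at a real snort.rules it tells you which setter SIDs to silence or which checker SIDs to enable for each warning.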