Closed felbinger closed 1 month ago
Running into this issue as well. Also noticing that Noah (the dude who wrote the installation guide for Ubuntu) experienced this problem as well:
https://seclists.org/snort/2021/q1/36
Has there been any progress on this?
A look at the latest 3.x tarball, and I do see that there are now precompiled shared object rules being distributed. I am not sure the dumping of the stub rules is necessary in 3.x, since the rules are provided, but the distro types are completely different. I had a note in the code to handle some differences, but it looks like the list will have to be different.
I have also encountered this issue. There is a large difference between how Snort2 and Snort3 handle and package SO rules. I will try to document my findings here.
Under Snort2, SO rules were in a path like `/so_rules/precompiled/Centos-7/x86-64/2.9.17.1/` so `Distro` needed to be `Centos-7` and `arch` was picked up by PP as `x86-64`.
Under Snort3, SO rules are in a path like `/so_rules/precompiled/centos-x64/` so `Distro` is now `centos` and `arch` needs to be set to `x64`. There is no version string here.
In snort2, the config file had a directive like `dynamicdetection directory /usr/lib64/snort_dynamicrules` which told snort where dynamic rules could be found. So PP extracted the so files directly to this location (via `sorule_path`). The `--dump-dynamicrules=X` told snort to look in the directory defined in the config and generate stub rule files which were stored at X. So PP used to run this command with `/tmp/tha_rules/so_rules` to gather rule stubs at that location.
Under snort3, the said configuration option is no longer there. We do have a new `--plugin-path` option which I think can be used the same way. So assuming we modify PP to get correct path of so files from rule tarball & save those to `sorule_path`. However in snort3 `--dump-dynamic-rules` does not take any options. It works by reading any loaded rules and dumps the stubs to stdout. So to work with this, we will need to run snort with `--plugin-path` set to `sorule_path` and expect all rule stubs to be dumped to stdout.
The command would change to `$Snort_path -c $Snort_config --plugin-path=$Sorules --dump-dynamic-rules` and we will need to collect the output under a new file in `/tmp/tha_rules/so_rules`.
My Perl is not strong enough to generate a PR for this complicated case.
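The tarball layouts and stub-dump invocations described in the comment above, as an added shell example that is not part of the thread and is not PulledPork's code. The function names and the `so_stubs.rules` output file are hypothetical, the tarball listing is assumed to carry no leading slash, and the Snort 2 invocation is the one shown in the verbose output quoted in this issue.

```shell
#!/bin/sh
# Added example, not PulledPork code; function and file names are hypothetical.

# Directory prefix of the precompiled SO rules inside the rule tarball.
# Args: Snort major version (2|3), distro, arch, full Snort version (2.x only).
so_prefix() {
    case "$1" in
        2) printf 'so_rules/precompiled/%s/%s/%s/\n' "$2" "$3" "$4" ;;
        3) printf 'so_rules/precompiled/%s-%s/\n' "$2" "$3" ;;
        *) echo "unsupported Snort major version: $1" >&2; return 2 ;;
    esac
}

# Filter a tarball listing (one member per line on stdin) down to the .so
# files under that prefix. Returns 1 when nothing matches, which is what a
# Snort 2 style distro value yields against a Snort 3 tarball.
select_so() {
    prefix=$(so_prefix "$@") || return 2
    awk -v p="$prefix" \
        'index($0, p) == 1 && /\.so$/ { print; n++ } END { exit (n ? 0 : 1) }'
}

# Produce stub rules. Args: major version, snort binary, snort config,
# directory holding the extracted .so files, output directory.
dump_stubs() {
    major=$1 snort=$2 conf=$3 sodir=$4 outdir=$5
    mkdir -p "$outdir" || return 1
    case "$major" in
        2) # Snort 2 finds the .so directory via its config and writes the stubs itself.
           "$snort" -c "$conf" --dump-dynamic-rules="$outdir" ;;
        3) # Snort 3 accepts no argument here: stubs go to stdout, so capture them.
           "$snort" -c "$conf" --plugin-path="$sodir" --dump-dynamic-rules \
               > "$outdir/so_stubs.rules" || return 1
           # An empty file means no stubs were produced for $sodir.
           [ -s "$outdir/so_stubs.rules" ] ;;
        *) return 2 ;;
    esac
}
```

Checking the exit status of `select_so` before extraction makes a wrong `distro` value fail loudly instead of ending in a run that reports zero rules.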
I have created a new repo for snort3 called "pulledpork3". There is some initial code that has been written by someone in the community that will be a good starting point for getting snort3 signature updates working for everyone. Any snort3 issues will be tracked here and only closed when resolved with pulledpork3
@shirkdog I have created PR #363 which modifies pulledpork script so that it can be used to dump dynamic rules in both Snort2 and Snort3. I have tested it and it appears to work.
Users must set distro to appropriate values. E.g. for Snort2 if `distro=RHEL-7` then for Snort3 that should change to `distro=centos` for correct rules to be copied & their stubs dumped.
I think this can now be closed as #363 has merged. There may be a need to update documentation regarding distros for Snort3 being different from Snort2.
I downloaded pulledpork.pl today (July 24, 2021) and had to modify the code to properly handle SO_rules for Snort3 (my flavor is ubuntu). I removed the "(" and ")" around $Distro and $arch on line 333 (else). And I also changed pulledpork.conf with distro=ubuntu.
```
if ($Snortv3 == 0) {
    # Snort 2 layout: <distro>/<arch>/<snort version>/
    $sofile_pat_base = $sofile_pat_base . "($Distro)\/($arch)\/($Snort)\/";
}
else {
    # Snort 3 layout: <distro>-<arch>/
    $sofile_pat_base = $sofile_pat_base . "$Distro-$arch\/";
}
```
@seanjowen I tried it on my system with and without the parentheses (`(` and `)`) and both times the rules extracted OK. I am on CentOS-7 (although I manually set the distro to `ubuntu` to test) and my perl is 5.16.3. Maybe it's got something to do with perl versions?
@redbaron4, my apologies. I retested and the code is fine. The solution was actually simply changing the distro to "ubuntu" rather than "Ubuntu-18-4" in the pulledpork.conf. In my troubleshooting the code, I believe I was distracted by one of my children and had inadvertently changed both the code and the distro config in the same step, leading me to incorrectly conclude it was the code. I had the proper spot in the code that was causing the error, but I had identified the wrong solution. Thanks for building this script and maintaining it!
@seanjowen Thanks for clearing it up! And thanks goes to @shirkdog who is the author/maintainer.
Hello, I tried to install your application according to the snort 3 Installation guide for Ubuntu (page 9 - 11).
When I try to execute the last command on page 10 (`sudo /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -l -P -E -H SIGHUP`), I get an error and no rules are being imported.
I guess this is the interesting part, but you can find the whole output and the configuration below:
Verbose Output (`-vvv`) of the mentioned command
```
    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Config File Variable Debug /usr/local/etc/pulledpork/pulledpork.conf
sid_changelog = /var/log/sid_changes.log
block_list = /usr/local/etc/lists/default.blocklist
temp_path = /tmp
distro = FreeBSD-12
snort_path = /usr/local/bin/snort
ignore = deleted.rules,experimental.rules,local.rules
IPRVersion = /usr/local/etc/lists
rule_url = ARRAY(0x55bb38e47dd0)
rule_path = /usr/local/etc/rules/snort.rules
snort_control = /usr/local/bin/snort_control
sid_msg = /usr/local/etc/snort/sid-msg.map
pid_path = /var/log/snort/snort.pid
sorule_path = /usr/local/etc/so_rules/
sid_msg_version = 2
config_path = /usr/local/etc/snort/snort.conf
local_rules = /usr/local/etc/rules/local.rules
version = 0.8.0
ips_policy = security
MISC (CLI and Autovar) Variable Debug:
Process flag specified!
arch Def is: x86-64
Operating System is: linux
CA Certificate File is: OS Default
Config Path is: /usr/local/etc/pulledpork/pulledpork.conf
Distro Def is: FreeBSD-12
Write ONLY enabled rules flag is Set
security policy specified
local.rules path is: /usr/local/etc/rules/local.rules
Rules file is: /usr/local/etc/rules/snort.rules
sid changes will be logged to: /var/log/sid_changes.log
sid-msg.map Output Path is: /usr/local/etc/snort/sid-msg.map
Sending signal Flag is Set: SIGHUP
Snort Version is: 3.1.0.0
Snort Config File: /usr/local/etc/snort/snort.conf
Snort Path is: /usr/local/bin/snort
SO Output Path is: /usr/local/etc/so_rules/
Will process SO rules
Logging Flag is Set
Verbose Flag is Set
File(s) to ignore = deleted.rules,experimental.rules,local.rules
Base URL is: https://www.snort.org/rules/|snortrules-snapshot.tar.gz|MY_OINKCODE https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
doh, we need to perform some cleanup ... an unclean run last time?
Cleanup....
removed 2 temporary snort files or directories from /tmp/tha_rules!
Checking latest MD5 for snortrules-snapshot-3100.tar.gz....
Fetching md5sum for: snortrules-snapshot-3100.tar.gz.md5
** GET https://www.snort.org/rules/snortrules-snapshot-3100.tar.gz.md5?oinkcode=MY_OINKCODE ==> 200 OK
most recent rules file digest: 89f05dbaa731ff94434bd60c1d02e49f
current local rules file digest: 89f05dbaa731ff94434bd60c1d02e49f
The MD5 for snortrules-snapshot-3100.tar.gz matched 89f05dbaa731ff94434bd60c1d02e49f
IP Blocklist download of https://snort.org/downloads/ip-block-list....
** GET https://snort.org/downloads/ip-block-list ==> 302 Found
** GET https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/004/600/original/ip_filter.blf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIXACIED2SPMSC7GA%2F20210215%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210215T163750Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=dc6a7df1349a66743cb3202b0ddf0ebb313b5279966c84a799bb6f85c5486668 ==> 200 OK (1s)
Reading IP List...
Prepping rules from snortrules-snapshot-3100.tar.gz for work....
extracting contents of /tmp/snortrules-snapshot-3100.tar.gz...
Ignoring plaintext rules: deleted.rules
Ignoring plaintext rules: experimental.rules
Ignoring plaintext rules: local.rules
Reading rules...
Snort 3.0 detected, future Snort 3.0 processing
Generating Stub Rules....
Generating shared object stubs via:/usr/local/bin/snort -c /usr/local/etc/snort/snort.conf --dump-dynamic-rules=/tmp/tha_rules/so_rules/
An error occurred: ERROR: can't set --dump-dynamic-rules /tmp/tha_rules/so_rules/
An error occurred: ERROR: usage: --dump-dynamic-rules output stub rules for all loaded rules libraries
An error occurred: FATAL: see prior 2 errors
An error occurred: Fatal Error, Quitting..
Done
Reading rules...
Reading rules...
Cleanup....
removed 2 temporary snort files or directories from /tmp/tha_rules!
Writing Blocklist File /usr/local/etc/lists/default.blocklist....
Writing Blocklist Version 858940980 to /usr/local/etc/lists/IPRVersion.dat....
Activating security rulesets....
Done
Setting Flowbit State....
Done
Writing /usr/local/etc/rules/snort.rules....
Done
Generating sid-msg.map....
Done
Writing v2 /usr/local/etc/snort/sid-msg.map....
Done
WARNING, cannot send signal if also processing SO rules
see README.SHAREDOBJECTS or use -T flag!
Writing /var/log/sid_changes.log....
Done
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----0
Dropped Rules:----0
Disabled Rules:---0
Total Rules:------0
IP Blocklist Stats...
Total IPs:-----789
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
```
`/usr/local/etc/pulledpork/pulledpork.conf`
```
# Config file for pulledpork
# Be sure to read through the entire configuration file
# If you specify any of these items on the command line, it WILL take
# precedence over any value that you specify in this file!

#######
####### The below section defines what your oinkcode is (required for
####### VRT rules), defines a temp path (must be writable) and also
####### defines what version of rules that you are getting (for your
####### snort version and subscription etc...)
#######

# You can specify one or as many rule_urls as you like, they
# must appear as http://what.site.com/|rulesfile.tar.gz|1234567. You can specify
# each on an individual line, or you can specify them in a , separated list
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
rule_url=https://www.snort.org/rules/|snortrules-snapshot.tar.gz|MY_OINKCODE
# NEW Community ruleset:
#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
# NEW For IP Block lists! Note the format is urltofile|IPBLOCKLIST|
```
Thanks in Advance