Morpheus

Activating all the rules for testing purposes in Pulledpork

You may want to activate all the rules just to make sure everything is working correctly after installing Pulledpork. The ips_policy switch in Pulledpork tells Snort which rules to activate, and with the default policy you may not see any events for some time. This procedure activates ALL the rules. Make SURE that at the end of the test you revert to the original policy setting, or you may end up with millions of events that could bog down the Windows Intrusion Detection System (WinIDS).

To activate all the rules bypassing the original policy setting

Open a CMD window and type notepad2 d:\winids\script\etc\enablesid.conf and tap the Enter key.

Scroll down, find the line below, and change it:

Original Line: # pcre:.
Change to: pcre:.

Save the file and exit.

At the CMD prompt type perl d:\winids\script\pulledpork.pl -c d:\winids\script\etc\pulledpork.conf -nPT and tap the Enter key.

Note: The added switches (nP) instruct Pulledpork to process the local rules, bypassing the ips_policy switch setting; this process should take about two minutes.

The following is displayed in the terminal window after a successful update.
Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----27325
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------27325
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Note: The verbose output above displays the Rule Stats, showing both the enabled rule count and the disabled rule count; the disabled rule count should be 0.

Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

At the CMD prompt type net stop snort & net start snort and tap the Enter key.

Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort.

At the CMD prompt type exit and tap the Enter key.

Note: Once the test is complete it is imperative to return and complete this tutorial, or the database will fill up with millions of useless events.

To revert back to the original policy setting

Open a CMD window and type notepad2 d:\winids\script\etc\enablesid.conf and tap the Enter key.

Scroll down, find the line below, and change it:

Original Line: pcre:.
Change to: # pcre:.

Save the file and exit.

At the CMD prompt type perl d:\winids\script\pulledpork.pl -c d:\winids\script\etc\pulledpork.conf -nPT and tap the Enter key.

Note: The added switches (nP) instruct Pulledpork to process the local rules using the ips_policy switch setting; this process should take about two minutes.

The following is displayed in the terminal window after a successful update.
Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----9853
        Dropped Rules:----0
        Disabled Rules:---17472
        Total Rules:------27325
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Note: The verbose output above displays the Rule Stats, showing both the enabled rule count and the disabled rule count.

Do not continue or intervene until 'Fly Piggy Fly!' is displayed in the terminal window.

At the CMD prompt type net stop snort & net start snort and tap the Enter key.

Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort.

At the CMD prompt type exit and tap the Enter key.
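As an added example (not from the original post, and not part of Pulledpork itself), the Python helpers below automate the two enablesid.conf edits described above and parse the Rule Stats block so you can confirm the revert actually took effect before leaving the sensor running. The sample output is constructed from the values shown on this page; writing the result back to d:\winids\script\etc\enablesid.conf is left to the caller.

```python
import re

# Constructed sample of the enablesid.conf line this tutorial toggles.
ENABLESID_POLICY_LINE = "# pcre:.\n"

# Constructed excerpt modelled on the Rule Stats block Pulledpork prints
# after the revert step (9853 enabled, 17472 disabled, 27325 total).
SAMPLE_RULE_STATS = r"""Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----9853
        Dropped Rules:----0
        Disabled Rules:---17472
        Total Rules:------27325
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!
"""

# Matches exactly the 'pcre:.' line, commented or not, and nothing else.
PCRE_LINE = re.compile(r"^([ \t]*)(#[ \t]*)?pcre:\.[ \t]*$", re.MULTILINE)

def set_enable_all(conf_text: str, enable_all: bool) -> str:
    """Comment or uncomment the 'pcre:.' line in enablesid.conf text.
    enable_all=True  -> 'pcre:.'   (every rule enabled; the test mode)
    enable_all=False -> '# pcre:.' (ips_policy setting applies again)"""
    repl = r"\1pcre:." if enable_all else r"\1# pcre:."
    new_text, count = PCRE_LINE.subn(repl, conf_text)
    if count != 1:
        raise ValueError(f"expected exactly one 'pcre:.' line, found {count}")
    return new_text

def parse_rule_stats(output: str) -> dict:
    """Pull the Rule Stats counters out of Pulledpork's console output."""
    stats = {}
    for m in re.finditer(r"^[ \t]*([A-Za-z ]+?):-+(\d+)[ \t]*$", output, re.MULTILINE):
        stats[m.group(1).strip()] = int(m.group(2))
    stats["finished"] = "Fly Piggy Fly!" in output
    return stats

def policy_reverted(stats: dict) -> bool:
    """True when the run completed and ips_policy is back in force, i.e. some
    rules are disabled again and enabled + disabled accounts for the total."""
    return (stats.get("finished", False)
            and stats.get("Disabled Rules", 0) > 0
            and stats.get("Enabled Rules", 0) + stats["Disabled Rules"]
                == stats.get("Total Rules", -1))
```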
