jvinson

General Questions for Pulledpork slave setup

2 posts in this topic

Hello,

My AWS setup continues to progress. I've managed to get success (I think) in running the pulledpork tutorial; however, I do have some lingering questions that concern me where I needed to deviate from the tutorial instructions:

1.) I'm using a Linux MySQL instance for the database. The Apache2 server is also running on the Linux box. Not standard for the Winsnort tutorial, where it comments on IIS vs. Apache2 customizations. The first instruction in question is to delete all files from a directory structure that is not present on my winIDS snort slave install: C:\IDS\Apache24\htdocs\base\signatures\ The cmd to del all files in the dir does not bother me.

After seeing the file path referenced in the pulledpork.conf file, I created the file structure to accommodate the update process. I'm curious if these "signatures" are intended to be added somehow to the MySQL database via Apache? The front end I'm using, Snorby, has a listing of signatures that it pulls from the MySQL DB. The front end only reports the original 522 signatures. Any thoughts on how the concepts work for a standard WinIDS deployment? Does Base have an updated sig count of 12000+ signatures after running pulledpork?

2.) When I ran the pulledpork cmd it seemed to go OK; the questions in the forums resolved some concerns. The downloaded signature files totaled 23,499 in the C:\IDS\Apache24\htdocs\base\signatures\ path. When running pulledpork in ips_policy=security, the pp script determines that out of 30577 rules, 12275 will be enabled and 18302 will be disabled. I'd like to know more as to why the script decides which rules to enable / disable.

3.) This is the thing that is of highest concern to me. I know the OS environment for the tutorial was a Win 7 machine and I'm installing on the Server counterpart, 2008 R2, but there is a box toward the bottom of the tutorial that claims that after restarting the snort server a Barnyard2 CMD window will just be running minimized in the taskbar area:

"When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database."

I don't think I missed any steps, but this is not going to happen in my current install. I'd like to know where I went wrong.

4.) Finally, my last question concerns automating the Pulledpork updating process. Can WINsnort.com endorse the practice of having a .bat file called by a scheduled task to execute the CMD below on a daily basis? If yes, why not include this in the pulledpork tutorial?

Perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

Thanks in advance for the feedback.

JVinson

PS - @Mopheus - did you see my private message? Just wanted to confirm whether you did or not. Thanks.

 

There is a new tutorial specifically for the slave sensor. Some of the questions above will be moot by using the new tutorial.

//--\\

Sourcefire determines which rules are activated for each of the three policies.

Note: Rules are managed by using the 4 .conf files located in the pulledpork\etc folder. Read each file for a description. Never modify the winids.rules file at any time.

//--\\

Winsnort.com does not furnish script files for automating the processing of the rules. However, this doesn't prevent users from posting their script/s.

//--\\

PS - Yes, I did see the PM, and will get back to you on that. I'm being squeezed for time in other things right now.
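The enable/disable counts in question 2 and the reply's note that Sourcefire decides which rules belong to each of the three policies both come down to the "metadata:policy ...-ips ..." tags that VRT rules carry. The following Python script is an added illustration, not pulledpork's own (Perl) code or anything from Winsnort.com: it parses a few constructed rule lines, reports which SIDs a given ips_policy value (connectivity, balanced or security) would enable or disable, and rewrites the rules with the leading "#" added or removed accordingly. The decision rule (a rule is enabled when its metadata names the chosen policy, whatever the action, and disabled otherwise) is a simplification assumed here; pulledpork's real logic has more cases, and the sample rules are invented for the demo.

```python
import re

# Constructed sample rules in Snort VRT syntax. They are illustrative only,
# not rules from the thread above or from the Sourcefire rule set. The
# "metadata:policy <name>-ips <action>" tags are the convention that the
# ips_policy setting keys on.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow"; flow:to_server,established; content:"USER"; sid:1000001; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB exploit attempt"; flow:to_server,established; content:"/cgi-bin/"; sid:1000002; rev:2; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Policy violation"; sid:1000003; rev:1; metadata:policy security-ips alert;)
alert udp any any -> any 53 (msg:"DNS noise"; sid:1000004; rev:1;)
"""

POLICIES = ("connectivity", "balanced", "security")

# A rule line: optional leading "#", an action keyword, then options in parentheses.
RULE_RE = re.compile(
    r"^\s*(?P<off>#)?\s*(?P<action>alert|drop|pass|log|sdrop|reject)\s+.*?\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
META_RE = re.compile(r"\bmetadata\s*:\s*([^;]*);")
POLICY_RE = re.compile(r"policy\s+(\w+)-ips\s+(\w+)")


def parse_rules(text):
    """Return one dict per rule line: its sid, whether it is shipped commented
    out, and the {policy_name: action} map read from its metadata option."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # blank lines and ordinary comments
        opts = m.group("opts")
        sid_m = SID_RE.search(opts)
        if not sid_m:
            continue  # a rule without a sid is malformed; skip it
        policies = {}
        meta_m = META_RE.search(opts)
        if meta_m:
            for name, action in POLICY_RE.findall(meta_m.group(1)):
                policies[name] = action
        rules.append({
            "sid": int(sid_m.group(1)),
            "commented": m.group("off") is not None,
            "policies": policies,
            "line": line,
        })
    return rules


def apply_policy(rules, policy):
    """Split rules into (enabled, disabled) SID sets for one ips_policy value.
    Assumed simplification: a rule is enabled if its metadata names the chosen
    policy (drop or alert), and disabled otherwise, regardless of how it shipped."""
    if policy not in POLICIES:
        raise ValueError(f"unknown ips_policy {policy!r}; expected one of {POLICIES}")
    enabled = {r["sid"] for r in rules if policy in r["policies"]}
    disabled = {r["sid"] for r in rules} - enabled
    return enabled, disabled


def summarize(text, policy):
    """Counts in the style of pulledpork's end-of-run report."""
    rules = parse_rules(text)
    enabled, disabled = apply_policy(rules, policy)
    return {"total": len(rules), "enabled": len(enabled), "disabled": len(disabled)}


def rewrite(text, policy):
    """Return the rule text with each rule commented or uncommented to match the policy."""
    out = []
    for line in text.splitlines():
        parsed = parse_rules(line)
        if not parsed:
            out.append(line)  # leave non-rule lines untouched
            continue
        enabled, _ = apply_policy(parsed, policy)
        body = line.lstrip().lstrip("#").lstrip()
        out.append(body if parsed[0]["sid"] in enabled else "# " + body)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in POLICIES:
        print(p, summarize(SAMPLE_RULES, p))
    print(rewrite(SAMPLE_RULES, "security"))
```

Running it shows why the same rule set yields different enabled/disabled counts per policy: the security policy picks up every rule tagged for it, including ones shipped commented out, while connectivity keeps only the rules tagged connectivity-ips, and an untagged rule is disabled under all three.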

