I have recently went to upgrade my Snort version and Pulled Pork version. Those seem to have upgraded just fine. What I am having an issue with is trying to update pulled pork after the update. When I run the update command it seems like it can't connect to Talos which is a first time I am seeing that issue. Has anyone seen an issue like this before. In the attached screenshot I am able to browse to the website shown. It almost seems like the Talos side might not allow me in to download said file.

Thanks in advance. 

Firstly, thanks to Morpheus for the quite flawless instructions for installing Snort on Windows and the various additional tutorials.

Just a quick question about Pulled Pork.  I have installed it and everything is working just fine.  I'm just not clear how often the rules and sigs get updated and what the update mechanism is.  Can anyone elaborate?

thanks!

The my AWS setup continues to progress. I've managed to get success (I think) in running the pulledpork tutorial, however, I do have some lingering questions that concern me where I needed to deviate from the tutorial instructions:

1.) I'm using a Linux mySQL instance for the database. The Apache2 server is also running on the Linux box. Not std for the Winsnort tutorial where it comments on IIS Vs. Apache2 customizations The first instruction in question is to delete all files from a directory structure that is not present on my winIDS snort slave install: C:\IDS\Apache24\htdocs\base\signatures\  The cmd to del all files in the dir does not bother me.

after seeing the file path referenced in the pulledpork.conf file I created the file structure to accommodate the update process. I'm curious if these "signatures" are intended to be added somehow to the MySQL database via apache? The front end I'm using, Snorby, has a listing of signatures that it pulls from the MySQL DB. the front end only reports the original 522 signatures. Any thoughts on how the concepts work for a standard WinIDS deployment? Does Base have an updated sig count of 12000+ signatures after running pulledpork?

2.) When I ran the pulledpork cmd it seemed to go ok - the questions in the forums resolved some concerns - the downloaded signature files totaled 23,499 in the C:\IDS\Apache24\htdocs\base\signatures\ path. when running the pulledpork in ips_policy=security the pp script determines that out of 30577 rules 12275 will be enabled and 18302 will be disabled. I'd like to know more as to why the script decides on which rules to enable / disable 

3.) This is the thing that is of highest concern to me - I know the OS evnironment for the tutorial was a Win 7 machine and I'm installing on the Server counterpart, 2008 R2, but there is a box toward the bottom of the tutorial that claims after restarting the snort server that a Barnyard2 CMD window will just be running minimized in the taskbar area:

" When the system is rebooted, Barnyard2 will be running in a Minimized window located in the Windows task bar. Opening the Barnyard2 CMD window will display the events as they are being shuttled to the database. "

I don't think I missed any steps, but this is not going to happen in my current install - I'd like to know where I went wrong.

4.) Finally, my last question is concerning automating the Pulledpork updating process. Can WINsnort.com endorse the practice of having a .bat file called by a scheduled task to execute the CMD below on a daily basis? If yes why not include this in the pulledpork tutorial?

Perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T

Thanks in advance for the feedback.

JVinson

PS - @ Mopheus - did you see my private message? just wanted to confirm you did or not. Thanks.

'uname' is not recognized as an intenal or external command.

The specified Snort binary does not exist.

Please correct the value or specify the FULL rules tarball name in pulledpork.conf!

at d:\winids\pulledpork\pulledpork.pl line 1932

To activate all the rules bypassing the original policy setting

Open a CMD window and type notepad2 d:\winids\script\etc\enablesid.conf and tap the Enter key.

Scroll down find and change the line below:

Original Line: # pcre:.
Change to: pcre:.

Save the file and exit.

At the CMD prompt type perl d:\winids\script\pulledpork.pl -c d:\winids\script\etc\pulledpork.conf -nPT and tap the Enter key.

Note: The added switches (nP) instructs Pulledpork to process the local rules bypassing the ips_policy switch setting, and this process should take about two minutes.

Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----27325
        Dropped Rules:----0
        Disabled Rules:---0
        Total Rules:------27325
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Note: The verbose output above will display the Rule Stats, showing both enabled rule count, and disabled rule count should be 0.

At the CMD prompt type net stop snort & net start snort and tap the Enter key.

Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort.

At the CMD prompt type exit and tap the Enter key.

To revert back to the original policy setting

Open a CMD window and type notepad2 d:\winids\script\etc\enablesid.conf and tap the Enter key.

Scroll down find and change the line below:

Original Line: pcre:.
Change to: # pcre:.

Save the file and exit.

At the CMD prompt type perl d:\winids\script\pulledpork.pl -c d:\winids\script\etc\pulledpork.conf -nPT and tap the Enter key.

Note: The added switches (nP) instructs Pulledpork to process the local rules using the ips_policy switch setting, and this process should take about two minutes.

Rule Stats...
        New:-------0
        Deleted:---0
        Enabled Rules:----9853
        Dropped Rules:----0
        Disabled Rules:---17472
        Total Rules:------27325
No IP Blacklist Changes

Done
Please review d:\winids\snort\log\sid_changes.log for additional details
Fly Piggy Fly!

Note: The verbose output above will display the Rule Stats, showing both enabled rule count, and disabled rule count.

At the CMD prompt type net stop snort & net start snort and tap the Enter key.

Note: Allow a couple of minutes for Barnyard2 to reconnect to the event log file after cycling Snort.

At the CMD prompt type exit and tap the Enter key.

1. balanced
2. connectivity
3. security

The default ips_policy switch is set to security. If at any time you want to change the ips_policy switch in the pulledpork.conf it will require an additional two switches added to the end of the Pulledpork run line to process the new ips_policy.

Open a CMD prompt type as Administrator and type 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -nPT' (less the outside quotes) and tap the Enter key.

The above run line will only process the local rules for the new policy change on the fly! This run line will not update the rules from the rules repository. It will only update the policy selection from the existing set of rules!

The rules should be checked for errors after the update for validation, and Snort must be cycled!

Open a CMD prompt type as Administratort 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes) and tap the 'Enter' key.
 

Note: In the interface switch above (-ix), the x will be substituted for the Index number of the monitoring NIC.

Snort successfully validated the configuration!
Snort exiting

'uname' is not recognized as an internal or external command,
operable program or batch file.
Checking latest MD5 for snortrules-snapshot-2975.tar.gz....
Rules tarball download of snortrules-snapshot-2975.tar.gz....
        They Match
        Done!
IP Blacklist download of http://talosintel.com/files/additional_resources/ips_bl
acklist/ip-filter.blf....
Reading IP List...
Couldn't read d:\winids\pulledpork\temp/888.85498046875-black_list.rules - No su
ch file or directory
 at d:\winids\pulledpork\pulledpork.pl line 540
        main::read_iplist('HASH(0x38eba80)', 'd:\winids\pulledpork\temp/888.8549
8046875-black_list.rules') called at d:\winids\pulledpork\pulledpork.pl line 431

        main::rulefetch('open', 'IPBLACKLIST0', 'd:\winids\pulledpork\temp/', 'h
ttp://talosintel.com/files/additional_resources/ips_blacklis...') called at d:\w
inids\pulledpork\pulledpork.pl line 1946

I see no other rules in snort.conf other than SO_RULEs.  Are there supposed to be regular rules there?  If yes, how do I get them there?

I have started to read-

SO_Rules are not compatible with Windows.

d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\e
tc\pulledpork.conf -T

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'uname' is not recognized as an internal or external command,
operable program or batch file.
Checking latest MD5 for snortrules-snapshot-xxxx.tar.gz....
        Error 422 when fetching https://www.snort.org/reg-rules/snortrules-snaps
hot-xxxx.tar.gz.md5 at D:\winids\pulledpork\pulledpork.pl line 463
        main::md5file('20d5e532f75a4aaceee29638b0458901dd617c16', 'snortrules-sn
apshot-xxxx.tar.gz', 'd:\winids\pulledpork\temp/', 'https://www.snort.org/reg-ru
les/') called at D:\winids\pulledpork\pulledpork.pl line 1847

Could you help me to fix this please. Regards Jan

The attachment shows the error that results from the test.  I have gone to the referenced line numbers shown in the error message but have not been able to determine a resolution.

Please advise.

So my Barnyard2 cmd is just sitting at a waiting for new data prompt and has been like this all weekend, there is no data being passed to winids console either. Seems to me that barnyard is not receiving any traffic.  

If i run the test commands : d:\winids\snort\bin\snort -v -i1 or i2 both display's traffic and (warning: no preprocessors configured for policy 0).

If i run d:\winids\activators\by2-test config file successfully loads. 

Running 'perl d:\winids\pulledpork\pulledpork.pl -c d:\winids\pulledpork\etc\pulledpork.conf -T completes in about 30 mins no erros

Running d:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T (snort validated the config file successfully)

All services are running and started

Does anyone have any ideas what i am missing ?

Thanks

Gary

However, the real issue I'm having is that the igmp protocol doesn't seem to be supported. Upon testing Snort, I receive an error:

Invalid protocol name for
"ip_proto" rule option: "igmp".

Therefore, I have disabled these rules in my disable.conf (pcre:ip_proto:igmp). Any idea how to enable support for the igmp protocol? (21 rules are disabled by this regular expression, so it is not such a big deal, but still).

UPDATE: Hmm it's pretty strange, cause Snort doesn't throw an error on 'ip_proto:2', even though that is exactly the same as syaing 'ip_proto:igmp'. Maybe a very small issue in the protocol number to name link? Can that link be changed manually?

I've installed PulledPork per the instructions, went back and deleted everything, restored to a known good backup taken from right before I started the install, and did everything over. No matter what I try I can't get snort.exe to start again? Would it be helpful if I copied my pulledport.conf and snort.conf files here? Any help would be greatly appreciated.

Thanks,

KiRyah

I've problem with local rules. In BASE local rule not shows name (there is only gid:sid:rev i suppose). After updating pulled pork i ran create sid-map and there is created name for local rule. Barnyard shows rules with names too. What should be update to see names of rule in BASE?

And i've one off topic question - how to make autorisation to BASE page?

thanks

kjannasz

When looking at line 29 for pulledpork.pl there is line called 'use sys::syslog;'

Has anyone else had or seen this problem ?

After adding the PulledPork add-on events have stopped. I went back thru my snort conf file following the update tutorial and the only discrepancies I found had to do with the preproc_rule paths.  In the update tutorial, the rules are turned on, in the PulledPork tutorial, they are turned off.  Once I turned them back on, events started spooling to the unified2 file consistently.  Which is the correct configuration?  

d:winidssnortbinsnort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -T

It comes back with an error 

ERROR: d:\winids\snort\etc\snort.conf(507) => Unable to open address file d:\winids\snort\rules\white_list.rules, Error: No such file or directory Fatal Error, Quitting..

Not sure what I messed up exactly.

   Please help!! After following the pulledpork configuration steps, I have not been able to get any data into the database. In my Barnyard window it just says "Waiting for New Data". I have gone through several suggestions as to why this is the case but no resolution. I have added in the test.rules to the snort.conf files and have seen data coming in. I have also installed wireshark on the box and have verified that the monitor port is seeing the data. My network administrator have verified that the mirrored port is setup correctly. I just cannot get it to be written to the database. Any help is greatly appreciated. Thank you.