
Earlier this year

  • Nov 25, 2009
    r43 (A number of fixes, still need to work out the multiline rule...) committed by Cummingsj   -   A number of fixes, still need to work out the multiline rule code!
  • Nov 25, 2009
    r42 (operator fix) committed by Cummingsj   -   operator fix
  • Nov 24, 2009
    r41 (Modified the sid changelog logic a bit) committed by Cummingsj   -   Modified the sid changelog logic a bit
  • Nov 23, 2009
    r40 (Added the changelog feature to track sid changes in a logfil...) committed by Cummingsj   -   Added the changelog feature to track sid changes in a logfile Added capability to handle multiline rules Additional speed enhancements All of this needs to be tested still!
  • Nov 19, 2009
    issue 12 (MD5SUM Error) reported by Cummingsj   -   An issue has been discovered that caused some systems to not properly check the MD5 value of the latest tarball against the currently running ruleset. This issue has been corrected in the current version checked into SVN JJC .
  • Nov 18, 2009
    r39 (Fix for md5sum issues cleanup of other minor issues addition...) committed by Cummingsj   -   Fix for md5sum issues cleanup of other minor issues additional error handling
  • Nov 18, 2009
    Timeline (The timeline page, you know, so that you know whats goin on ...) Wiki page edited by Cummingsj   -   Revision r38 Edited wiki page through web user interface.
  • Nov 18, 2009
    issue 11 (tarball <> version mismatch) changed by Cummingsj   -   Fair enough, my build script for the tarball just puts the date, I'll start throwing the version out there, probably makes more sense since there are not daily tarballs anymore!
    Status: Done
    Labels: Type-Enhancement Type-Defect
  • Nov 18, 2009
    r37 (Minor fix to throw an error if the temp path does not exist,...) committed by Cummingsj   -   Minor fix to throw an error if the temp path does not exist, thanks Han!
  • Nov 18, 2009
    issue 11 (tarball <> version mismatch) reported by Jason.R.Wallace   -   This isn't a bug, just an FYI. I'm working on a package/ebuild for pulled pork for the Gentoo Linux distro. I thought I would mention that when the tarball name does not match the app's version it can cause grief for package maintainers, especially for source-based distros like Gentoo. ex. pulledpork20091013.tar.gz <-> pulledpork v0.2.5 This makes life easier for us... pulledpork-0.2.5.tar.gz <-> pulledpork v0.2.5 You probably don't care but I thought I'd throw it out there anyway...
  • Nov 11, 2009
    issue 10 (v0.2.5 - oinkcode missing from url) Status changed by Cummingsj   -   I have verified that snort.org was experiencing issues and that I cannot reproduce this error. If you experience this issue again, please let me know and we will work through it.
    Status: Invalid
  • Nov 09, 2009
    issue 10 (v0.2.5 - oinkcode missing from url) Labels changed by Cummingsj   -   If I don't hear back by around the mid to end of this week then I am going to close this ticket.
    Labels: Priority-Low Priority-Medium
  • Nov 06, 2009
    issue 10 (v0.2.5 - oinkcode missing from url) commented on by Cummingsj   -   I think that snort.org was experiencing some issues... but would like to confirm that your foo works etc... :-)
  • Nov 05, 2009
    issue 10 (v0.2.5 - oinkcode missing from url) commented on by Cummingsj   -   Can you paste your pulledpork.conf and cli runtime options? You can change the oinkcode of course.. just be sure any spaces that may / may not be there are in the exact same place :-)
  • Nov 03, 2009
    issue 10 (v0.2.5 - oinkcode missing from url) commented on by parkercrook   -   edit: It seems as though the url composition in the code is leaving out the oinkcode variable and trailing (or leading) /. (instead of "leaving out the base_url")
  • Nov 03, 2009
    issue 10 (v0.2.5 - oinkcode missing from url) reported by parkercrook   -   JJ, I was manually checking on my updates, so I went and ran the new version of pulledpork and noticed I was getting the following:
        "Fetching md5sum for comparing from: http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2.8.tar.gz.md5
        Error 500 when fetching http://www.snort.org/pub-bin/oinkmaster.cgi/snortrules-snapshot-2.8.tar.gz.md5 at /root/pulledpork/pulledpork.pl line 262."
    In order to troubleshoot, I cracked open the pulledpork.conf file and appended my oinkcode to the end of 'base_url' and saved and re-ran the script... this time it worked. It seems as though the url composition in the code is leaving out the base-url variable and trailing (or leading) /. ...I took a look at the source and in the rulefetch subroutine, I see the logic for this is there, so it seems like the sanity check (if/then) that looks for the existence of snort.org in the base_url is getting botched up (perhaps a wild accusation). I would have stepped through this with a debugger to verify, but I didn't want you to feel like I was doing your job ;-) Oh, and this is on Debian.
  • Oct 19, 2009
    issue 9 (pulledpork 0.2.5 only does not run, only exits with help scr...) Status changed by Cummingsj   -   I see your issue, you need to use the latest pulledpork.conf.. you don't have a base_url specified, please compare the new pulledpork.conf with your current one and add the base_url option. Please verify this and let me know, thx!
    Status: Invalid
  • Oct 19, 2009
    issue 9 (pulledpork 0.2.5 only does not run, only exits with help scr...) commented on by Cummingsj   -   Can you pastebin a copy of your pulledpork.conf and disablesid.conf or possibly join #snort or #pulledpork on freenode so that we can troubleshoot this and see what is happening?
  • Oct 15, 2009
    issue 9 (pulledpork 0.2.5 only does not run, only exits with help scr...) reported by oerknol   -
    What steps will reproduce the problem?
    1. try and run the program
    2.
    3.
    What is the expected output? What do you see instead?
    That it should update, instead, it only exits displaying the help screen, never actually updating the rules. Switching on -vv shows nothing
    What version of the product are you using? On what operating system?
    0.2.5, CentOS 5.3
    Please provide any additional information below.
    # pulledpork.pl -c /etc/pulledpork.conf -i /etc/disablesid.conf -vv
        http://code.google.com/p/pulledpork/
        _____ ____
        `----,\ )
        `--==\\ / Pulled_Pork v0.2.5
        `--==\\/
        .-~~~~-.Y|\\_ Copyright (C) 2009 JJ Cummings
        @_/ / 66\_ cummingsj@gmail.com
        | \ \ _(")
        \ /-| ||'--' Rules give me wings!
        \_\ \_\\
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Command Line Variable Debug:
        Config Path is: /etc/pulledpork.conf
        Path to disablesid file: /etc/disablesid.conf
        Verbose Flag is Set
        Extra Verbose Flag is Set
        Config File Variable Debug /etc/pulledpork.conf
        sostub_path = /etc/snort/so_rules/
        snort_path = /usr/sbin/snort
        distro = CentOS-5.0
        temp_path = /tmp
        oinkcode = 2a299610b20fe30c8343bbc333444981eb336aaa
        sorule_path = /usr/local/lib/snort_dynamicrule/
        rule_path = /etc/snort/rules/
        snort = 2.8.5
        rule_file = snortrules-snapshot-2.8.tar.gz
        tar_path = /bin/tar
        config_path = /etc/snort/snort.conf
        Usage: /usr/local/bin/pulledpork.pl [-lvvVdnHTn? -help] -c <config filename> -o <rule output path> -O <oinkcode> -s <so_rule output directory> -D <Distro> -S <SnortVer> -p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
        Options:
        -c Where the pulledpork config file lives.
        -i Where the disablesid config file lives.
        -o Where do you want me to put generic rules files?
        -f What snort rules tarball do you want to fetch (i.e. snortrules-snapshot-2.8_s.tar.gz)
        -u Where do you want me to pull the rules tarball from (ET, Snort.org, see pulledpork config base_url option for value ideas)
        -O What is your Oinkcode?
        -T Process text based rules files only, i.e. DO NOT process so_rules
        -m where do you want me to put the sid-msg.map file?
        -s Where do you want me to put the so_rules?
        -S Specify your Snort version
           Valid options for this value 2.8.0.1,2.8.0.2,2.8.1,2.8.2,2.8.2.1,2.8.2.2, 2.8.3,2.8.3.1,2.8.3.2,2.8.4,2.8.4.1,2.8.5
        -C Path to your snort.conf
        -p Path to your Snort binary
        -P Path to your tar binary
        -t Where do you want me to put the so_rule stub files? ** Thus MUST be uniquely different from the -o option value
        -D What Distro are you running on, for the so_rules
           Valid Distro Types=CentOS-4.6,CentOS-5.0,Debian-Lenny,FC-5,FC-9,FreeBSD-7.0, RHEL-5.0,Ubuntu-6.01.1,Ubuntu-8.04
        -l Log information to logger rather than stdout messages. **not yet implemented**
        -v Verbose mode, you know.. for troubleshooting and such nonsense.
        -vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
        -d Do not verify signature of rules tarball, i.e. downloading fron non VRT or ET locations.
        -H Send a SIGHUP to the pids listed in the config file
        -n Do everything other than download of new files (disablesid, etc)
        -V Print Version and exit
        -help/? Print this help info.
  • Oct 14, 2009
    issue 3 (When the sid-msg.map creation is complete, sort the sid's nu...) Status changed by Cummingsj   -  
    Status: WontFix
  • Oct 14, 2009
    issue 4 (Add support for chaning rule actions) Status changed by Cummingsj   -   This has been checked into SVN as of today, please feel free to test and give me feedback.. look for the dropsid.conf file in conjunction with the -b runtime option.
    Status: Fixed
  • Oct 14, 2009
    r36 (Updated README with new feature info) committed by Cummingsj   -   Updated README with new feature info
  • Oct 14, 2009
    r35 (Added dropsid functionality to allow for inline implementati...) committed by Cummingsj   -   Added dropsid functionality to allow for inline implementations to automate dropping of SIDS
  • Oct 14, 2009
    issue 5 (pulledpork tries to copy directories when doing "Copying Sha...) Status changed by Cummingsj   -  
    Status: Verified
  • Oct 14, 2009
    issue 8 (Ignore local.rules) Status changed by Cummingsj   -  
    Status: Verified
  • Oct 14, 2009
    Timeline (The timeline page, you know, so that you know whats goin on ...) Wiki page edited by Cummingsj   -   Revision r34 Edited wiki page through web user interface.
  • Oct 14, 2009
    pulledpork20091013.tar.gz (pulledpork v0.2.5) file uploaded by Cummingsj   -  
    Labels: Featured Type-Archive OpSys-Linux OpSys-OSX
  • Oct 07, 2009
    r33 (Added functionality to specify the base url to pull specifie...) committed by Cummingsj   -   Added functionality to specify the base url to pull specified rules file from (this will allow for usage of redistribution points as well as ET rulesets) Added functionality that does not overwrite local.rules file Many other minor tweaks, including regex optimization etc.
  • Oct 07, 2009
    issue 6 (snort process dies when running pulledprok) Status changed by Cummingsj   -   Without looking, I would guess that when you don't daemonize snort and then run snort again to dump stubs (again, not daemonized) that it can't appropriately lock the process space and thus you see these results. This is potentially an issue with snort... I will close this ticket and discuss with the snort team.
    Status: Invalid
  • Oct 07, 2009
    issue 8 (Ignore local.rules) Labels changed by Cummingsj   -   I have changed this in my local code and will be testing and checking in shortly.. also changed the type to enhancement request
    Labels: Type-Enhancement Type-Defect
  • Oct 02, 2009
    issue 8 (Ignore local.rules) reported by parkercrook   -   For those of us that write our own rules and place them in the local.rules file, it would be nice if pulledpork would ignore the local.rules file.
  • Sep 23, 2009
    issue 6 (snort process dies when running pulledprok) commented on by oerknol   -   Yes, running snort as a daemon seems to "fix" the problem.
  • Sep 09, 2009
    issue 6 (snort process dies when running pulledprok) commented on by Cummingsj   -   it might, can you daemonize it and see if that changes the outcome?
  • Sep 02, 2009
    issue 6 (snort process dies when running pulledprok) commented on by oerknol   -   Right, one more thing, might be nothing, might be part of the problem..... I'm running my inline snort, in a GNU screen, not as a daemon, could this have anything to do with it ?
  • Sep 02, 2009
    issue 6 (snort process dies when running pulledprok) Labels changed by Cummingsj   -   I'll build an identical system to test this as I cannot reproduce on my current platforms, also reducing the priority unless I receive more reports
    Labels: Priority-Medium Priority-High
  • Aug 25, 2009
    issue 6 (snort process dies when running pulledprok) commented on by oerknol   -   Absolutely
  • Aug 25, 2009
    r32 (Some minor tweaks and bugfixes) committed by Cummingsj   -   Some minor tweaks and bugfixes
  • Aug 25, 2009
    issue 6 (snort process dies when running pulledprok) commented on by Cummingsj   -   I have not been able to reproduce this, is it still causing issue for you?
  • Aug 24, 2009
    issue 6 (snort process dies when running pulledprok) commented on by Cummingsj   -   I am trying to reproduce.. will keep you posted!.. theredia.. thanks for the input.. good thought to look into!
  • Aug 24, 2009
    issue 7 (can't exec "/use/tmp" Permission denied at ./pl line 161) Status changed by Cummingsj   -   This is a permissions issue
    Status: Invalid
  • Aug 20, 2009
    issue 7 (can't exec "/use/tmp" Permission denied at ./pl line 161) reported by onesto48   -
    What steps will reproduce the problem?
    1. Not sure
    2.
    3.
    What is the expected output? What do you see instead?
    I am getting "can't exec "/etc/tmp" Permission denied at ./pl line 161"
    What version of the product are you using? On what operating system?
    Pulled_Pork v0.2.2 on Linux Centos 5.1
    Please provide any additional information below.
    It seems to be a permission issue. But the user I am running pulledpork.pl as has all the permission to /etc/tmp.
  • Aug 20, 2009
    issue 6 (snort process dies when running pulledprok) commented on by theredia   -   Don't know if it's relevant, but I had the same problem updating shared object rules. I had to first move the dynamic libraries (so rules) so Snort can keep them open, without getting its image changed, then copy the new shared libraries, and finally restart snort. Cheers!
  • Aug 19, 2009
    issue 6 (snort process dies when running pulledprok) commented on by oerknol   -
    Distro: CentOS 5.3
    Snort: 2.8.4.1
    /etc/pulledpork.conf:
        rule_file=snortrules-snapshot-2.8.tar.gz
        oinkcode=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        temp_path=/tmp
        tar_path=/bin/tar
        rule_path=/etc/snort/rules/
        sorule_path=/usr/local/lib/snort_dynamicrule/
        snort_path=/usr/sbin/snort
        config_path=/etc/snort/snort.conf
        sostub_path=/etc/snort/so_rules/
        distro=CentOS-5.0
        snort=2.8.4
    /etc/disablesid.conf:
        1:882,1:1141
    Command:
        pulledpork.pl -c /etc/pulledpork.conf -i /etc/disablesid.conf -vv
    It completes successfully, but kills the running snort process when creating the so_rules.
  • Aug 19, 2009
    issue 6 (snort process dies when running pulledprok) commented on by Cummingsj   -   What pulledpork options are you using, what distro etc...
  • Aug 19, 2009
    issue 6 (snort process dies when running pulledprok) changed by Cummingsj   -   I am researching this now, thank you!
    Status: Accepted
    Labels: Priority-High Priority-Medium
  • Aug 17, 2009
    issue 6 (snort process dies when running pulledprok) reported by oerknol   -
    What steps will reproduce the problem?
    1. Run pulledpork to update the rules
    What is the expected output? What do you see instead?
    I expect the running snort process to keep on running, instead it segfaults
    I run pulledpork to update the so_rules, so it then starts a separate snort process to generate the rules, at this point, my in-line snort process dies and traffic comes to a halt, this is undesirable. Are there any solutions or work arounds ?
  • Aug 17, 2009
    issue 3 (When the sid-msg.map creation is complete, sort the sid's nu...) Labels changed by Cummingsj   -  
    Labels: Priority-Low Priority-Medium
  • Aug 17, 2009
    issue 5 (pulledpork tries to copy directories when doing "Copying Sha...) Status changed by Cummingsj   -   This issue has been resolved in the current version that was recently checked in to svn. I'll just be doing some testing before I close this issue out.
    Status: Started
  • Aug 17, 2009
    issue 4 (Add support for chaning rule actions) Labels changed by Cummingsj   -   This is an enhancement and is on the list of upcoming features
    Labels: Type-Enhancement Type-Defect
  • Aug 13, 2009
    issue 5 (pulledpork tries to copy directories when doing "Copying Sha...) reported by oerknol   -   When configuring pulledpork to generate the dynamic rules from the shared objects, it first copies the shared objects to the directory specified, but includes the directories ('.' and '..') in the copy:
        ERROR! DOES NOT EXIST:/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/.
        Copying /tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/chat.so to /usr/local/lib/snort_dynamicrule/chat.so
        Copying /tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/imap.so to /usr/local/lib/snort_dynamicrule/imap.so
        ERROR! DOES NOT EXIST:/tmp/tha_rules/so_rules/precompiled/CentOS-5.0/i386/2.8.4/..Generating shared object stubs via:/usr/sbin/snort -c /etc/snort/snort.conf --dump-dynamic-rules=/etc/snort/so_rules/
 
Hosted by Google Code