
Unable to process shared object rules for a previous version of snort3 #361

Description

@da667

Hey Hey, Swine people.

I'm having a problem with pulledpork, and pulling down rules for snort 3.

I'm using the latest release of snort on github (3.1.3.0)

I discovered quickly that there is not a snortrules-snapshot for version 3.1.3.0 available via snort.org

So I suppose my first question/problem is:

Are "releases" on github.com for snort 3 considered "stable"?
Should they be used in a production environment?

If so, that there aren't any snortrules-snapshots available for them is problematic.
If not, problem solved, I'll just download the version of snort3 specified on snort.org.

That brings me to my primary issue: if I run pulledpork.pl with the "-S" argument to specify a previous version of snort3 (e.g. -S 3.1.0.0) in order to download rules, it expects there to be a snort.conf file.

Here is my pulledpork.conf:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|**redacted**
rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/usr/local/etc/rules/snort.rules
local_rules=/usr/local/etc/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_msg_version=2
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/etc/so_rules/
snort_path=/usr/local/bin/snort
**config_path=/usr/local/etc/snort/snort.conf**
distro=Ubuntu-18-4
block_list=/usr/local/etc/lists/default.blocklist
IPRVersion=/usr/local/etc/lists
snort_control=/usr/local/bin/snort_control
pid_path=/var/log/snort/snort.pid
ips_policy=security
version=0.8.0

Here are the arguments that I run for pulledpork.pl:

pulledpork.pl -W -vv -c /usr/local/etc/pulledpork/pulledpork.conf -S 3.1.0.0 -l -P -E

Here is the error I get from the verbose output:

Snort 3.0 detected, future Snort 3.0 processing
Generating Stub Rules....
Something failed in the gen_stubs sub, please verify your shared object config!

ERROR: The file that you specified: /usr/local/etc/snort/snort.conf does not exist! Please verify your configuration.

"Why don't you get rid of the config_path argument, then?"

Here's what happens when I remove the config_path option from my pulledpork.conf file:

Snort 3.0 detected, future Snort 3.0 processing
Generating Stub Rules....
Use of uninitialized value $Snort_config in -f at /usr/local/bin/pulledpork.pl line 821.
Something failed in the gen_stubs sub, please verify your shared object config!
Use of uninitialized value $Snort_config in -f at /usr/local/bin/pulledpork.pl line 856.
Use of uninitialized value $Snort_config in concatenation (.) or string at /usr/local/bin/pulledpork.pl line 857.

ERROR: The file that you specified:  does not exist! Please verify your configuration.

Note: I was able to get pulledpork to work by adding in the -T (text-only rules) option:

pulledpork.pl -W -vv -c /usr/local/etc/pulledpork/pulledpork.conf -S 3.1.0.0 -l -P -E -T

My problem with that is that it means I don't get any SO rules. That's somewhat annoying.
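The two failures above are both path problems in pulledpork.conf: a `config_path` that points at a file that does not exist, and a `config_path` that is absent (so `$Snort_config` is empty when `gen_stubs` runs). The following pre-flight check is an added example, not part of this issue and not pulledpork's own code. It reads a pulledpork.conf, resolves the keys that pulledpork treats as filesystem paths, and reports dangling or missing ones before `pulledpork.pl` is run. The lists of file keys and directory keys are assumptions taken from the configuration posted above, not from pulledpork's parser.

```shell
#!/bin/sh
# Added example (not pulledpork's code): pre-flight check for a pulledpork.conf.
# Reports paths that pulledpork will try to open but that do not exist, and a
# missing config_path (which gen_stubs needs for shared-object stub generation).

# Assumed: keys whose value must be an existing file.
PP_FILE_KEYS="snort_path config_path snort_control"
# Assumed: keys whose value must be an existing directory.
PP_DIR_KEYS="temp_path sorule_path IPRVersion"

# pp_get KEY CONF -> prints KEY's value from CONF (last definition wins), empty if unset.
pp_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# pp_check CONF -> prints one line per problem; returns 0 when clean, 1 otherwise.
pp_check() {
    conf=$1
    rc=0
    for key in $PP_FILE_KEYS; do
        val=$(pp_get "$key" "$conf")
        if [ -z "$val" ]; then
            # Only config_path is mandatory for this check: without it the
            # stub generator has no snort.conf to read at all.
            if [ "$key" = "config_path" ]; then
                echo "MISSING: config_path is not set (stub generation will see an empty \$Snort_config)"
                rc=1
            fi
        elif [ ! -f "$val" ]; then
            echo "NOFILE:  $key=$val"
            rc=1
        fi
    done
    for key in $PP_DIR_KEYS; do
        val=$(pp_get "$key" "$conf")
        if [ -n "$val" ] && [ ! -d "$val" ]; then
            echo "NODIR:   $key=$val"
            rc=1
        fi
    done
    return $rc
}

# Usage: pp_check /usr/local/etc/pulledpork/pulledpork.conf && pulledpork.pl -c ... -S 3.1.0.0 -l -P -E
```

Run it with the real pulledpork.conf before invoking `pulledpork.pl`; a non-zero exit means one of the listed paths will produce the "does not exist" error shown above rather than a rule update.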
