Post by ZF on Apr 30, 2014 21:51:57 GMT -5
Note: Use the latest copy of pulledpork from code.google.com/p/pulledpork else you will get "Not updated version of pulled pork detected"
Note:
If you encounter Error 500 when running pulledpork, check your oinkcode in pulledpork.conf
Note that snort version defined in pulledpork.conf defines the signature file to download.
Note that apt-get uses an older version of snort
To determine which version of SERVER to use, check out the latest snort pre-compiled signature and determine... ...
e.g. the pre-compiled rules in snortrules-snapshot-2961.tar only support ubuntu-12-04.
Use snort --version to determine the snort version.
snortrules-snapshot-2961.tar.gz is for snort version 2.9.6.2
If you don't use this version of snort, the precompiled dynamic library will give you the following message:
ERROR: Dynamic detection lib /usr/lib/snort_dynamicrules/web-client.so 1.0 isn't compatible with the current dynamic engine library /usr/lib/snort_dynamicengine/libsf_engine.so 1.15.
Remove local.rules from snort.conf if you encounter the following error. Reason: there is no local.rules file.
ERROR: Unable to open rules file "/etc/snort//etc/snort/rules/etc/snort/rules/local.rules": No such file or directory.
Oinkmaster has been deprecated. Pulledpork follows the newer structure of the Snort project and the VRT rules.
Pulledpork will not let you disable a rule that is needed by another rule. You can still threshold the rule so that it doesn't alert, but it will still allow the flowbits to be followed.
Barnyard2 is used for logging. It allows Snort to write to its native u2 file format and then get back to sniffing.
Barnyard2 will then read the u2 file and write to the different logging facilities that you wish to log to.
Barnyard requires a web server and mySQL
Steps to install:
//THIS STEP IS CONTROVERSIAL because the snort version is old. As of this article, it is 2.9 but the snort website has 2.9.6.2 rules! This NEEDS TO MATCH!
apt-get install snort
//For pulledpork
apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
Download the stable pulledpork from code.google.com/p/pulledpork/
Copy etc/pulledpork.conf to /etc/pulledpork/pulledpork.conf
Edit pulledpork.conf to include oinkcode
Edit snort.conf to remove local.rules and add rules
Remove all files in rules
SOURCE:
www.rivy.org/2013/03/howto-install-snort/
wiki.aanval.com/wiki/Community:Snort_2.9.2.3_Installation_Guide_for_Ubuntu_12.04,_with_Barnyard2,_Pulledpork,_and_Aanval