PulledPork 0.7.0 #390

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 10 comments

Comments

http://blog.snort.org/2013/09/pulledpork-070-released-include.html

Original issue reported on code.google.com by doug.bu...@gmail.com on 12 Sep 2013 at 10:16

Might be worth pointing this out: 
https://code.google.com/p/pulledpork/issues/detail?id=151

I'm having the same issue with modifysid.conf as detailed in that Issue. I can 
confirm that after 0.6.1, this seems ok as I have another sensor arrangement 
using 0.6.2dev that operates on rules containing flowbits fine, with the same 
rules being singled out in that Issue.

Willing to help test, I can see that upgrading to 0.7.0 might break 
rule-update a bit.

Original comment by jk...@indexzero.org on 7 Mar 2014 at 3:28

I would also recommend removing LWP and utilizing CURL.  I am having 
issues with rule updates through a Bluecoat proxy because of the LWP 
implementation.

https://code.google.com/p/pulledpork/issues/attachmentText?id=152&aid=1520000000&name=pulledpork.pl&token=r52qRMuqE1RR08cZzleiP9ws1ws%3A1396574163192

Original comment by travisls...@gmail.com on 4 Apr 2014 at 2:56

Hi Travis,

I'd like to avoid having to maintain too many PulledPork patches.  If you can 
convince JJ (the PulledPork author/maintainer) to incorporate the CURL patch 
into the next PulledPork stable release, that'd be great, thanks!

Original comment by doug.bu...@gmail.com on 4 Apr 2014 at 9:52

What are thoughts on moving to latest PulledPork?  The current version on 
security onion is not working with our proxy (bluecoat).  I get the following 
error in our logs, "NULL character found in the request line from <IP Address 
Removed>".  I put the latest version of PulledPork on and point to some 
temporary locations and it works fine.  I would be happy to help with this.

Original comment by travisls...@gmail.com on 10 Apr 2014 at 7:45

Please find attached the modified version of Pulledpork 0.7.0.  I have been 
using it on my SO system and have not had any issues.  

Original comment by travisls...@gmail.com on 17 Apr 2014 at 2:38


LWP vs CURL aside - I've been using pulledpork-0.7.0 on a standalone sensor for 
a couple months now. /etc/nsm/pulledpork/pulledpork.conf really only needed the 
version number updated to reflect 0.7.0. 

I'm currently only using this against snort, so I can't comment on Suri rule 
management, but this is working quite well. There is a caveat - looks like 
pulledpork-0.7.0 has some deprecation around where SO stubs get put - 
preferring to roll them into the standard .rules file/s. This is a non-issue 
for me as I don't have any SO rules to speak of, but might require some testing.

0.7.0 completely resolved the issues I was having with disablesid.conf and 
modifysid.conf.

Original comment by jk...@indexzero.org on 4 May 2014 at 12:18


Original comment by doug.bu...@gmail.com on 15 Jun 2014 at 8:50

  • Changed title: PulledPork 0.7.0
Submitted for testing:

https://groups.google.com/d/topic/security-onion-testing/CK1e5OG4LPg/discussion

https://groups.google.com/d/topic/security-onion-testing/piRYj-7Ar8M/discussion

Original comment by doug.bu...@gmail.com on 8 Jul 2014 at 11:06

Published:
http://blog.securityonion.net/2014/07/new-securityonion-pulledpork-and.html

Original comment by doug.bu...@gmail.com on 8 Jul 2014 at 11:19

  • Changed state: Verified