rule-update: run PulledPork with -T option if ENGINE=suricata #560

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 3 comments

@GoogleCodeExporter
rule-update: run PulledPork with -T option if ENGINE=suricata

Original issue reported on code.google.com by doug.bu...@gmail.com on 17 Jul 2014 at 10:47

GoogleCodeExporter Mar 24, 2015

        # Default to no PulledPork options
        PP_OPTIONS=""

        # OPTION: -n if we have no Internet connection
        if [ "$LOCAL_NIDS_RULE_TUNING" = "true" ] || [ "$LOCAL_NIDS_RULE_TUNING" = "yes" ]; then
                cp /opt/emergingthreats/emerging* /tmp
                PP_OPTIONS="-n"
                echo "LOCAL_NIDS_RULE_TUNING is enabled."
                echo "This will cause PulledPork to use the existing rules in /opt/emergingthreats/"
                echo "instead of downloading new rules from the Internet."
                echo "If you want PulledPork to download new rules from the Internet,"
                echo "set the following in /etc/nsm/securityonion.conf:"
                echo "LOCAL_NIDS_RULE_TUNING=no"
        fi

        # OPTION: -T if the user is running Suricata
        if [ "$ENGINE" = "suricata" ]; then
                PP_OPTIONS="$PP_OPTIONS -T"
                echo "ENGINE=suricata, so we'll execute PulledPork with the -T option to avoid adding soid rules to downloaded.rules."
        fi

        # Go get rules from Internet.
        echo "Running PulledPork."
        /usr/bin/pulledpork.pl -P $PP_OPTIONS -c /etc/nsm/pulledpork/pulledpork.conf |
                grep -v "normalizations disabled because not inline" | grep -v "^$"

Original comment by doug.bu...@gmail.com on 17 Jul 2014 at 11:17

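As an added example (not code from the Security Onion rule-update script or from the comment above), the same option-building logic factored into a function so each ENGINE / LOCAL_NIDS_RULE_TUNING combination can be checked on its own, plus a wrapper that preserves PulledPork's own exit status. The snippet above pipes PulledPork into two greps, so the status the caller sees is that of the last grep, and a failed rule download would not be reported. The function names, the stub command and its output lines are constructed for offline use; only the variable names, the -n / -T flags and the conf path are taken from the snippet.

```shell
#!/bin/sh
# build_pp_options ENGINE LOCAL_NIDS_RULE_TUNING
# Prints the PulledPork option string on stdout (constructed helper; the
# variable names and flags mirror the rule-update snippet).
build_pp_options() {
    engine=$1
    local_tuning=$2
    opts=""
    # -n: use the local rule tarballs instead of fetching from the Internet
    case "$local_tuning" in
        true|yes) opts="-n" ;;
    esac
    # -T: Suricata does not use Snort shared-object stub rules, so skip them
    if [ "$engine" = "suricata" ]; then
        opts="${opts:+$opts }-T"
    fi
    printf '%s\n' "$opts"
}

# run_pulledpork PULLEDPORK_CMD CONF OPTION...
# Runs PulledPork with the given options, drops the same noisy lines the
# original snippet filters, and returns PulledPork's exit status rather
# than the exit status of the final grep in a pipeline.
run_pulledpork() {
    pp_cmd=$1
    conf=$2
    shift 2
    out=$(mktemp) || return 1
    # Run inside an if so a failure is recorded instead of aborting under set -e
    if "$pp_cmd" -P "$@" -c "$conf" >"$out" 2>&1; then
        status=0
    else
        status=$?
    fi
    # grep -v returns 1 when nothing is left to print; that is not an error here
    grep -v "normalizations disabled because not inline" "$out" | grep -v "^$" || true
    rm -f "$out"
    return "$status"
}

# Constructed stand-in for /usr/bin/pulledpork.pl so the wrapper can be run
# offline: echoes its arguments, one noisy line and one blank line, then
# exits with STUB_EXIT (default 0).
stub_pulledpork() {
    printf 'args: %s\n' "$*"
    printf '\n'
    printf 'normalizations disabled because not inline\n'
    printf 'Rule Stats...\n'
    return "${STUB_EXIT:-0}"
}

# Demonstration: Suricata with local tuning enabled yields "-n -T".
opts=$(build_pp_options suricata yes)
echo "PP_OPTIONS=$opts"
# word splitting on $opts is intended; each flag becomes its own argument
run_pulledpork stub_pulledpork /etc/nsm/pulledpork/pulledpork.conf $opts
echo "PulledPork exit status: $?"
```

The wrapper writes PulledPork's output to a temporary file and filters it afterwards, which is what lets it return the real exit status without relying on bash-only PIPESTATUS; the script stays POSIX sh.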
GoogleCodeExporter Mar 24, 2015

Submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/RoNGrHjMEGk/discussion

Original comment by doug.bu...@gmail.com on 17 Jul 2014 at 11:58

GoogleCodeExporter Mar 24, 2015

Published:
http://blog.securityonion.net/2014/07/new-securityonion-rule-update-package.html

Original comment by doug.bu...@gmail.com on 25 Jul 2014 at 11:45

  • Changed state: Verified