Hey Hey, Swine people.
I'm having a problem with pulledpork, and pulling down rules for snort 3.
I'm using the latest release of snort on github (3.1.3.0).
I discovered quickly that there is not a snortrules-snapshot for version 3.1.3.0 available via snort.org.
So I suppose my first question/problem is:
Are "releases" on github.com for snort 3 considered "stable"?
Should they be used in a production environment?
If so, that there aren't any snortrules-snapshots available for them is problematic.
If not, problem solved, I'll just download the version of snort3 specified on snort.org.
That brings me to my primary issue: if I run pulledpork.pl with the "-S" argument to specify a previous version of snort3 (e.g. -S 3.1.0.0) in order to download rules, it expects there to be a snort.conf file.
Here is my pulledpork.conf:
Here are the arguments that I run for pulledpork.pl:
pulledpork.pl -W -vv -c /usr/local/etc/pulledpork/pulledpork.conf -S 3.1.0.0 -l -P -E
Here is the error I get from the verbose output:
Snort 3.0 detected, future Snort 3.0 processing
Generating Stub Rules....
Something failed in the gen_stubs sub, please verify your shared object config!
ERROR: The file that you specified: /usr/local/etc/snort/snort.conf does not exist! Please verify your configuration.
"Why don't you get rid of the config_path argument, then?"
Here's what happens when I remove the config_path option from my pulledpork.conf file:
Snort 3.0 detected, future Snort 3.0 processing
Generating Stub Rules....
Use of uninitialized value $Snort_config in -f at /usr/local/bin/pulledpork.pl line 821.
Something failed in the gen_stubs sub, please verify your shared object config!
Use of uninitialized value $Snort_config in -f at /usr/local/bin/pulledpork.pl line 856.
Use of uninitialized value $Snort_config in concatenation (.) or string at /usr/local/bin/pulledpork.pl line 857.
ERROR: The file that you specified: does not exist! Please verify your configuration.
Note: I was able to get pulledpork to work by adding in the -T (text-only rules) option:
pulledpork.pl -W -vv -c /usr/local/etc/pulledpork/pulledpork.conf -S 3.1.0.0 -l -P -E -T
My problem with that is that means I don't get any SO rules. That's somewhat annoying.