Configure Snort automatic rules updating via PulledPork

AllCloud Blog:
Cloud Insights and Innovation


PulledPork is an open-source Perl script that automatically updates Snort rules.


  • Install the Perl modules PulledPork needs
    • On CentOS
yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y
    • On Ubuntu
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y

Install PulledPork

  • Download and extract PulledPork
cd /usr/local/src/snort
wget -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork
  • Generate Oinkcode at Snort web site
    • If you are not already registered on the Snort web site, register now at
    • Log in to the Snort web site
    • Go to the Snort home page and click “Get Snort Oinkcode” at the bottom, in the “Snort Links” section
    • Click Generate Code and copy your new Oinkcode
  • Change the following in PulledPork configuration file
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
rule_url=|snortrules-snapshot.tar.gz|paste here your Oinknumber
# get the rule docs!
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!

# Where should I put the file?
# Path to the snort binary, we need this to generate the stub files

# We need to know where your snort.conf file lives so that we can
# generate the stub files

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
distro=Ubuntu-10.04 # For CentOS 6.x you can use RHEL-6-0
  • Change RULE_PATH variable in snort configuration file
vi /usr/local/snort/etc/snort.conf
var RULE_PATH /usr/local/snort/etc/rules
  • Remove all snort include rules files
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
  • Add the following include files to snort configuration file
# Single quotes keep the shell from expanding $RULE_PATH; it must be written literally
echo 'include $RULE_PATH/snort.rules' >> /usr/local/snort/etc/snort.conf
echo 'include $RULE_PATH/local.rules' >> /usr/local/snort/etc/snort.conf
echo 'include $RULE_PATH/so_rules.rules' >> /usr/local/snort/etc/snort.conf
  • Create rules directory
mkdir /usr/local/snort/etc/rules
  • Create your local rules file
    • If you have one, copy it
cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
    • If you don’t have local rules file then create an empty one
touch /usr/local/snort/etc/rules/local.rules
  • Run PulledPork for the first time
/usr/local/snort/pulledpork/ -c /usr/local/snort/pulledpork/etc/pulledpork.conf
  • Schedule PulledPork to run every day. Add the following line to the end of crontab file
vi /etc/crontab
0 0 * * * root /usr/local/snort/pulledpork/ -c /usr/local/snort/pulledpork/etc/pulledpork.conf

PulledPork installation is complete. PulledPork will now run every day and update your rules files from the Snort site.
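
An added example, not part of the original post: the two snort.conf edits from the steps above (dropping the old rule includes, then appending the three PulledPork-managed ones) as one re-runnable shell function that keeps $RULE_PATH literal in the file. The function name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. The function name is hypothetical.

# Rewrite CONF so its only rule includes are the three files PulledPork maintains.
# Safe to run repeatedly: old rule includes are dropped before the new ones are added.
point_snort_at_pulledpork() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "${conf}.XXXXXX") || return 1

    # Single quotes keep the shell from expanding $RULE_PATH; Snort itself
    # resolves it from the "var RULE_PATH" line. Includes that do not start
    # with $RULE_PATH/ (classification.config etc.) and commented lines stay.
    if ! sed '/^include \$RULE_PATH\//d' "$conf" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    for f in snort.rules local.rules so_rules.rules; do
        printf 'include $RULE_PATH/%s\n' "$f" >> "$tmp"
    done

    # Keep the first backup only, so a second run cannot overwrite the original.
    [ -e "$conf.bak" ] || cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so the file keeps its owner and mode
    # (mktemp creates the temporary file as 0600).
    cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Stand-alone use: sh this-file /usr/local/snort/etc/snort.conf
if [ $# -gt 0 ]; then
    point_snort_at_pulledpork "$1"
fi
```

Check the result with grep '^include' on the configuration file: every rule include should still show the literal text $RULE_PATH rather than a bare /snort.rules path.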

For more information about PulledPork go to

Lahav Savir

Founder and CTO, Cloud Platforms
