PulledPork is an opensource perl script that can automatically update Snort rules.
- Snort installation
- Install perl modules
- On CentOS
yum install perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y
- On Ubuntu
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y
- Download and extract PulledPork
cd /usr/local/src/snort wget https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz cd /usr/local/snort tar zxvf /usr/local/src/snort/pulledpork.tar.gz mv pulledpork-0.6.1 pulledpork
- Generate Oinkcode at Snort web site
- If you are not already register to snort web site so do it now at https://www.snort.org/signup
- Login to Snort web site
- Go to Snort home page and Click on “Get Snort Oinkcode” at the bottom in “Snort Links” section
- Click Generate Code and copy your new Oinkcode
- Change the following in PulledPork configuration file
... rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|paste here your Oinknumber # get the rule docs! #rule_url=https://www.snort.org/reg-rules/|opensource.gz| #rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open # THE FOLLOWING URL is for etpro downloads, note the tarball name change! # and the et oinkcode requirement! #rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz| ... rule_path=/usr/local/snort/etc/rules/snort.rules ... local_rules=/usr/local/snort/etc/rules/local.rules # Where should I put the sid-msg.map file? sid_msg=/usr/local/snort/etc/sid-msg.map ... # Path to the snort binary, we need this to generate the stub files snort_path=/usr/local/snort/bin/snort # We need to know where your snort.conf file lives so that we can # generate the stub files config_path=/usr/local/snort/etc/snort.conf # This is the file that contains all of the shared object rules that pulledpork # has processed, note that this has changed as of 0.4.0 just like the rules_path! sostub_path=/usr/local/snort/etc/rules/so_rules.rules ... distro=Ubuntu-10.04 # For CentOS 6.x you can use RHEL-6-0 ... pid_path=/var/run/snort_eth0.pid ...
- Change RULE_PATH variable in snort configuration file
... var RULE_PATH /usr/local/snort/etc/rules ...
- Remove all snort include rules files
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
- Add the following include files to snort configuration file
echo "include $RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf echo "include $RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf echo "include $RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
- Create rules directory
- Create your local rules file
- If you have one, copy it
cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
- If you don’t have local rules file then create an empty one
- Run PulledPork for the first time
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
- Schedule PulledPork to run every day. Add the following line to the end of crontab file
... 0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf ...
PulledPork installation completed. Now every day PulledPoled will run and update your rules files from Snort site.
For more information about PulledPork go to https://code.google.com/p/pulledpork/.