Installing Pulledpork for SnortDate: 2015-10-07 13:15:09
Pulledpork is a Perl script that helps you to download recent rule tarballs and compile them into files that snort can use.
To download Pulledpork, we simply clone its github directory:
To run it, we need some additional Perl libraries. It's advised you just install your distributions packets to make sure that the libs will work with your Perl version:
Pulledpork comes with its own config file. An example can be found in ./etc which we just edit to our needs.
The first thing we do is copying this file to /etc or whereever we like to have it.
The most important options to configure are your rule tarballs and IP-Blacklists. You also have to point to the correct snort directories.
Some URLs are already in the examples. For some you need an Oink-Code. There are two types of Oink-Codes: A "registered" and a "subscription" one. The "registered" is free of charge but one month old, you just need to register and login on snort.org to get your code. The "subscription" code gets you access to their paid service of rule collection which contains the most recent rules. There is also an Opensource collection that's created and maintained by the Snort community. If you don't want to register anywhere, you can stick with that. You usually just need one rule collection of these, because the higher levels will include the less exclusive versions. So, if you use registered, you would get all Opensource rules but not those included in the subscription package.
There are also some other providers of Snort rules for instance emergingthreats.net and talosintel.com and you can decide on getting those rules too. However, be aware that the more rules you get, the higher the number of false positives could be. But on the other hand you raise your security level because you will be covering and detecting more possible threats.
Optimizing and writing rulesets can be a complex issue and there are book chapters filled with instructions. An optimal IDS will have a great coverage of threat detection and a low amount of false positives bothering your alerts.
Note that the URLs and filenames will change periodically. So if pulledpork stops working and produces error, try to update from the latest git source.
We collect all our rules into one file named snort.rules. So we edit pulledpork.conf
Pulledpork can create sid-msg.map entries for your own rules. We point to the rule file(s), in our case local.rules, and pulledpork will process sid-msg.map for us. Note that Pulledpork overwrites the map file, so when you entered your own mapping there, you will have to specify your .rule file otherwise your sid-msg mapping would be gone after Pulledpork processed all rules.
After everything is set, you can start a first run
Now, as Pulledpork processed all rules and created snort.rules, you have to include it in your snort.conf:
A cronjob for Pulledpork
If we want to have our rules up to date, we do best with a cronjob that automatically starts the whole process of updating all rules.