Installing Pulledpork for Snort

Date: 2015-10-07 13:15:09

Pulledpork is a Perl script that downloads the current rule tarballs, merges them and writes them out as rule files that Snort can load.

To download Pulledpork, simply clone its GitHub repository:

git clone https://github.com/shirkdog/pulledpork.git

To run it, we need some additional Perl modules. It is advisable to install them from your distribution's packages, so that they are built against the system Perl:

apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl

Pulledpork ships with an example config file in ./etc of the checkout, which we edit to our needs.

The first thing we do is copy this file to /etc, or wherever we prefer to keep it:

mkdir /etc/pulledpork
cd pulledpork
cp etc/* /etc/pulledpork

Configuring Pulledpork

The most important options to configure are the rule tarballs and IP blacklists you want to fetch. You also have to point Pulledpork at the correct Snort directories.

Some URLs are already present in the example config. For some of them you need an Oinkcode. There are two kinds of Oinkcode: a "registered" and a "subscription" one. The registered ruleset is free of charge but a month old; you only need to register and log in on snort.org to get your code. The subscription code gives you access to the paid ruleset, which contains the most recent rules. There is also a community ruleset, created and maintained by the Snort community; if you don't want to register anywhere, you can stick with that. You normally need only one of these collections, because each higher tier includes the less exclusive ones. So with the registered ruleset you get all community rules, but not the rules that are only in the subscription package.

There are other providers of Snort rules as well, for instance emergingthreats.net and talosintel.com, and you can fetch those rules too. Be aware, however, that the more rules you load, the more false positives you may get. On the other hand you cover and detect more possible threats.

Optimizing and writing rulesets is a complex topic and there are whole book chapters on it. An optimal IDS has broad threat coverage and a low number of false positives cluttering your alerts.

Note that the URLs and filenames change periodically. If Pulledpork stops working and produces errors, first try updating to the latest git source.

vim /etc/pulledpork/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|< YOUR OINK HERE 123 >

We collect all our rules into one file named snort.rules, so we set rule_path in pulledpork.conf accordingly:

vim /etc/pulledpork/pulledpork.conf
rule_path=/etc/snort/rules/snort.rules

Pulledpork can also create sid-msg.map entries for your own rules. Point local_rules at the rule file(s), in our case local.rules, and Pulledpork will include them when it writes sid-msg.map. Note that Pulledpork overwrites the map file on every run, so if you have added your own mappings there, you have to list your .rules file here; otherwise your sid-msg mappings will be gone after the next run.

local_rules=/etc/snort/rules/local.rules

After everything is set, do a first run (the script is called from /usr/local/bin here, so copy pulledpork.pl from the checkout to that directory first):

/usr/bin/perl /usr/local/bin/pulledpork.pl -c /etc/pulledpork/pulledpork.conf

Now that Pulledpork has processed all rules and created snort.rules, you have to include that file in your snort.conf:

vim /etc/snort/snort.conf
include $RULE_PATH/snort.rules # Fetched by Pulledpork

A cronjob for Pulledpork

If we want to keep our rules up to date, the best option is a cronjob that runs the whole update automatically. Keep in mind that Snort reads its rules at startup, so a running instance only picks up the new snort.rules after a restart or reload.

crontab -e
# Run pulledpork every 6 hours
0 */6 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl -c /etc/pulledpork/pulledpork.conf -l
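Calling pulledpork.pl straight from cron means a failed or truncated download, or a rule that Snort cannot parse, is only noticed when Snort next fails to start. The wrapper below is an added example for this page and is not part of Pulledpork or Snort: it backs up the current snort.rules, runs Pulledpork, test-loads the result with snort -T and only then sends SIGHUP to the running Snort (which is what Pulledpork's own -H option does with the pids in pid_path); if any step fails, the previous ruleset is put back. The snort binary path, the pid file and the log location are assumptions; the other paths are the ones used in this tutorial.

```shell
#!/bin/sh
# update-snort-rules.sh: wrapper for the Pulledpork cron job.
# Added example for this page; not part of Pulledpork or Snort.
# Backs up snort.rules, runs Pulledpork, test-loads the result with
# "snort -T" and only then signals the running Snort. On any failure the
# previous ruleset is restored, so a bad update never leaves the sensor
# without a loadable ruleset.
#
# Assumed paths (same as in the tutorial; adjust to your installation):
PULLEDPORK="${PULLEDPORK:-/usr/local/bin/pulledpork.pl}"
PP_CONF="${PP_CONF:-/etc/pulledpork/pulledpork.conf}"
SNORT_BIN="${SNORT_BIN:-/usr/sbin/snort}"           # assumption
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES="${RULES:-/etc/snort/rules/snort.rules}"
PID_FILE="${PID_FILE:-/var/run/snort_eth0.pid}"       # assumption
LOG="${LOG:-${TMPDIR:-/tmp}/snort-rule-update.log}"   # assumption

# The two external commands live in variables so a dry run can replace
# them with stubs; they are executed through "sh -c".
PP_CMD="${PP_CMD:-/usr/bin/perl $PULLEDPORK -c $PP_CONF -l}"
TEST_CMD="${TEST_CMD:-$SNORT_BIN -T -c $SNORT_CONF}"

# A successful Pulledpork run leaves a non-empty file containing at least
# one rule line; an empty or truncated download fails this check.
ruleset_looks_sane() {
    [ -s "$1" ] || return 1
    grep -Eq '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1"
}

# Run Pulledpork and check what it wrote to rule_path.
fetch_rules() {
    sh -c "$PP_CMD" >>"$LOG" 2>&1 || return 1
    ruleset_looks_sane "$RULES"
}

# "snort -T" parses the configuration and every included rule file and
# exits non-zero if anything does not load; its output goes to the log.
config_parses() {
    sh -c "$TEST_CMD" >>"$LOG" 2>&1
}

# Snort 2.x restarts itself on SIGHUP and thereby re-reads the rules.
reload_snort() {
    [ -r "$PID_FILE" ] || return 0   # nothing running, nothing to reload
    kill -HUP "$(cat "$PID_FILE")"
}

# Returns 0 when the new ruleset is live, 1 when the old one was restored.
update_rules() {
    backup="$RULES.prev"
    [ -f "$RULES" ] && cp -p "$RULES" "$backup"
    if fetch_rules && config_parses; then
        reload_snort
        return 0
    fi
    echo "rule update failed, see $LOG; restoring previous ruleset" >&2
    [ -f "$backup" ] && cp -p "$backup" "$RULES"
    return 1
}

# Cron entry (every 6 hours):
# 0 */6 * * * /usr/local/bin/update-snort-rules.sh run
case "${1:-}" in
    run) update_rules ;;
esac
```

The script only acts when called with the argument run, so the cron line above replaces the direct pulledpork.pl entry. The rollback copies the old snort.rules back into place but does not touch sid-msg.map, which Pulledpork also rewrites; if your alert pipeline depends on the map, back that file up the same way.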