Pulledpork
Description
PulledPork is a rule manager for Snort and Suricata. It automates downloading and installing/updating your VRT Snort rules, Shared Object rules or Emerging Threats rules.
Pulledpork features include:
- Automatic rule downloads using your Oinkcode
- MD5 verification prior to downloading new rulesets
- Full handling of Shared Object (SO) rules
- Generation of so_rule stub files
- Modification of ruleset state (disabling rules, etc)
The project is run by JJ Cummings of Sourcefire.
Installation
Prerequisites
Install these dependencies:
# apt-get install perl subversion
Install dependencies via CPAN:
# perl -MCPAN -e 'install Crypt::SSLeay'
# perl -MCPAN -e 'install LWP::Simple'
or via packages:
# aptitude install libcrypt-ssleay-perl
# aptitude install liblwp-protocol-https-perl
Installation of PulledPork
From Subversion repository
This is the recommended method since it ensures you get the latest version.
$ cd /data/src/
$ svn checkout http://pulledpork.googlecode.com/svn/trunk/ pulledpork-read-only
Copy necessary files:
$ cd /data/src/pulledpork-read-only/
# cp pulledpork.pl /usr/local/bin/
# mkdir -p /usr/local/etc/pulledpork/
# cp etc/* /usr/local/etc/pulledpork/
Make pulledpork executable:
# chmod +x /usr/local/bin/pulledpork.pl
From tarball
Download and uncompress:
$ cd /data/src/
$ wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
$ tar xzvf pulledpork-0.6.1.tar.gz
Copy necessary files:
$ cd /data/src/pulledpork-0.6.1/
# cp pulledpork.pl /usr/local/bin/
# mkdir -p /usr/local/etc/pulledpork/
# cp etc/* /usr/local/etc/pulledpork/
Make pulledpork executable:
# chmod +x /usr/local/bin/pulledpork.pl
Configuration
Now that all configuration files have been copied to /usr/local/etc/pulledpork/, at least pulledpork.conf must be configured.
Edit the configuration file:
$ sudo vim /usr/local/etc/pulledpork/pulledpork.conf
Provide pulledpork with the rule_url entries you need (VRT Snort rules and Emerging Threats rules, free and commercial editions). Note that SO rules need additional settings, which are explained further down in the configuration file.
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
Specify the path of your rules:
rule_path=/usr/local/etc/snort/rules/snort.rules
If you are running local rules, uncomment this and update the path:
local_rules=/usr/local/etc/snort/rules/local.rules
Specify the path where to place map files:
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map
# Where do you want me to put the sid changelog? This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/snort/sid_changes.log
Everything that follows concerns only Shared Object (SO) rules. If you don't use them, comment out all of these lines.
# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf
# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules
# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
# OpenSUSE-11-3
distro=Debian-Lenny
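The settings above are easy to get subtly wrong (a rule_url left with its <oinkcode> placeholder, a sorule_path without the trailing slash, sostub_path pointing at the same file as rule_path, a distro name that is not in the valid list). The following POSIX sh script is an added example, not part of the PulledPork project, that checks a pulledpork.conf for exactly these mistakes before you run pulledpork. It assumes the key names shown above and only uses grep, sed and mktemp; the two sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not PulledPork's own code): sanity-check a pulledpork.conf.
# Valid distro names are the ones listed in the configuration file above.
VALID_DISTROS="Debian-Lenny Ubuntu-6.01.1 Ubuntu-8.04 CentOS-4.6 Centos-4-8 CentOS-5.0 Centos-5-4 FC-5 FC-9 FC-11 FC-12 RHEL-5.0 FreeBSD-6.3 FreeBSD-7-2 FreeBSD-7-3 FreeBSD-7.0 FreeBSD-8-0 FreeBSD-8-1 OpenSUSE-11-3"

# conf_get CONF KEY: value of the last uncommented KEY=value line (empty if none)
conf_get() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed "s/^[[:space:]]*$2=//"
}

# check_pulledpork_conf CONF: prints one line per problem, returns 1 if any found
check_pulledpork_conf() {
    conf=$1
    problems=0

    # 1. a rule_url that still carries the <oinkcode> / <et oinkcode> placeholder
    if grep -q '^[[:space:]]*rule_url=.*<[a-z ]*oinkcode>' "$conf"; then
        echo "rule_url still contains an <oinkcode> placeholder"
        problems=$((problems + 1))
    fi
    # 2. every rule_url should be fetched over https (authenticated transport)
    if grep '^[[:space:]]*rule_url=' "$conf" | grep -qv '^[[:space:]]*rule_url=https://'; then
        echo "a rule_url entry does not use https://"
        problems=$((problems + 1))
    fi
    # 3. required output paths
    for key in rule_path sid_msg; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "$key is not set"
            problems=$((problems + 1))
        fi
    done
    # 4. SO rule settings, only checked when sorule_path is uncommented
    sorule_path=$(conf_get "$conf" sorule_path)
    if [ -n "$sorule_path" ]; then
        case $sorule_path in
            */) ;;
            *) echo "sorule_path needs a trailing slash"; problems=$((problems + 1)) ;;
        esac
        # the stub file (-t / sostub_path) must differ from the rules file (-o / rule_path)
        if [ "$(conf_get "$conf" sostub_path)" = "$(conf_get "$conf" rule_path)" ]; then
            echo "sostub_path must differ from rule_path"
            problems=$((problems + 1))
        fi
        distro=$(conf_get "$conf" distro)
        case " $VALID_DISTROS " in
            *" $distro "*) ;;
            *) echo "distro '$distro' is not a valid distro type"; problems=$((problems + 1)) ;;
        esac
    fi

    [ "$problems" -eq 0 ]
}

# Constructed sample configurations for the demonstration (oinkcode is fake).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/good.conf" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_path=/usr/local/etc/snort/rules/snort.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
sorule_path=/usr/local/lib/snort_dynamicrules/
sostub_path=/usr/local/etc/snort/rules/so_rules.rules
distro=Debian-Lenny
EOF
cat > "$tmpdir/bad.conf" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open
rule_path=/usr/local/etc/snort/rules/snort.rules
# sid_msg left unset on purpose
sorule_path=/usr/local/lib/snort_dynamicrules
sostub_path=/usr/local/etc/snort/rules/snort.rules
distro=Debian-Squeeze
EOF

for f in "$tmpdir/good.conf" "$tmpdir/bad.conf"; do
    if check_pulledpork_conf "$f"; then echo "$f: OK"; else echo "$f: problems found"; fi
done
```

Run it as `sh check-pulledpork-conf.sh`; the good configuration passes and the bad one reports six problems. To check your real file, call check_pulledpork_conf /usr/local/etc/pulledpork/pulledpork.conf instead of the sample files.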
Usage
Syntax
$ ./pulledpork.pl [options]
Options
- -b <path_to_dropsid.conf>
- Where the dropsid config file lives.
- -C <path_to_snort.conf>
- Path to your snort.conf
- -c <config_file>
- Where the pulledpork config file lives.
- -D <distro>
- What Distro are you running on, for the so_rules
- Valid Distro Types:
- Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
- CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
- FC-5, FC-9, FC-11, FC-12, RHEL-5.0
- FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
- -d
- Do not verify signature of rules tarball, i.e. downloading from non-VRT or non-ET locations.
- -E
- Write ONLY the enabled rules to the output files.
- -e <path_to_enablesid.conf>
- Where the enablesid config file lives.
- -g
- Grabonly (download tarball rule file(s) and do NOT process)
- -H
- Send a SIGHUP to the pids listed in the config file
- -h <path_to_changelog>
- Path to the sid_changelog, if you want to keep one
- -help/?
- Print this help info.
- -I <security|connectivity|balanced>
- Specify a base ruleset (-I security, connectivity, or balanced; see README.RULESET)
- -i <path_to_disablesid.conf>
- Where the disablesid config file lives.
- -K <directory for separate rules files>
- Where (what directory) do you want me to put the separate rules files?
- -k
- Keep the rules in separate files (using same file names as found when reading)
- -L <path_to_local.rules>
- Where do you want to read your local.rules for inclusion in sid-msg.map
- -l
- Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)
- -M <path to modifysid.conf>
- Where the modifysid config file lives.
- -m <path_to_sid-msg.map>
- Where do you want to put the sid-msg.map file?
- -n
- Do everything other than download of new files (disablesid, etc)
- -O <oinkcode>
- What is your Oinkcode?
- -o <rule_output_path>
- Where do you want to put generic rules file?
- -p <path_to_snort>
- Path to your Snort binary
- -R
- When processing enablesid, return the rules to their ORIGINAL state
- -r <path to docs folder>
- Where do you want to put the reference files (xxxx.txt)
- -S <SnortVer>
- What version of Snort are you using (2.8.6 and 2.9.0 are valid values)
- -s <so_rule output directory>
- Where do you want to put the so_rules?
- -T
- Process text based rules files only, i.e. DO NOT process so_rules
- -t <sostub output path>
- Where do you want to put the so_rule stub files?
- This MUST be uniquely different from the -o option value
- -u <path_to_rules_tarball>
- Where do you want to pull the rules tarball from (ET, Snort.org, see pulledpork config rule_url option for value ideas)
- -V
- Print Version and exit
- -v
- Verbose mode, you know.. for troubleshooting and such nonsense.
- -vv
- EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
Usage Example
Provided you have entered all necessary parameters in the /usr/local/etc/pulledpork/pulledpork.conf file, the simplest usage is as follows:
$ perl /usr/local/bin/pulledpork.pl \
    -c /usr/local/etc/pulledpork/pulledpork.conf \
    -o /usr/local/etc/snort/rules/snort.rules
If you get an error, refer to the Errors section below.
Automate Pulledpork
Edit your crontab:
$ crontab -e
And add the following line (this example checks for new rules every day at 2:30am):
30 2 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl -c /usr/local/etc/pulledpork/pulledpork.conf -o /usr/local/etc/snort/rules/snort.rules
Errors
403 error
If you have such an error, just wait 15 minutes and try again:
A 403 error occurred, please wait for the 15 minute timeout to expire before trying again or specify the -n runtime switch
You may also wish to verfiy your oinkcode, tarball name, and other configuration options
500 error
If you have such an error while issuing the command with the -vv parameter:
500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames
Then set this environment variable (the directory holding the CA certificates Crypt::SSLeay needs to verify the server's certificate):
export HTTPS_CA_DIR=/usr/share/ca-certificates/
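The cron entry from the "Automate Pulledpork" section and the two errors above fit together in one wrapper script. The POSIX sh script below is an added example, not part of the PulledPork project: it exports HTTPS_CA_DIR so Crypt::SSLeay can verify www.snort.org (the 500 error), refuses to start a new download within the 15 minute window snort.org enforces (the 403 error), and uses an atomic mkdir lock so two cron runs never overlap. STATE_DIR, PULLEDPORK, MIN_INTERVAL and the run argument are names assumed for this example; the command stored in PULLEDPORK is the one from the cron line above with -l added so results reach syslog.

```shell
#!/bin/sh
# Added example (not PulledPork's own code): cron wrapper for pulledpork.pl.
# Install as /usr/local/bin/pulledpork-update.sh and call it with the
# argument "run" from cron:  30 2 * * * /usr/local/bin/pulledpork-update.sh run

STATE_DIR=${STATE_DIR:-/var/lib/pulledpork}          # assumed location for stamp and lock
MIN_INTERVAL=${MIN_INTERVAL:-900}                    # 15 minute snort.org timeout, in seconds
PULLEDPORK=${PULLEDPORK:-"/usr/bin/perl /usr/local/bin/pulledpork.pl \
    -c /usr/local/etc/pulledpork/pulledpork.conf \
    -o /usr/local/etc/snort/rules/snort.rules -l"}

# seconds_since_last_attempt STAMPFILE NOW: elapsed seconds since the recorded
# attempt; reports MIN_INTERVAL when no attempt has been recorded yet
seconds_since_last_attempt() {
    if [ -r "$1" ]; then
        last=$(cat "$1")
        echo $(($2 - last))
    else
        echo "$MIN_INTERVAL"
    fi
}

# too_soon STAMPFILE NOW: true when the last attempt is less than MIN_INTERVAL old
too_soon() {
    [ "$(seconds_since_last_attempt "$1" "$2")" -lt "$MIN_INTERVAL" ]
}

# run_pulledpork_update [NOW]: 0 on success, 2 when the run is skipped
# (too soon after the previous attempt, or another run holds the lock),
# otherwise the exit status of pulledpork.pl. NOW defaults to the current time.
run_pulledpork_update() {
    now=${1:-$(date +%s)}
    stamp="$STATE_DIR/last_attempt"
    lock="$STATE_DIR/run.lock"
    mkdir -p "$STATE_DIR"

    if too_soon "$stamp" "$now"; then
        echo "skipping: last attempt less than $MIN_INTERVAL s ago" >&2
        return 2
    fi
    # mkdir is atomic, so only one concurrent run can create the lock directory
    if ! mkdir "$lock" 2>/dev/null; then
        echo "skipping: another run holds $lock" >&2
        return 2
    fi
    # record the attempt before downloading so a failed run also honours the window
    echo "$now" > "$stamp"
    # CA certificate directory for Crypt::SSLeay hostname verification (500 error fix)
    HTTPS_CA_DIR=${HTTPS_CA_DIR:-/usr/share/ca-certificates/}
    export HTTPS_CA_DIR
    $PULLEDPORK
    status=$?
    rmdir "$lock"
    return "$status"
}

# Only act when invoked with "run", so sourcing the file defines the functions
# without starting a download.
case ${1:-} in
    run) run_pulledpork_update ;;
esac
```

Because the attempt is stamped before the download starts, a run that hits the 403 rate limit does not trigger a second, equally doomed attempt a minute later; re-running by hand while the stamp is fresh is still possible with the -n switch described in the Errors section, which downloads nothing.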