OS: CentOS-6.2 i386, Ubuntu 12.04 x86_64 LTS, Ubuntu 10.04 x86_64 LTS, Ubuntu 11.10 i386
Snort Version: 2.9.2.2 IPv6 GRE (Build 121)
Hardware: VirtualBox 4.1.12
About
PulledPork is an open-source Perl script that automatically downloads and updates Snort rules.
Prerequisite
- Snort installation
- Install perl modules
- On CentOS
yum install perl-libwww-perl perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y
- On Ubuntu
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y
Install PulledPork
- Download and extract PulledPork
cd /usr/local/src/snort
wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz
cd /usr/local/snort
tar zxvf /usr/local/src/snort/pulledpork.tar.gz
mv pulledpork-0.6.1 pulledpork
- Generate Oinkcode at Snort web site
- If you are not already registered at the Snort web site, do it now at https://www.snort.org/signup
- Login to Snort web site
- Go to the Snort home page and click “Get Snort Oinkcode” at the bottom of the “Snort Links” section
- Click Generate Code and copy your new Oinkcode
- Change the following settings in the PulledPork configuration file
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
...
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<paste your Oinkcode here>
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
...
rule_path=/usr/local/snort/etc/rules/snort.rules
...
local_rules=/usr/local/snort/etc/rules/local.rules
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map
...
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf
# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
...
distro=Ubuntu-10.04
# For CentOS 6.2 you can use RHEL-6-0
...
- Change the RULE_PATH variable in the Snort configuration file
vi /usr/local/snort/etc/snort.conf
...
var RULE_PATH /usr/local/snort/etc/rules
...
- Remove all existing rule include lines from the Snort configuration file (PulledPork writes the rules into the three files included in the next step)
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
- Add the following include lines to the Snort configuration file
echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
- Create the rules directory
mkdir /usr/local/snort/etc/rules
- Create your local rules file
- If you already have one, copy it
cp /usr/local/snort/rules/local.rules /usr/local/snort/etc/rules/
- If you don’t have a local rules file, create an empty one
touch /usr/local/snort/etc/rules/local.rules
- Run PulledPork for the first time
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
- Schedule PulledPork to run every day by adding the following line to the end of the crontab file
vi /etc/crontab
...
0 0 * * * root /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
...
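The two edits above (pulledpork.conf and snort.conf) are where this setup usually goes wrong: the Oinkcode placeholder is left in rule_url, or the old per-file include lines survive and Snort refuses to start because PulledPork never writes those files. The following pre-flight check is an added example, not PulledPork's own code; the function names are mine, the paths and keys are the ones used on this page, and the sample config files are constructed so it runs offline.

```shell
# Pre-flight checks for the PulledPork setup on this page (added example, not
# PulledPork's own code); paths and keys are the ones used above, sample files are constructed.
# snort.conf must define RULE_PATH and include exactly the three PulledPork-managed
# files; any other "include $RULE_PATH/..." line is a leftover that Snort will not find.
check_snort_conf() {
    conf="$1"
    grep -q '^var RULE_PATH ' "$conf" || { echo "RULE_PATH not set"; return 1; }
    for f in snort.rules local.rules so_rules.rules; do
        grep -qxF "include \$RULE_PATH/$f" "$conf" || { echo "missing include: $f"; return 1; }
    done
    stray=$(grep -F 'include $RULE_PATH/' "$conf" \
        | grep -v -E '/(snort|local|so_rules)\.rules$' | wc -l | tr -d ' ')
    [ "$stray" -eq 0 ] || { echo "$stray stray RULE_PATH include(s)"; return 1; }
}
# pulledpork.conf must have an active rule_url whose last "|" field (the Oinkcode)
# is filled in, plus the three output paths the snort.conf includes rely on.
check_pulledpork_conf() {
    conf="$1"
    url=$(grep '^rule_url=' "$conf" | head -n 1)
    [ -n "$url" ] || { echo "no active rule_url"; return 1; }
    case "${url##*|}" in
        ''|*' '*|*paste*) echo "Oinkcode not set in rule_url"; return 1 ;;
    esac
    for key in rule_path local_rules sostub_path; do
        grep -q "^$key=" "$conf" || { echo "$key not set"; return 1; }
    done
}
# Constructed samples: good and bad copies of each config in a temp dir (dir is echoed).
write_samples() {
    d=$(mktemp -d)
    cat > "$d/snort.conf.good" <<'EOF'
var RULE_PATH /usr/local/snort/etc/rules
include $RULE_PATH/snort.rules
include $RULE_PATH/local.rules
include $RULE_PATH/so_rules.rules
EOF
    { cat "$d/snort.conf.good"; echo 'include $RULE_PATH/old-example.rules'; } > "$d/snort.conf.bad"
    cat > "$d/pulledpork.conf.good" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|0123456789abcdef0123456789abcdef01234567
rule_path=/usr/local/snort/etc/rules/snort.rules
local_rules=/usr/local/snort/etc/rules/local.rules
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
EOF
    sed 's/|[0-9a-f]*$/|paste here your Oinknumber/' "$d/pulledpork.conf.good" > "$d/pulledpork.conf.bad"
    echo "$d"
}
SAMPLES=$(write_samples)
for f in snort.conf.good snort.conf.bad; do check_snort_conf "$SAMPLES/$f" && echo "$f: OK"; done
for f in pulledpork.conf.good pulledpork.conf.bad; do check_pulledpork_conf "$SAMPLES/$f" && echo "$f: OK"; done
```

To check a real installation, call check_snort_conf /usr/local/snort/etc/snort.conf and check_pulledpork_conf /usr/local/snort/pulledpork/etc/pulledpork.conf instead of the constructed samples.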
PulledPork installation is complete. PulledPork will now run every day and update your rules files from the Snort site.
For more information about PulledPork go to http://code.google.com/p/pulledpork/.