{"id":1071,"date":"2012-08-22T16:24:52","date_gmt":"2012-08-22T08:24:52","guid":{"rendered":"http:\/\/rmohan.com\/?p=1071"},"modified":"2012-08-22T16:25:50","modified_gmt":"2012-08-22T08:25:50","slug":"configure-snort-automatic-rules-updating-with-pulledpork","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=1071","title":{"rendered":"Configure Snort automatic rules updating with PulledPork"},"content":{"rendered":"<div>\n<p dir=\"LTR\">OS: CentOS-6.2 i386, Ubuntu 12.04 x86_64 LTS,\u00a0Ubuntu 10.04 x86_64 LTS, Ubuntu 11.10 i386<br \/> Snort Version:\u00a02.9.2.2 IPv6 GRE (Build 121)<br \/> Hardware: VirtualBox 4.1.12<\/p>\n<h1 dir=\"LTR\">About<\/h1>\n<p dir=\"LTR\">PulledPork is an open-source Perl script that automatically updates Snort rules.<\/p>\n<h1 dir=\"LTR\">Prerequisites<\/h1>\n<ul>\n<li><a title=\"101. Snort installation on Ubuntu 11.10 i386\" href=\"http:\/\/nachum234.no-ip.org\/?p=230\">Snort installation<\/a><\/li>\n<li>Install the required Perl modules\n<ul>\n<li>On CentOS<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre>yum install perl-libwww-perl perl-Crypt-SSLeay perl-Archive-Tar -y<\/pre>\n<ul>\n<ul>\n<li>On Ubuntu<\/li>\n<\/ul>\n<\/ul>\n<pre>apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y<\/pre>\n<h1 dir=\"LTR\">Install PulledPork<\/h1>\n<ul>\n<li>Download and extract PulledPork<\/li>\n<\/ul>\n<pre>cd \/usr\/local\/src\/snort\r\nwget http:\/\/pulledpork.googlecode.com\/files\/pulledpork-0.6.1.tar.gz -O pulledpork.tar.gz\r\ncd \/usr\/local\/snort\r\ntar zxvf \/usr\/local\/src\/snort\/pulledpork.tar.gz\r\nmv pulledpork-0.6.1 pulledpork<\/pre>\n<ul>\n<li>Generate an Oinkcode at the Snort web site\n<ul>\n<li>If you have not already registered at the Snort web site, do it now at\u00a0https:\/\/www.snort.org\/signup<\/li>\n<li>Log in to the Snort web site<\/li>\n<li>Go to the Snort home page and click \u201cGet Snort Oinkcode\u201d at the bottom, in the \u201cSnort Links\u201d section<\/li>\n<li>Click Generate Code 
and copy your new Oinkcode<\/li>\n<\/ul>\n<\/li>\n<li>Change the following settings in the PulledPork configuration file<\/li>\n<\/ul>\n<pre>vi \/usr\/local\/snort\/pulledpork\/etc\/pulledpork.conf<\/pre>\n<pre>...\r\nrule_url=https:\/\/www.snort.org\/reg-rules\/|snortrules-snapshot.tar.gz|YOUR_OINKCODE_HERE\r\n# get the rule docs!\r\n#rule_url=https:\/\/www.snort.org\/reg-rules\/|opensource.gz|\r\n#rule_url=https:\/\/rules.emergingthreats.net\/|emerging.rules.tar.gz|open\r\n# THE FOLLOWING URL is for etpro downloads, note the tarball name change!\r\n# and the et oinkcode requirement!\r\n#rule_url=https:\/\/rules.emergingthreats.net\/|etpro.rules.tar.gz|\r\n...\r\nrule_path=\/usr\/local\/snort\/etc\/rules\/snort.rules\r\n...\r\nlocal_rules=\/usr\/local\/snort\/etc\/rules\/local.rules\r\n\r\n# Where should I put the sid-msg.map file?\r\nsid_msg=\/usr\/local\/snort\/etc\/sid-msg.map\r\n...\r\n# Path to the snort binary, we need this to generate the stub files\r\nsnort_path=\/usr\/local\/snort\/bin\/snort\r\n\r\n# We need to know where your snort.conf file lives so that we can\r\n# generate the stub files\r\nconfig_path=\/usr\/local\/snort\/etc\/snort.conf\r\n\r\n# This is the file that contains all of the shared object rules that pulledpork\r\n# has processed, note that this has changed as of 0.4.0 just like the rules_path!\r\nsostub_path=\/usr\/local\/snort\/etc\/rules\/so_rules.rules\r\n...\r\n# For CentOS 6.2 you can use RHEL-6-0\r\ndistro=Ubuntu-10.04\r\n...<\/pre>\n<ul>\n<li>Change the RULE_PATH variable in the Snort configuration file<\/li>\n<\/ul>\n<pre>vi \/usr\/local\/snort\/etc\/snort.conf<\/pre>\n<pre>...\r\nvar RULE_PATH \/usr\/local\/snort\/etc\/rules\r\n...<\/pre>\n<ul>\n<li>Remove the existing $RULE_PATH include lines from the Snort configuration file<\/li>\n<\/ul>\n<pre dir=\"LTR\">sed -i '\/^include $RULE_PATH\/d' \/usr\/local\/snort\/etc\/snort.conf<\/pre>\n<ul>\n<li>Add the following include lines to the Snort configuration file<\/li>\n<\/ul>\n<pre dir=\"LTR\">echo \"include \\$RULE_PATH\/snort.rules\" &gt;&gt; \/usr\/local\/snort\/etc\/snort.conf\r\necho \"include \\$RULE_PATH\/local.rules\" &gt;&gt; \/usr\/local\/snort\/etc\/snort.conf\r\necho \"include \\$RULE_PATH\/so_rules.rules\" &gt;&gt; \/usr\/local\/snort\/etc\/snort.conf<\/pre>\n<ul>\n<li>Create the rules directory<\/li>\n<\/ul>\n<pre>mkdir \/usr\/local\/snort\/etc\/rules<\/pre>\n<ul>\n<li>Create your local rules file\n<ul>\n<li>If you already have one, copy it<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre>cp \/usr\/local\/snort\/rules\/local.rules \/usr\/local\/snort\/etc\/rules\/<\/pre>\n<ul>\n<ul>\n<li>If you don\u2019t have a local rules file, create an empty one<\/li>\n<\/ul>\n<\/ul>\n<pre>touch \/usr\/local\/snort\/etc\/rules\/local.rules<\/pre>\n<ul>\n<li>Run PulledPork for the first time<\/li>\n<\/ul>\n<pre dir=\"LTR\">\/usr\/local\/snort\/pulledpork\/pulledpork.pl -c \/usr\/local\/snort\/pulledpork\/etc\/pulledpork.conf<\/pre>\n<ul>\n<li>Schedule PulledPork to run every day by adding the following line to the end of the crontab file<\/li>\n<\/ul>\n<pre>vi \/etc\/crontab<\/pre>\n<pre>...\r\n0 0 * * * root \/usr\/local\/snort\/pulledpork\/pulledpork.pl -c \/usr\/local\/snort\/pulledpork\/etc\/pulledpork.conf\r\n...<\/pre>\n<p>PulledPork installation completed. 
Now PulledPork will run every day and update your rules files from the Snort site.<\/p>\n<p>For more information about PulledPork, go to\u00a0<a href=\"http:\/\/code.google.com\/p\/pulledpork\/\">http:\/\/code.google.com\/p\/pulledpork\/<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"\n<p dir=\"LTR\">OS: CentOS-6.2 i386, Ubuntu 12.04 x86_64 LTS, Ubuntu 10.04 x86_64 LTS, Ubuntu 11.10 i386 Snort Version: 2.9.2.2 IPv6 GRE (Build 121) Hardware: VirtualBox 4.1.12<\/p>\n<p> About <\/p>\n<p dir=\"LTR\">PulledPork is an opensource perl script that can automatically update Snort rules.<\/p>\n<p> Prerequisite Snort installation Install perl modules On CentOS yum install perl-libwww-perl perl-Crypt-SSLeay perl-libwww-perl perl-Archive-Tar -y [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1071"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1071"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1071\/revisions"}],"predecessor-version":[{"id":1074,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/1071\/revisions\/1074"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.
php?rest_route=%2Fwp%2Fv2%2Ftags&post=1071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}