Wednesday, 6 June 2012

Configure Snort automatic rules updating with PulledPork


About

PulledPork is an opensource perl script that can automatically update Snort rules.

 

Prerequisite

    • On Ubuntu

 

 Install PulledPork

  • Download and extract PulledPork
  • Generate Oinkcode at Snort web site
    • If you are not already register to snort web site so do it now at https://www.snort.org/signup
    • Login to Snort web site
    • Go to Snort home page and Click on “Get Snort Oinkcode” at the bottom in “Snort Links”  section
    • Click Generate Code and copy your new Oinkcode
  • Change the following in PulledPork configuration file



...
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|paste here your Oinknumber
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
...
rule_path=/usr/local/snort/etc/rules/snort.rules
...
local_rules=/usr/local/snort/etc/rules/local.rules

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map
...
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
...
distro=Ubuntu-10.04 # For CentOS 6.2 you can use RHEL-6-0
...
  • Change RULE_PATH variable in snort configuration file



...
var RULE_PATH /usr/local/snort/etc/rules
...
  • Remove all snort include rules files
  • Add the following include files to snort configuration file

echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
  • Create rules directory
  • Create your local rules file
    • If you have one, copy it
    • If you don’t have local rules file then create an empty one
  • Run PulledPork for the first time
  • Schedule PulledPork to run every day. Add the following line to the end of crontab file
PulledPork installation completed. Now every day PulledPoled will run and update your rules files from Snort site.

For more information about PulledPork go to http://code.google.com/p/pulledpork/.

No comments:

Post a Comment