Pulledpork

From aldeid

Description

PulledPork is a rule manager for Snort and Suricata. It automates downloading and installing/updating your VRT Snort rules, Shared Object rules or Emerging Threats rules.

Pulledpork features include:

  • Automatic rule downloads using your Oinkcode
  • MD5 verification prior to downloading new rulesets
  • Full handling of Shared Object (SO) rules
  • Generation of so_rule stub files
  • Modification of ruleset state (disabling rules, etc)

The project is run by JJ Cummings of Sourcefire.

Installation

Prerequisites

Install these dependencies:

# apt-get install perl subversion

Install dependencies via CPAN:

# perl -MCPAN -e 'install Crypt::SSLeay'
# perl -MCPAN -e 'install LWP::Simple'

or via packages:

# aptitude install libcrypt-ssleay-perl
# aptitude install liblwp-protocol-https-perl

Installation of PulledPork

From Subversion repository

This is the recommended method, since it ensures you get the latest version.

$ cd /data/src/
$ svn checkout http://pulledpork.googlecode.com/svn/trunk/ pulledpork-read-only

Copy necessary files:

$ cd /data/src/pulledpork-read-only/
# cp pulledpork.pl /usr/local/bin/
# mkdir -p /usr/local/etc/pulledpork/
# cp etc/* /usr/local/etc/pulledpork/

Make pulledpork executable:

# chmod +x /usr/local/bin/pulledpork.pl

From tarball

Download and uncompress:

$ cd /data/src/
$ wget http://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
$ tar xzvf pulledpork-0.6.1.tar.gz

Copy necessary files:

$ cd /data/src/pulledpork-0.6.1/
# cp pulledpork.pl /usr/local/bin/
# mkdir -p /usr/local/etc/pulledpork/
# cp etc/* /usr/local/etc/pulledpork/

Make pulledpork executable:

# chmod +x /usr/local/bin/pulledpork.pl

Configuration

Now that all configuration files have been copied into /usr/local/etc/pulledpork/, we must at least configure pulledpork.conf.

Edit the configuration file:

$ sudo vim /usr/local/etc/pulledpork/pulledpork.conf

Provide pulledpork with the rule URLs you need (VRT Snort rules and Emerging Threats rules, free and commercial editions). Note that SO rules have a dedicated configuration, explained further down in the configuration file.

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>

Specify the path of your rules:

rule_path=/usr/local/etc/snort/rules/snort.rules

If you are running local rules, uncomment this and update the path:

local_rules=/usr/local/etc/snort/rules/local.rules

Specify the path where to place map files:

# Where should I put the sid-msg.map file?
sid_msg=/usr/local/etc/snort/sid-msg.map
# Where do you want me to put the sid changelog?  This is a changelog
# that pulledpork maintains of all new sids that are imported
sid_changelog=/var/log/snort/sid_changes.log

Everything that follows only concerns SharedObject (SO) rules. If you don't use them, comment out all of these lines.

# What path you want the .so files to actually go to *i.e. where is it
# defined in your snort.conf, needs a trailing slash
sorule_path=/usr/local/lib/snort_dynamicrules/

# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/bin/snort

# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/etc/snort/snort.conf

# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/etc/snort/rules/so_rules.rules

# Define your distro, this is for the precompiled shared object libs!
# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
# OpenSUSE-11-3
distro=Debian-Lenny

Usage

Syntax

$ ./pulledpork.pl [options]

Options

-b <path_to_dropsid.conf>
Where the dropsid config file lives.
-C <path_to_snort.conf>
Path to your snort.conf
-c <config_file>
Where the pulledpork config file lives.
-D <distro>
What Distro are you running on, for the so_rules
Valid Distro Types:
  • Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
  • CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
  • FC-5, FC-9, FC-11, FC-12, RHEL-5.0
  • FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
-d
Do not verify signature of rules tarball, i.e. downloading from non VRT or ET locations.
-E
Write ONLY the enabled rules to the output files.
-e <path_to_enablesid.conf>
Where the enablesid config file lives.
-g
Grabonly (download tarball rule file(s) and do NOT process)
-H
Send a SIGHUP to the pids listed in the config file
-h <path_to_changelog>
path to the sid_changelog if you want to keep one?
-help/?
Print this help info.
-I <security|connectivity|balanced>
Specify a base ruleset( -I security,connectivity,or balanced, see README.RULESET)
-i <path_to_disablesid.conf>
Where the disablesid config file lives.
-K <directory for separate rules files>
Where (what directory) do you want me to put the separate rules files?
-k
Keep the rules in separate files (using same file names as found when reading)
-L <path_to_local.rules>
Where do you want to read your local.rules for inclusion in sid-msg.map
-l
Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)
-M <path to modifysid.conf>
Where the modifysid config file lives.
-m <path_to_sid-msg.map>
Where do you want to put the sid-msg.map file?
-n
Do everything other than download of new files (disablesid, etc)
-O <oinkcode>
What is your Oinkcode?
-o <rule_output_path>
Where do you want to put generic rules file?
-p <path_to_snort>
Path to your Snort binary
-R
When processing enablesid, return the rules to their ORIGINAL state
-r <path to docs folder>
Where do you want to put the reference files (xxxx.txt)
-S <SnortVer>
What version of snort are you using (2.8.6 or 2.9.0) are valid values
-s <so_rule output directory>
Where do you want to put the so_rules?
-T
Process text based rules files only, i.e. DO NOT process so_rules
-t <sostub output path>
Where do you want to put the so_rule stub files?
This MUST be uniquely different from the -o option value
-u <path_to_rules_tarball>
Where do you want to pull the rules tarball from (ET, Snort.org, see pulledpork config rule_url option for value ideas)
-V
Print Version and exit
-v
Verbose mode, you know.. for troubleshooting and such nonsense.
-vv
EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.

Usage Example

Provided you have entered all necessary parameters in /usr/local/etc/pulledpork/pulledpork.conf file, the simplest usage can be as follows:

$ perl /usr/local/bin/pulledpork.pl \
  -c /usr/local/etc/pulledpork/pulledpork.conf \
  -o /usr/local/etc/snort/rules/snort.rules

If you get an error, refer to the Errors section below.

Automate PulledPork

Edit your crontab:

$ crontab -e

and add the following line (this example checks for new rules every day at 2:30am):

30 2 * * * /usr/bin/perl /usr/local/bin/pulledpork.pl \
           -c /usr/local/etc/pulledpork/pulledpork.conf \
           -o /usr/local/etc/snort/rules/snort.rules
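A bare cron line gives you no record of whether a run succeeded, and it reloads nothing: the new rules sit on disk until Snort is restarted. The wrapper below is an added example (it is not part of PulledPork or of the original page) that illustrates two things from this page: the MD5 verification of a rules tarball against its ".md5" sidecar listed under the features, and the nightly cron run above. It runs pulledpork.pl with the page's paths, logs the outcome to syslog, and sends SIGHUP to Snort only when the generated snort.rules file actually changed. The pidfile location, the lock directory and the md5sum-style layout of the ".md5" sidecar (digest in the first field) are assumptions to adjust for your installation.

```shell
#!/bin/sh
# update-rules.sh -- cron wrapper around pulledpork.pl (added example, not part of PulledPork)
set -u

PULLEDPORK=/usr/local/bin/pulledpork.pl           # path from this page
PP_CONF=/usr/local/etc/pulledpork/pulledpork.conf  # path from this page
RULES=/usr/local/etc/snort/rules/snort.rules        # output file from this page
SNORT_PIDFILE=/var/run/snort.pid                    # assumption: where your Snort writes its pid
LOCK=/var/lock/pulledpork.lock                      # assumption: lock directory for this wrapper

# Print the MD5 hex digest of a file.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Return 0 when the digest in a ".md5" sidecar (first field, md5sum layout; assumption)
# matches the tarball's real digest. A tarball that fails this check must not be installed.
md5_matches() {
    file=$1; md5file=$2
    [ -f "$file" ] && [ -f "$md5file" ] || return 1
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    [ ${#expected} -eq 32 ] || return 1
    [ "$(md5_of "$file")" = "$expected" ]
}

# Send SIGHUP to the Snort process named in a pidfile so it re-reads its rules.
# Returns 1 if the pidfile is missing, unparsable, or names a process that is not running.
reload_snort() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || return 1
    kill -HUP "$pid"
}

main() {
    # Serialise runs: two overlapping cron jobs would race on the rules file.
    if ! mkdir "$LOCK" 2>/dev/null; then
        logger -t pulledpork "another run is in progress, skipping"
        exit 0
    fi
    trap 'rmdir "$LOCK"' EXIT

    if [ -f "$RULES" ]; then before=$(md5_of "$RULES"); else before=none; fi

    # The command line from this page, plus -l so pulledpork logs errors to syslog.
    perl "$PULLEDPORK" -c "$PP_CONF" -o "$RULES" -l
    rc=$?
    if [ "$rc" -ne 0 ]; then
        logger -t pulledpork "pulledpork.pl failed with exit code $rc, leaving Snort untouched"
        exit "$rc"
    fi

    after=$(md5_of "$RULES")
    if [ "$before" != "$after" ]; then
        logger -t pulledpork "rules changed ($before -> $after), reloading Snort"
        reload_snort "$SNORT_PIDFILE" || logger -t pulledpork "reload failed: check $SNORT_PIDFILE"
    else
        logger -t pulledpork "rules unchanged, no reload needed"
    fi
}

# Run main only when executed directly (e.g. from cron); sourcing the file just exposes the functions.
case "${0##*/}" in update-rules.sh) main "$@" ;; esac
```

Install it as /usr/local/bin/update-rules.sh and point the crontab entry at it instead of calling pulledpork.pl directly. If you list Snort's pids in pulledpork.conf, the -H option described above can send the SIGHUP for you; the wrapper's value is that it reloads only after a successful run that actually changed the rules, and that a failed run leaves the previous ruleset in place.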

Errors

403 error

If you have such an error, just wait 15 minutes and try again:

A 403 error occurred, please wait for the 15 minute timeout
to expire before trying again or specify the -n runtime switch
You may also wish to verfiy your oinkcode, tarball name, and other
configuration options

500 error

If you have such an error while issuing the command with the -vv parameter:

500 Can't connect to www.snort.org:443 (Crypt-SSLeay can't verify hostnames

then set this environment variable so that Crypt::SSLeay can find the system CA certificates and verify the server's certificate:

export HTTPS_CA_DIR=/usr/share/ca-certificates/
