Setting up Snort - Part 4 - Installing PulledPork

< Part 3 - Installing Snort | Part 5 - Installing Barnyard2 and MySQL >

1. Installing PulledPork

PulledPork lets us fetch up-to-date rule definitions as new vulnerabilities and exploits are discovered and disclosed.

1.1 Install Build Dependencies

# sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl

1.2 Install PulledPork

At the time of writing, 0.7.0 is the latest release. Update the version number below when a new release comes out.

# cd ~/snort_src
# wget https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
# tar zxvf pulledpork-0.7.0.tar.gz
# cd pulledpork-0.7.0/
# sudo cp pulledpork.pl /usr/local/bin
# sudo chmod +x /usr/local/bin/pulledpork.pl
# sudo cp etc/*.conf /etc/snort

1.3 Initialize PulledPork

# sudo mkdir /etc/snort/rules/iplists
# sudo touch /etc/snort/rules/iplists/default.blacklist

1.4 Test PulledPork installation

Run the following command, and verify the expected output.

# /usr/local/bin/pulledpork.pl -V

Output

PulledPork v0.7.0 - Swine Flu!

2. Setting up PulledPork

2.1 Obtain an Oinkcode

You need an account on snort.org: the Oinkcode tied to that account is what lets PulledPork automatically download and apply the latest rules generated by the community.

2.2 Configuring PulledPork

With your Oinkcode in hand, edit /etc/snort/pulledpork.conf to configure your PulledPork installation.

Note that future releases may add extra lines, so the line numbers below may be off.

The code blocks below are in the following format:

Line Number: Line Contents

Replace <oinkcode> with your Oinkcode.

19: rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
26: rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>

Update the file paths in the lines below.

72: rule_path=/etc/snort/rules/snort.rules
87: local_rules=/etc/snort/rules/local.rules
90: sid_msg=/etc/snort/sid-msg.map
117: config_path=/etc/snort/snort.conf
131: distro=Ubuntu-10-4
139: black_list=/etc/snort/rules/iplists/default.blacklist
148: IPRVersion=/etc/snort/rules/iplists
194: enablesid=/etc/snort/enablesid.conf
195: dropsid=/etc/snort/dropsid.conf
196: disablesid=/etc/snort/disablesid.conf
197: modifysid=/etc/snort/modifysid.conf
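Before running PulledPork for the first time it is worth checking the edited config for the two mistakes that most often cause the first run to fail: an <oinkcode> placeholder left in a rule_url line, and a path setting that points at a file or directory that does not exist. The script below is an added example written for this tutorial; it is not part of PulledPork. It reads the same keys edited above, treats config_path, local_rules, black_list and the four *sid files as inputs that must already exist, and treats rule_path and sid_msg as outputs whose parent directory must exist (PulledPork creates the files themselves on the first run).

```sh
#!/bin/sh
# Added example for this tutorial (not part of PulledPork): sanity-check a
# pulledpork.conf before the first run. Catches an <oinkcode> placeholder that
# was never replaced and path settings pointing at missing files/directories.
# Key names are the ones edited in section 2.2 of this page.

# Print the value of the first uncommented "key=value" line in a conf file.
# Anchoring at line start skips the commented-out examples (#key=...) in the file.
value_of() {
    grep "^$1=" "$2" | head -n 1 | cut -d= -f2-
}

# Usage: check_pulledpork_conf /etc/snort/pulledpork.conf
# Exit status: 0 when no problems were found, 1 otherwise.
check_pulledpork_conf() {
    conf="$1"
    problems=0

    if [ ! -r "$conf" ]; then
        echo "cannot read $conf" >&2
        return 1
    fi

    # 1. rule_url lines that still carry the <oinkcode> placeholder.
    if grep -n '^rule_url=.*<oinkcode>' "$conf" >/dev/null; then
        echo "ERROR: a rule_url line still contains <oinkcode>; paste your Oinkcode" >&2
        problems=$((problems + 1))
    fi

    # 2. Files PulledPork reads must already exist.
    for key in config_path local_rules black_list enablesid dropsid disablesid modifysid; do
        v=$(value_of "$key" "$conf")
        [ -n "$v" ] || continue
        if [ ! -f "$v" ]; then
            echo "ERROR: $key=$v does not exist" >&2
            problems=$((problems + 1))
        fi
    done

    # 3. Files PulledPork writes need an existing parent directory.
    for key in rule_path sid_msg; do
        v=$(value_of "$key" "$conf")
        [ -n "$v" ] || continue
        if [ ! -d "$(dirname "$v")" ]; then
            echo "ERROR: directory for $key=$v does not exist" >&2
            problems=$((problems + 1))
        fi
    done

    # 4. IPRVersion is itself a directory (the iplists dir created in 1.3).
    v=$(value_of IPRVersion "$conf")
    if [ -n "$v" ] && [ ! -d "$v" ]; then
        echo "ERROR: IPRVersion=$v is not a directory" >&2
        problems=$((problems + 1))
    fi

    echo "$problems problem(s) found in $conf"
    [ "$problems" -eq 0 ] && return 0
    return 1
}

# Check the file given on the command line when run directly.
if [ "$#" -gt 0 ]; then
    check_pulledpork_conf "$1"
fi
```

Run it as `sh check-pulledpork-conf.sh /etc/snort/pulledpork.conf`; a non-zero exit status with the ERROR lines on stderr tells you which line to go back and fix before section 2.3.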

2.3 Running PulledPork for the first time

Let us test that the config changes work.

If you receive error messages, double-check that you put the right Oinkcode in lines 19 and 26 and that the other edited lines point at the correct conf file paths.

# sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

If all goes well, PulledPork will have consolidated all rules into one file at /etc/snort/rules/snort.rules.

At the time of writing, the file size was around 12 MB.

We now need to tell Snort to use this rules file.

Edit /etc/snort/snort.conf.

On a new line at the end of the file, add the following:

include $RULE_PATH/snort.rules

Test the new Snort configuration. Stop any other instances of Snort you may have running first.

# sudo snort -T -c /etc/snort/snort.conf

2.4 Schedule PulledPork with cron

Schedule PulledPork in crontab so it runs daily, or as often as you like.

# sudo crontab -e

Add the following line.

01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

This cron notation means run PulledPork at 4:01 am daily.

Feel free to adjust the time as appropriate.
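One caveat with calling pulledpork.pl straight from cron: nothing checks the freshly written snort.rules, so a truncated download or a rule that Snort cannot parse sits there until the next restart fails. The wrapper below is an added example for this tutorial, not part of PulledPork or Snort. It keeps a copy of the previous snort.rules, runs PulledPork, then runs the same `snort -T` check as section 2.3; if that check fails it puts the previous rules back. The default paths follow this tutorial; the snort binary is assumed to be on PATH and the log path is an assumption, all overridable through the variables at the top.

```sh
#!/bin/sh
# Added example for this tutorial (not part of PulledPork or Snort): cron
# wrapper that updates rules, validates them with "snort -T", and rolls back
# to the previous snort.rules if validation fails.
# Defaults follow the tutorial's paths; override via environment variables.

PULLEDPORK="${PULLEDPORK:-/usr/local/bin/pulledpork.pl}"
PULLEDPORK_CONF="${PULLEDPORK_CONF:-/etc/snort/pulledpork.conf}"
SNORT="${SNORT:-snort}"                      # assumed to be on PATH
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
RULES="${RULES:-/etc/snort/rules/snort.rules}"
LOG="${LOG:-/var/log/pulledpork-update.log}" # assumed log location

# Append a timestamped line to the wrapper's own log.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# Exit status: 0 = rules updated and validated,
#              1 = PulledPork failed (rules file left as it was),
#              2 = new rules failed "snort -T" and the previous file was restored.
update_rules() {
    # Keep the last known-good rules so a bad update can be undone.
    if [ -f "$RULES" ]; then
        if ! cp "$RULES" "$RULES.prev"; then
            log "could not back up $RULES; aborting"
            return 1
        fi
    fi

    # Same command the tutorial schedules in cron (-l logs to syslog).
    if ! "$PULLEDPORK" -c "$PULLEDPORK_CONF" -l >> "$LOG" 2>&1; then
        log "pulledpork failed; $RULES left unchanged"
        return 1
    fi

    # Validate the whole Snort configuration, including the new snort.rules.
    if "$SNORT" -T -c "$SNORT_CONF" >> "$LOG" 2>&1; then
        log "rules updated and validated with snort -T"
        return 0
    fi

    log "snort -T rejected the new rules; restoring previous $RULES"
    if [ -f "$RULES.prev" ]; then
        cp "$RULES.prev" "$RULES"
    fi
    return 2
}

# Run only when explicitly asked, e.g. from cron:
#   01 04 * * * /usr/local/bin/pulledpork-update.sh run
case "${1:-}" in
    run) update_rules ;;
esac
```

Install it as /usr/local/bin/pulledpork-update.sh and point the crontab line at `pulledpork-update.sh run` instead of pulledpork.pl. Note that Snort reads its rules at startup, so a running Snort keeps using the old rules until it is restarted or reloaded; the wrapper only guarantees that the file on disk is one Snort will accept.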

PulledPork will now download new rule updates daily, so Snort has signatures for newly disclosed vulnerabilities as soon as the rule publishers release them!

The next part will cover setting up Barnyard2 and MySQL, so you can make use of the data that Snort has logged!


Before moving on, a bit of advice on why you should not install everything on the same machine or VM.