In a previous post, I explained how to install Snort on Ubuntu 12.04. The next step is to make sure that your rules are up to date, which is done by updating the Snort rules with Pulled Pork. An IDS with an outdated rule set is about as effective as an antivirus product that hasn't been updated for a couple of months: it only gives you a false sense of security. This post describes the steps you have to take to update Snort rules using Pulled Pork.
Pulled Pork is not available from the Ubuntu repositories, so we have to install the tool and its prerequisites ourselves.
Install prerequisites
Pulled Pork requires two Perl libraries. On Ubuntu, you can install them like this:
# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
Install Pulled Pork
I downloaded the most recent version. It's critical to download the latest version from the trunk: version 0.6.1, the one offered for download, doesn't work anymore due to changes on the Emerging Threats website. You'll get an error because the certificate isn't valid.
root@ids:~# cd /usr/local/bin
root@ids:/usr/local/bin# wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
--2013-03-07 19:14:12--  http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
Resolving pulledpork.googlecode.com (pulledpork.googlecode.com)... 173.194.67.82, 2a00:1450:400c:c05::52
Connecting to pulledpork.googlecode.com (pulledpork.googlecode.com)|173.194.67.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35444 (35K) [application/x-gzip]
Saving to: `pulledpork.pl'

100%[=====================================================================================================================================================================>] 35,444      --.-K/s   in 0.1s

2013-03-07 19:14:12 (276 KB/s) - `pulledpork.pl' saved [35444/35444]

root@ids:/usr/local/bin# chmod 755 pulledpork.pl
Next, I created a new directory under /etc for the configuration files:
root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf
After fetching the config file, you still have to go to snort.org, make an account to become a registered user and create your own personal oinkcode. You have the choice between the most recent signatures and signatures that are one month old; if you want the most recent signatures, you have to pay a small fee. Once you have your oinkcode, place it in pulledpork.conf.
Configuration of Snort
Since we want to enable the dynamic rules, we make sure the second line of the following block in /etc/snort/snort.conf is no longer commented out:
# path to dynamic rules libraries
dynamicdetection directory /usr/lib/snort_dynamicrules
We also need to create that directory:
# mkdir /usr/lib/snort_dynamicrules
Remove all the include rules from the main config by executing this:
sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf
Then execute the following two commands to add the include rules:
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
Delete the current rules:
rm /etc/snort/rules/*.rules
Add the following variable to /etc/snort/snort.conf (in the first part of the file):
# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
Running pulledpork
This command runs pulledpork and updates your rules:
# pulledpork.pl -c /etc/pulledpork/pulledpork.conf
...
Rule Stats...
	New:-------185
	Deleted:---3
	Enabled Rules:----16662
	Dropped Rules:----0
	Disabled Rules:---15312
	Total Rules:------31974
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
After updating your rules, you always have to restart Snort. Make sure that you don't get any errors during the restart; if you do, check /var/log/syslog and fix the issue.
# service snort restart
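The snort.conf edits above are easy to get wrong by hand (duplicate include lines after a second run, a portvar placed before the HTTP_PORTS it references, a dynamicdetection line still commented out). The script below is an added example, not code from the original post or from the Pulled Pork project: it applies the three edits in one repeat-safe pass, verifies the result, and shows the update sequence a sensor should follow, testing the new configuration with `snort -T` before restarting so that a bad rule set never leaves the IDS down. It assumes POSIX sh, grep, sed and awk, and its demo runs on a constructed sample file rather than on /etc/snort/snort.conf; the `update_rules` function is the only part that touches a live system and is not executed by the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It applies the snort.conf
# edits described above in one idempotent pass, verifies them, and shows a
# rule-update sequence that tests the config (snort -T) before restarting.
# Assumes POSIX sh, grep, sed and awk; the demo runs on a constructed sample
# file, not on /etc/snort/snort.conf.

set -u

# Drop every "include $RULE_PATH/..." line and append the two includes that
# pulledpork expects. Running it twice gives the same result.
set_rule_includes() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # The backslash keeps the dollar literal in the regex.
    grep -v '^include \$RULE_PATH/' "$conf" > "$tmp" || true
    printf 'include $RULE_PATH/snort.rules\n' >> "$tmp"
    printf 'include $RULE_PATH/local.rules\n' >> "$tmp"
    mv "$tmp" "$conf"
}

# Uncomment "dynamicdetection directory ..." so the shared-object rules that
# pulledpork places in that directory are loaded.
enable_dynamic_rules() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed 's/^#[[:space:]]*\(dynamicdetection directory \)/\1/' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Define FILE_DATA_PORTS once, right after HTTP_PORTS, which it references.
add_file_data_ports() {
    conf="$1"
    tmp="$conf.tmp.$$"
    if grep -q '^portvar FILE_DATA_PORTS' "$conf"; then return 0; fi
    awk '{ print }
         /^portvar HTTP_PORTS/ {
             print "# List of file data ports for file inspection"
             print "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]"
         }' "$conf" > "$tmp"
    mv "$tmp" "$conf"
}

# Apply all three edits to one file.
prepare_conf() {
    set_rule_includes "$1"
    enable_dynamic_rules "$1"
    add_file_data_ports "$1"
}

# Return 0 only when the file has exactly the two expected rule includes,
# an enabled dynamicdetection directory and a FILE_DATA_PORTS definition.
verify_conf() {
    conf="$1"
    n=$(grep -c '^include \$RULE_PATH/' "$conf" || true)
    [ "$n" -eq 2 ] || { echo "expected 2 rule includes, found $n" >&2; return 1; }
    grep -q '^include \$RULE_PATH/snort.rules$' "$conf" || return 1
    grep -q '^include \$RULE_PATH/local.rules$' "$conf" || return 1
    grep -q '^dynamicdetection directory ' "$conf" || return 1
    grep -q '^portvar FILE_DATA_PORTS' "$conf" || return 1
}

# On a live sensor: fetch rules, test the resulting config in Snort's -T
# (test) mode, and restart only if the test passes, so a bad rule set never
# leaves the IDS down. Not run by the demo below.
update_rules() {
    conf="${1:-/etc/snort/snort.conf}"
    pulledpork.pl -c /etc/pulledpork/pulledpork.conf || return 1
    snort -T -c "$conf" || { echo "config test failed, not restarting" >&2; return 1; }
    service snort restart
}

# Constructed sample of the relevant snort.conf lines (not a real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules
portvar HTTP_PORTS [80,8080]
# path to dynamic rules libraries
# dynamicdetection directory /usr/lib/snort_dynamicrules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/exploit.rules
include classification.config
EOF
}

demo=$(mktemp)
make_sample_conf "$demo"
prepare_conf "$demo"
prepare_conf "$demo"   # second pass must change nothing
if verify_conf "$demo"; then
    echo "snort.conf edits verified:"
    cat "$demo"
fi
rm -f "$demo"
```

Running the script prints the rewritten sample: HTTP_PORTS is followed by the FILE_DATA_PORTS portvar, the dynamicdetection line is active, the non-rule include is kept, and only the snort.rules and local.rules includes remain. To use it on a real box, run `prepare_conf /etc/snort/snort.conf` once (back the file up first) and schedule `update_rules` in place of a bare `pulledpork.pl` plus restart.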
When you removed all the include rules from the main config except snort.rules and local.rules:
What about all the others? Is that all that's needed? If I take a look at the snortrules-snapshot downloaded from snort.org there are a lot of rule files.
How do I know if I enabled them all? According to pulledpork I have Disabled:--21744 rules. How do I enable those rules?
All the other includes are not needed; pulledpork combines all the rules into one file: snort.rules.
Those 21744 are disabled by default. You can manually enable them via the pulledpork config files.
I followed your instructions and am getting this error. I tried updating the pulledpork.conf to the latest version (v0.7.0) and then it gives me a different error.
Any suggestions?
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You are not using the current version of pulledpork.conf!
Please use the version of pulledpork.conf that shipped with PulledPork v0.7.0 - Swine Flu!!
 at /usr/local/bin/pulledpork.pl line 1533
My configuration file doesn't work with the newer version unless you adapt the "version" variable at the end of the config file.
Regards
In the configuring snort section you say
“And execute the following 3 commands to add the include rules.”
then only give two commands. Is it the number that is wrong or are you missing a command?
You’re right. I’ve corrected the post.
The snort package that comes with the Ubuntu repo has reached its EOL. In other words, new rules will not support this version.
Our only option is to compile from source. Is that correct?
That’s right. It’s possible that the newest rules won’t be supported by the current Ubuntu version.
After this step, my merged.log is empty, and there is no data even if I leave the server working for more than 4 hours.
I got this
service snort start
[….] Starting Network Intrusion Detection System : snort (eth0 using /etc/snort/snort.conf …ERROR: failed (check /var/log/daemon.log, /var/log/syslog an[FAILr/log/snort/)) failed!
And can you find an explanation for the error in the logfiles mentioned?
Please give the solution: when I am able to start pulledpork.pl and try to execute it, the rules are not able to download, but it gives the error below:
http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2920.tar.gz....
Rules tarball download of snortrules-snapshot-2920.tar.gz....
A 500 error occurred, please verify that you have recently updated your root certificates!
-----ERROR---Rules tarball download of snortrules-snapshot-2920.tar.gz....
A 500 error occurred, please verify that you have recently updated your root certificates!
Have you installed your ca-certificates? On a Debian machine:
apt-get install ca-certificates
I already installed all certificates (RHEL 5.3 machine).
Now I am getting error 403, even when I tried 15 minutes later as well.
Please tell me how I can resolve this...
Regards
karan
You can find an answer to that question in the corresponding FAQ.
http://code.google.com/p/pulledpork/wiki/FAQ
If you are a subscriber, be sure that your subscription has not expired.
If you are a registered user, there is a 15 minute timeout period that must timeout before you can download rules again.
I fixed by running:
update-ca-certificates
Hi,
I'm currently installing this on Ubuntu 14, and so far the steps are almost the same, minus the version, which is now 0.7.0. When I started pulledpork.pl, the other configuration was OK, but later down the line I would get this:
FATAL ERROR: /etc/snort//etc/snort/rules/snort.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/snort.rules": No such file or directory.
Why is the parent path "/etc/snort/" being added twice?
Thanks
Thanks for the info. I’m planning an update on that article. Your question will be answered after the update.
Best regards,
Thomas
I figured out that if you do a touch on /etc/snort/rules/snort.rules and local.rules, the dual root directory goes away.
Kirk
Kirk,
Well done! This fixed my problem as well.
Compiled Snort from scratch, but I can't get pulledpork to download anything:
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|xxx
rule_url=https://www.snort.org/reg-rules/|opensource.gz|xxx
rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
sostub_path=/etc/snort/rules/so_rules.rules
distro=Ubuntu-12.04
backup_file=/tmp/pp_backup
pid_path=/var/run/snort_eth1.pid
snort_version=2.9.6.2
# enablesid=/usr/local/etc/snort/enablesid.conf
# dropsid=/usr/local/etc/snort/dropsid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
version=0.7.0
http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.7.0 - Swine Flu!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2013 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checking latest MD5 for snortrules-snapshot-2962.tar.gz….
They Match
Done!
Checking latest MD5 for opensource.gz….
They Match
Done!
Checking latest MD5 for emerging.rules.tar.gz….
They Match
Done!
Writing /var/log/sid_changes.log….
Done
No Rule Changes
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
However, if you cat /etc/snort/rules/snort.rules it's empty. What gives?
Why do you get pulledpork.conf from your own site?
Where should we get ours from?
root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf
It's just an example that should work for everyone.
pulledpork.conf worked.
Just had to edit these lines:
insert oinkcode
distro=Ubuntu-14-04
snort_version=2.9.7.0
version=0.7.1
Thanks!!!
Hi, I have followed your steps and have created an account, so I have an oinkcode; however, when I get to this step:
After fetching the config file, you still have to go to snort.conf, make an account to become a registered user and create your own personal oinkcode. You have the choice between getting the most recent signatures and signatures which are one month old. If you want to have the most recent signature, you have to pay a small fee. When you have your oinkcode, you can place it in pulledpork.conf.
I'm not sure what I have to do, and when I try to reload Snort I'm getting this error:
FATAL ERROR: unable to open rules file “/etc/snort//etc/snort/rules/snort.rules”: No such file or directory
I have looked on https://www.snort.org/ for help and it says to download the rule package for the version of Snort you have, and the options available are 2962 or 2970, but when I run snort --version it says I have version 2.9.2.2.
Your path is wrong. It shouldn't be "/etc/snort//etc/snort/rules/snort.rules" but "/etc/snort/rules/snort.rules".
I installed pulled pork, but inadvertently (okay, stupidly) pointed it to the wrong directory for sid-msg.map file, so when I ran pulledpork, it complained. I corrected it in the conf file, re-ran pulledpork, and it ran saying it’s already at the current ruleset, which I expected but sid-msg.map is still empty. Is this going to be an issue or is there a way to reset the state of pulled pork so it does a complete reload without having to wait for the next ruleset update?
I installed the Fedora RPM and I keep getting:
pulledpork.pl -c /etc/snort/pulledpork/pulledpork.conf
Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361
Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused
Any ideas why?
The wget http://pulledpork.googlecode.. URL for download at the top of this post fails. Is there an updated download?