In a previous post, I explained how to install Snort on Ubuntu 12.04. The next step is to make sure that your rules are up to date, which is done by updating the Snort rules with PulledPork. An IDS with an outdated rule set is about as effective as an antivirus product that hasn’t been updated for a couple of months: it only gives you a false sense of security. Below are the steps you have to take to update Snort rules using PulledPork.
This tool is not available for installation from the Ubuntu repositories, so we have to install the tool and its prerequisites ourselves.
PulledPork requires two Perl libraries. On Ubuntu, you can install them like this.
# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
Install Pulled Pork
I downloaded the most recent version. It’s critical to download the latest version from the trunk. Version 0.6.1 which is available for download doesn’t work anymore due to changes on the Emerging Threats website. You’ll get an error because the certificate isn’t valid.
root@ids:~# cd /usr/local/bin
root@ids:/usr/local/bin# wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
--2013-03-07 19:14:12--  http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
Resolving pulledpork.googlecode.com (pulledpork.googlecode.com)... 18.104.22.168, 2a00:1450:400c:c05::52
Connecting to pulledpork.googlecode.com (pulledpork.googlecode.com)|22.214.171.124|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35444 (35K) [application/x-gzip]
Saving to: `pulledpork.pl'

100%[=====================================================================================================================================================================>] 35,444      --.-K/s   in 0.1s

2013-03-07 19:14:12 (276 KB/s) - `pulledpork.pl' saved [35444/35444]

root@ids:/usr/local/bin# chmod 755 pulledpork.pl
Next I created a new directory in /etc for the configuration files.
root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf
After fetching the config file, you still have to go to snort.org, create an account to become a registered user and generate your own personal oinkcode. You have the choice between the most recent signatures and signatures that are one month old. If you want the most recent signatures, you have to pay a small fee. Once you have your oinkcode, place it in pulledpork.conf.
Configuration of Snort
Since we want to enable the dynamic rules, we make sure the second line of the following snippet in /etc/snort/snort.conf is no longer commented out.
# path to dynamic rules libraries
dynamicdetection directory /usr/lib/snort_dynamicrules
And we also want to create that directory.
# mkdir /usr/lib/snort_dynamicrules
Remove all include rules from the main config by executing this.
sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf
Then execute the following two commands to add the include lines back.
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
Delete the current rules
Add the following variable to /etc/snort/snort.conf (in the first part of the file).
# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
Running pulledpork
This command runs pulledpork and updates your rules.
# pulledpork.pl -c /etc/pulledpork/pulledpork.conf
...
Rule Stats...
	New:-------185
	Deleted:---3
	Enabled Rules:----16662
	Dropped Rules:----0
	Disabled Rules:---15312
	Total Rules:------31974
No IP Blacklist Changes
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
After updating your rules, you always have to restart snort. Make sure that you didn’t get any errors during the restart. If you received errors, check the /var/log/syslog file and try to fix the issue.
# service snort restart
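The snort.conf edits above are easy to get wrong when repeated (duplicate includes, a portvar that ends up after the rules that use it), so here is an added example that is not part of the original post: a small POSIX shell script that applies the same edits in a re-runnable way and sanity-checks the file before you restart Snort. The function names are mine and the sample config is constructed; it assumes only sh, sed and grep, plus a Snort binary for the optional live check.

```shell
# Rewrite one snort.conf in place (via a temp file): enable the dynamic
# rules directory, drop every "include $RULE_PATH/..." line, re-add the two
# includes PulledPork expects, and define FILE_DATA_PORTS at the top.
configure_snort_conf() {
    conf="$1"
    sed -e 's|^#[[:space:]]*\(dynamicdetection directory /usr/lib/snort_dynamicrules\)|\1|' \
        -e '/^include \$RULE_PATH/d' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    # snort.rules is generated by PulledPork; local.rules holds your own signatures.
    printf 'include $RULE_PATH/snort.rules\ninclude $RULE_PATH/local.rules\n' >> "$conf"
    # portvars must precede the rules that use them, so prepend (only once).
    if ! grep -q '^portvar FILE_DATA_PORTS' "$conf"; then
        { printf '# List of file data ports for file inspection\n'
          printf 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n'
          cat "$conf"; } > "$conf.tmp" && mv "$conf.tmp" "$conf"
    fi
}

# Static checks on the edited file: exactly two $RULE_PATH includes remain,
# dynamic rules are enabled and the portvar is defined. Returns non-zero on
# the first failure so a caller can stop before touching the running IDS.
check_snort_conf() {
    conf="$1"
    [ "$(grep -c '^include \$RULE_PATH/' "$conf")" -eq 2 ] || return 1
    grep -q '^dynamicdetection directory /usr/lib/snort_dynamicrules' "$conf" || return 1
    grep -q '^portvar FILE_DATA_PORTS' "$conf" || return 1
}

# Live check on a real host: let Snort parse the config (-T = test and exit)
# before "service snort restart", so a broken rule update never takes the
# sensor down. Not used in the test below because it needs Snort installed.
snort_config_test() {
    snort -T -c "$1"
}

# Constructed stand-in for the relevant lines of a stock snort.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH /etc/snort/rules
# path to dynamic rules libraries
# dynamicdetection directory /usr/lib/snort_dynamicrules
include $RULE_PATH/web-attacks.rules
include $RULE_PATH/local.rules
EOF
}
```

Run `configure_snort_conf /etc/snort/snort.conf && check_snort_conf /etc/snort/snort.conf && snort_config_test /etc/snort/snort.conf` after each PulledPork update and only restart the service when all three succeed.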