Updating Snort Rules using Pulled Pork

In a previous post I explained how to install Snort on Ubuntu 12.04. The next step is to keep your rules up to date, and that is what Pulled Pork does. An IDS with an outdated rule set is about as effective as an antivirus product that hasn’t been updated for a couple of months: it only gives you a false sense of security. This post describes the steps for updating Snort rules with Pulled Pork.

This tool is not available from the Ubuntu repositories, so we have to install it and its prerequisites ourselves.

Install prerequisites

Pulled Pork requires two Perl libraries. On Ubuntu you can install them like this.

# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl

Install Pulled Pork

I downloaded the most recent version. It’s critical to take the latest version from the trunk: version 0.6.1, the one offered as a release download, no longer works because of changes on the Emerging Threats website. You’ll get an error saying the certificate isn’t valid.

root@ids:~# cd /usr/local/bin
root@ids:/usr/local/bin# wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
--2013-03-07 19:14:12--  http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
Resolving pulledpork.googlecode.com (pulledpork.googlecode.com)... 173.194.67.82, 2a00:1450:400c:c05::52
Connecting to pulledpork.googlecode.com (pulledpork.googlecode.com)|173.194.67.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35444 (35K) [application/x-gzip]
Saving to: `pulledpork.pl'

100%[=====================================================================================================================================================================>] 35,444      --.-K/s   in 0.1s    

2013-03-07 19:14:12 (276 KB/s) - `pulledpork.pl' saved [35444/35444]

root@ids:/usr/local/bin# chmod 755 pulledpork.pl

Next I created a new directory in /etc for the configuration files.

root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf

After fetching the config file, you still have to go to snort.org, create an account to become a registered user and generate your own personal oinkcode. You have the choice between the most recent signatures and signatures that are one month old; if you want the most recent ones, you have to pay a small fee. When you have your oinkcode, put it in pulledpork.conf.

Configuration of Snort

Since we want to enable the dynamic rules, make sure the dynamicdetection line (the second line of the snippet below) in /etc/snort/snort.conf is no longer commented out.

# path to dynamic rules libraries
dynamicdetection directory /usr/lib/snort_dynamicrules

Create that directory as well.

# mkdir /usr/lib/snort_dynamicrules

Remove all include rules from the main config by executing this.

sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf

Then execute the following two commands to add the include lines for the rule files that Pulled Pork maintains.

echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf

Delete the current rule files; Pulled Pork will regenerate snort.rules.

rm /etc/snort/rules/*.rules

Add the following variable to /etc/snort/snort.conf, in the first part of the file where the other portvar definitions live.

# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
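
The snort.conf changes above, collected into one script as an added example (this is not code from the original post). It assumes the stock Ubuntu snort.conf layout: a commented "#dynamicdetection directory ..." line, "include $RULE_PATH/..." lines and a "portvar HTTP_PORTS ..." line, after which the new FILE_DATA_PORTS variable is placed because it refers to $HTTP_PORTS. The sample configuration embedded at the end is constructed for the demo; the real target is /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example, not from the original post: apply the snort.conf edits from
# the post to a given file in one pass so the result can be reviewed before
# Snort is restarted. Safe to run twice: every step checks before it writes.
set -u

prepare_snort_conf() {
    conf="$1"
    tmp="$conf.tmp"

    # 1. Uncomment the dynamicdetection directory line (other comments stay).
    # 2. Delete every "include $RULE_PATH/..." line, which is what the sed
    #    one-liner in the post does; pulledpork merges all rules into snort.rules.
    sed -e 's/^#[[:space:]]*dynamicdetection directory/dynamicdetection directory/' \
        -e '/^include \$RULE_PATH/d' "$conf" > "$tmp" && mv "$tmp" "$conf"

    # 3. Re-add the two includes that pulledpork maintains, unless present.
    for rulefile in snort.rules local.rules; do
        grep -qxF "include \$RULE_PATH/$rulefile" "$conf" ||
            echo "include \$RULE_PATH/$rulefile" >> "$conf"
    done

    # 4. Put portvar FILE_DATA_PORTS directly after portvar HTTP_PORTS (it
    #    references $HTTP_PORTS); fall back to appending if that line is absent.
    if ! grep -q '^portvar FILE_DATA_PORTS' "$conf"; then
        if grep -q '^portvar HTTP_PORTS' "$conf"; then
            awk '{ print } /^portvar HTTP_PORTS/ && !done { print "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]"; done = 1 }' \
                "$conf" > "$tmp" && mv "$tmp" "$conf"
        else
            echo 'portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]' >> "$conf"
        fi
    fi
}

# Constructed sample of the relevant snort.conf lines (not a real config file).
write_sample_conf() {
    cat > "$1" <<'EOF'
ipvar HOME_NET any
portvar HTTP_PORTS [80,8080]
# path to dynamic rules libraries
#dynamicdetection directory /usr/lib/snort_dynamicrules
include $RULE_PATH/exploit.rules
include $RULE_PATH/web-attacks.rules
include classification.config
EOF
}

# Stand-alone demo on the constructed sample; prints the rewritten file.
demo_conf="${TMPDIR:-/tmp}/snort.conf.demo.$$"
write_sample_conf "$demo_conf"
prepare_snort_conf "$demo_conf"
cat "$demo_conf"
rm -f "$demo_conf"
```

Note that "include classification.config" survives: only includes under $RULE_PATH are removed, exactly as with the sed command in the post, so the classification and reference includes Snort needs stay in place.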

Running pulledpork

This command will run pulledpork and update your rules.

# pulledpork.pl -c /etc/pulledpork/pulledpork.conf
...
Rule Stats...
	New:-------185
	Deleted:---3
	Enabled Rules:----16662
	Dropped Rules:----0
	Disabled Rules:---15312
	Total Rules:------31974
No IP Blacklist Changes

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

After updating your rules, you always have to restart Snort. Make sure the restart produces no errors; if it does, check /var/log/syslog and fix the issue before relying on the sensor again.

# service snort restart
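
An added example (not code from the original post) that wraps the update and restart steps so Snort is only restarted when the new rule set actually loads. It uses Snort's -T switch, which parses the configuration and rules and exits without starting the daemon, so a broken rule file is caught before the running sensor is stopped; it also refuses to restart when snort.rules is missing or empty, a failure mode several commenters describe. The paths are the ones used in the post and can be overridden through environment variables; the rule line written in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: update rules, validate, then
# restart Snort only if validation passes. Each command is passed in as a
# string so the logic can be exercised without pulledpork or snort installed.
set -u

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
PP_CONF="${PP_CONF:-/etc/pulledpork/pulledpork.conf}"
RULES_FILE="${RULES_FILE:-/etc/snort/rules/snort.rules}"

# rules_file_ok FILE: succeed only if FILE exists and holds at least one rule
# line (a Snort rule starts with its action keyword). An empty snort.rules
# lets Snort start while inspecting nothing, which is worse than a failed start.
rules_file_ok() {
    [ -s "$1" ] && grep -Eq '^(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1"
}

# update_and_restart UPDATE_CMD TEST_CMD RESTART_CMD RULES_FILE
# Returns 0 on success, 1 if the update failed, 2 if the rule file is
# missing/empty or the config does not validate (the running daemon is left
# alone in both cases), 3 if the restart itself failed.
update_and_restart() {
    update_cmd="$1"; test_cmd="$2"; restart_cmd="$3"; rules="$4"

    if ! sh -c "$update_cmd"; then
        echo "rule update failed; snort not restarted" >&2
        return 1
    fi
    if ! rules_file_ok "$rules"; then
        echo "$rules is missing or contains no rules; snort not restarted" >&2
        return 2
    fi
    if ! sh -c "$test_cmd"; then
        echo "new configuration fails the snort -T check; snort not restarted" >&2
        return 2
    fi
    if ! sh -c "$restart_cmd"; then
        echo "snort restart failed; check /var/log/syslog" >&2
        return 3
    fi
    echo "rules updated, configuration validated, snort restarted"
    return 0
}

# Real invocation with the commands from the post (needs root); set RUN_UPDATE=1.
if [ "${RUN_UPDATE:-0}" = 1 ]; then
    update_and_restart "pulledpork.pl -c $PP_CONF" \
                       "snort -T -c $SNORT_CONF" \
                       "service snort restart" \
                       "$RULES_FILE"
fi
```

Run it as RUN_UPDATE=1 sh update-snort-rules.sh from cron after the pulledpork schedule, and keep the exit code: a 2 means the sensor is still running on the previous rule set and someone needs to look at /var/log/sid_changes.log and the -T output.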

31 thoughts on “Updating Snort Rules using Pulled Pork”

  1. Pingback: Howto install Snort | The A to Z of IT

  2. skylite

    When you removed all the include rules from the main config except snort.rules and local.rules:
    What about all the others? Is that all that’s needed? If i take a look at the snortrules-snapshot downloaded from snort.org there are a lot of rule files.

    How do i know if I enabled them all? according to pulledpork I have Disabled:–21744 rules. How do I enable those rules?

    1. Thomas Elsen Post author

      All the rest of the includes are not needed. pulledpork combines all the rules in 1 file. : snort.rules.

      Those 21744 are disabled by default. You can manually enable them via the pulledpork config files.

  3. Gary

    I followed your instructions and am getting this error. I tried updating the pulledpork.conf to the latest version (v0.7.0) and then it gives me a different error.
    Any suggestions?

    `—-,\ )
    `–==\\ / PulledPork v0.7.0 – Swine Flu!
    `–==\\/
    .-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
    @_/ / 66\_ cummingsj@gmail.com
    | \ \ _(“)
    \ /-| ||’–‘ Rules give me wings!
    \_\ \_\\
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    You are not using the current version of pulledpork.conf!
    Please use the version of pulledpork.conf that shipped with PulledPork v0.7.0 – Swine Flu!!

    at /usr/local/bin/pulledpork.pl line 1533

  4. Robin

    In the configuring snort section you say

    “And execute the following 3 commands to add the include rules.”

    then only give two commands. Is it the number that is wrong or are you missing a command?

  5. roland

    The snort package that comes with ubuntu repo has reached its eol. in other rules, new rules will not support this version.

    our only option is to compile from source. is that correct?

  6. Jason

    I got this

    service snort start
    [….] Starting Network Intrusion Detection System : snort (eth0 using /etc/snort/snort.conf …ERROR: failed (check /var/log/daemon.log, /var/log/syslog an[FAILr/log/snort/)) failed!

  7. karan kapoor

    Please give the solution as when i able to start the pulledpork.pl and tries to execute the same the rules are not able to download but the it give the error as below:–>>
    http://code.google.com/p/pulledpork/
    _____ ____
    `—-,\ )
    `–==\\ / PulledPork v0.7.0 – Swine Flu!
    `–==\\/
    .-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
    @_/ / 66\_ cummingsj@gmail.com
    | \ \ _(“)
    \ /-| ||’–‘ Rules give me wings!
    \_\ \_\\
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Checking latest MD5 for snortrules-snapshot-2920.tar.gz….
    Rules tarball download of snortrules-snapshot-2920.tar.gz….
    A 500 error occurred, please verify that you have recently updated your root certificates!

    —–ERROR—Rules tarball download of snortrules-snapshot-2920.tar.gz….
    A 500 error occurred, please verify that you have recently updated your root certificates!

      1. karan

        i already installed all certificates (RHEL 5.3 machine)
        now i am getting error 403 even i tried 15 minutes later as well
        please tell me how can i resolve the same…
        Regards
        karan

  8. Jeff

    Hi,
    I’m currently installing this in Ubuntu 14 and so far the steps are almost the same minus the version which is now 0.7.0, when I started pulledpork.pl, the other configuration is ok.. but later down the line I would get this…

    FATAL ERROR: /etc/snort//etc/snort/rules/snort.rules(0) Unable to open rules file “/etc/snort//etc/snort/rules/snort.rules”: No such file or directory.

    why is the parent path “/etc/snort/” being added twice?

    thanks

  9. Kirk

    I figured out that if you do a touch on /etc/snort/rules/snort.rules and local.rules that the dual root directory goes away….

    Kirk

  10. Jonathan

    Compiled snort from scratch, but I can’t get pulledpork to download anything:

    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|xxx
    rule_url=https://www.snort.org/reg-rules/|opensource.gz|xxx
    rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open-nogpl
    ignore=deleted.rules,experimental.rules,local.rules
    temp_path=/tmp
    rule_path=/etc/snort/rules/snort.rules
    local_rules=/etc/snort/rules/local.rules
    sid_msg=/etc/snort/sid-msg.map
    sid_msg_version=1
    sid_changelog=/var/log/sid_changes.log
    sorule_path=/usr/local/lib/snort_dynamicrules
    snort_path=/usr/local/bin/snort
    config_path=/etc/snort/snort.conf
    black_list=/etc/snort/rules/iplists/default.blacklist
    IPRVersion=/etc/snort/rules/iplists
    sostub_path=/etc/snort/rules/so_rules.rules
    distro=Ubuntu-12.04
    backup_file=/tmp/pp_backup
    pid_path=/var/run/snort_eth1.pid
    snort_version=2.9.6.2
    # enablesid=/usr/local/etc/snort/enablesid.conf
    # dropsid=/usr/local/etc/snort/dropsid.conf
    # disablesid=/usr/local/etc/snort/disablesid.conf
    # modifysid=/usr/local/etc/snort/modifysid.conf
    version=0.7.0

    http://code.google.com/p/pulledpork/
    _____ ____
    `—-,\ )
    `–==\\ / PulledPork v0.7.0 – Swine Flu!
    `–==\\/
    .-~~~~-.Y|\\_ Copyright (C) 2009-2013 JJ Cummings
    @_/ / 66\_ cummingsj@gmail.com
    | \ \ _(“)
    \ /-| ||’–‘ Rules give me wings!
    \_\ \_\\
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Checking latest MD5 for snortrules-snapshot-2962.tar.gz….
    They Match
    Done!
    Checking latest MD5 for opensource.gz….
    They Match
    Done!
    Checking latest MD5 for emerging.rules.tar.gz….
    They Match
    Done!
    Writing /var/log/sid_changes.log….
    Done

    No Rule Changes

    No IP Blacklist Changes

    Done
    Please review /var/log/sid_changes.log for additional details
    Fly Piggy Fly!

    however, if you cat /etc/snort/rules/snort.rules it’s empty. What gives?

  11. Rolo1128

    pulledpork.conf worked.

    Just had to edit these lines:
    insert oinkcode
    distro=Ubuntu-14-04
    snort_version=2.9.7.0
    version=0.7.1

    Thanks!!!

  12. Craig

    Hi I have followed your steps and have created an account so i have an oinkcode, however when i get to this step;

    After fetching the config file, you still have to go to snort.conf, make an account to become a registered user and create your own personal oinkcode. You have the choice between getting the most recent signatures and signatures which are one month old. If you want to have the most recent signature, you have to pay a small fee. When you have your oinkcode, you can place it in pulledpork.conf.

    Im not sure what I have to do and when i try and reload snort im getting this error;

    FATAL ERROR: unable to open rules file “/etc/snort//etc/snort/rules/snort.rules”: No such file or directory

    I have looked on https://www.snort.org/ for help and it says to download the rule package for the version of snort you have and the options available are 2962 or 2970 but when i run snort –version it says i have version 2.9.2.2

  13. Mike Stoico

    I installed pulled pork, but inadvertently (okay, stupidly) pointed it to the wrong directory for sid-msg.map file, so when I ran pulledpork, it complained. I corrected it in the conf file, re-ran pulledpork, and it ran saying it’s already at the current ruleset, which I expected but sid-msg.map is still empty. Is this going to be an issue or is there a way to reset the state of pulled pork so it does a complete reload without having to wait for the next ruleset update?

  14. Pingback: Installing Snort | Pramod The Network Guy

  15. Rob Kudyba

    I installed the Fedora RPM and I keep getting:
    pulledpork.pl -c /etc/snort/pulledpork/pulledpork.conf
    Command: /usr/bin/snort_control /etc/snort/rules/iplists 1361
    Unable to connect to UNIX socket at /etc/snort/rules/iplists/SNORT.sock: Connection refused

    Any ideas why?

