In a previous post, I explained how to install Snort on Ubuntu 12.04. The next step is to keep its rules up to date, and that is what Pulled Pork does. An IDS with an outdated rule set is about as effective as an antivirus product whose signatures haven't been updated for a couple of months: it only gives you a false sense of security. This post describes the steps for updating Snort rules using Pulled Pork.
The tool is not available in the Ubuntu repositories, so we have to install it and its prerequisites ourselves.
Pulled Pork requires two Perl libraries. On Ubuntu, you can install them like this:
# apt-get install libcrypt-ssleay-perl liblwp-protocol-https-perl
Install Pulled Pork
I downloaded the most recent version from the trunk, and that matters: the 0.6.1 release that is offered for download no longer works because of changes on the Emerging Threats website, and fails with an error about an invalid certificate. Note that the script below is fetched over plain HTTP and will later run as root, so read through what you downloaded before executing it.
root@ids:~# cd /usr/local/bin
root@ids:/usr/local/bin# wget http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
--2013-03-07 19:14:12-- http://pulledpork.googlecode.com/svn/trunk/pulledpork.pl
Resolving pulledpork.googlecode.com (pulledpork.googlecode.com)... 22.214.171.124, 2a00:1450:400c:c05::52
Connecting to pulledpork.googlecode.com (pulledpork.googlecode.com)|126.96.36.199|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35444 (35K) [application/x-gzip]
Saving to: `pulledpork.pl'
100%[=====================================================================================================================================================================>] 35,444 --.-K/s in 0.1s
2013-03-07 19:14:12 (276 KB/s) - `pulledpork.pl' saved [35444/35444]
root@ids:/usr/local/bin# chmod 755 pulledpork.pl
Next I created a new directory in /etc for the configuration files.
root@ids:/usr/local/bin# mkdir /etc/pulledpork
root@ids:/usr/local/bin# cd /etc/pulledpork
root@ids:/etc/pulledpork# wget http://www.rivy.org/custom/pulledpork.conf
After fetching the config file, you still have to register on snort.org and create your own personal oinkcode. You have the choice between the most recent signatures and signatures that are one month old: registered users get the delayed set for free, and if you want the most recent signatures you have to pay a small subscription fee. Once you have your oinkcode, put it in pulledpork.conf. The oinkcode identifies your account, so treat it as a credential and keep pulledpork.conf readable by root only.
Configuration of Snort
Since we want the dynamic (shared object) rules enabled, make sure the following line in /etc/snort/snort.conf is no longer commented out:
# path to dynamic rules libraries
dynamicdetection directory /usr/lib/snort_dynamicrules
And create that directory, since it is where Pulled Pork will put the shared object rules:
# mkdir /usr/lib/snort_dynamicrules
Delete the current rules
Remove all include lines for the old rule files from the main config by executing this:
sed -i '/^include $RULE_PATH/d' /etc/snort/snort.conf
Then execute the following two commands to add the only two includes Pulled Pork maintains (snort.rules is the merged file it generates; local.rules holds your own rules):
echo "include \$RULE_PATH/snort.rules" >> /etc/snort/snort.conf
echo "include \$RULE_PATH/local.rules" >> /etc/snort/snort.conf
Add the following variable to /etc/snort/snort.conf, in the first part of the file after the portvar HTTP_PORTS line it references. The downloaded rules use $FILE_DATA_PORTS, and Snort will fail to start on an undefined variable.
# List of file data ports for file inspection
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
Running Pulled Pork
This command runs Pulled Pork and updates your rules. The end of its output should look like this:
# pulledpork.pl -c /etc/pulledpork/pulledpork.conf
No IP Blacklist Changes
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
After updating your rules you always have to restart Snort so that it loads the new rule set. Make sure the restart completes without errors; if it doesn't, check /var/log/syslog and fix the problem it reports before you rely on the sensor again.
# service snort restart
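As an added example (not part of the original post), the following script gathers the steps of this section into one idempotent procedure: it uncomments the dynamicdetection line, replaces the include lines, defines FILE_DATA_PORTS right after HTTP_PORTS, runs Pulled Pork, and restarts Snort only after Snort's own config-test mode (snort -T) has accepted the new rule set, so a broken update cannot take the sensor down. The paths (/etc/snort/snort.conf, /etc/pulledpork/pulledpork.conf, /usr/lib/snort_dynamicrules) and the service snort init script are the ones used in this post; everything else is my assumption.

```bash
#!/bin/sh
# Added example, not code from the original post or from Pulled Pork itself.
# Assumes the Debian/Ubuntu snort package layout used in the post:
# /etc/snort/snort.conf, "service snort", pulledpork.pl on PATH and its
# config in /etc/pulledpork/pulledpork.conf.
set -eu

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}
PP_CONF=${PP_CONF:-/etc/pulledpork/pulledpork.conf}
SO_DIR=${SO_DIR:-/usr/lib/snort_dynamicrules}

# Rewrite a snort.conf so it contains exactly the directives the post wants.
# Safe to run repeatedly: existing copies are removed before re-adding.
prepare_snort_conf() {
    conf=$1
    tmp=$(mktemp)
    # 1. uncomment the dynamicdetection directory line
    # 2. drop every existing "include $RULE_PATH/..." line
    # 3. drop any old FILE_DATA_PORTS so awk can re-add it right after
    #    HTTP_PORTS, which it references and therefore must follow
    sed -e 's|^# *dynamicdetection directory |dynamicdetection directory |' \
        -e '/^include \$RULE_PATH\//d' \
        -e '/^portvar FILE_DATA_PORTS /d' \
        "$conf" |
    awk '{ print }
         /^portvar HTTP_PORTS / { print "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]" }' \
        > "$tmp"
    # the only two includes Pulled Pork maintains, appended once at the end
    printf 'include $RULE_PATH/snort.rules\ninclude $RULE_PATH/local.rules\n' >> "$tmp"
    # cat instead of mv keeps the owner and mode of the original file
    cat "$tmp" > "$conf" && rm -f "$tmp"
    grep -q '^portvar FILE_DATA_PORTS ' "$conf" || {
        echo "no 'portvar HTTP_PORTS' line found in $conf; add FILE_DATA_PORTS by hand" >&2
        return 1
    }
}

# Fetch the rules, then refuse to restart Snort unless the new configuration
# passes snort -T. Running the old rules a little longer beats a dead sensor.
update_rules() {
    pulledpork.pl -c "$PP_CONF"
    if snort -T -c "$SNORT_CONF"; then
        service snort restart
    else
        echo "snort -T rejected $SNORT_CONF; Snort was not restarted" >&2
        return 1
    fi
}

main() {
    mkdir -p "$SO_DIR"
    prepare_snort_conf "$SNORT_CONF"
    update_rules
}

# Only act when asked explicitly, so the file can also be sourced for its
# functions:  sh update-snort-rules.sh apply
case "${1-}" in apply) main ;; esac
```

Run it as root with the argument apply; without the argument it only defines the functions. The config rewrite is deliberately separate from the restart so you can run prepare_snort_conf on a copy of snort.conf first and diff the result.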