pulledpork 0.7.4 releases: Snort and Suricata rule management
PulledPork for Snort and Suricata rule management (from Google code)
Features and Capabilities
- Automated downloading, parsing, state modification and rule modification for all of your snort rulesets.
- Checksum verification for all major rule downloads
- Automatic generation of updated sid-msg.map file
- Capability to include your local.rules in sid-msg.map file
- Capability to pull rules tarballs from custom urls
- Complete Shared Object support
- Complete IP Reputation List support
- Capability to download multiple disparate rulesets at once
- Maintains accurate changelog
- Capability to HUP processes after rules download and process
- Aids in tuning of rulesets
- Verbose output so that you know EXACTLY what is happening
- Minimal Perl Module dependencies
- Support for Suricata, and ETOpen/ETPro rulesets
- A sweet smokey flavor throughout the pork!
This release includes numerous bug fixes for some issues that have been around for some time. PulledPork v0.7.4 has been tested with Snort 2.16.1 and Snort 3.0.1.
- Supports updating of Snort 3.0 signatures (0.8 will be released when Snort 3.0 moves out of BETA).
- Fixed some of the logic to allow updating with Perl on Windows
- ability to modify rules via regex in modifysid.conf
- Removal of opensource.gz processing (will speed up signature updating)
- Updated OS Distro list to match so_rules
- Added error checking around writing to directories that do not exist (i.e., block_list)
- Updated for new location of block list
git clone https://github.com/shirkdog/pulledpork.git
Command Usage Reference
A simple example of how to use PulledPork would be to specify all of your configuration directives inside of the PulledPork.conf file. Specifically for minimal function, i.e. NO Shared Object rule processing you must define at a minimum the rule_file, oinkcode, temp_path, tar_path, and rule_path values. Below are some examples of this.
The above will fetch the snortrules-snapshot-2973.tar.gz tarball from snort.org using the specified oinkcode of 12345667778523452344234234 and put the rules files from that tarball into the output path of /usr/local/etc/snort/rules/ while the -i option tells pulledpork where the disablesid.conf lives and the -T option tells pulledpork to not process for any shared object rules and the final -H option tells pulledpork to send a Hangup signal to the snort pid that you defined in the pulledpork.conf.
Similar to the first example but all options specified in the pulledpork.conf file (other than disablesid and -H)…
The above will simply read the disablesid and disable as defined, then send a Hangup signal after generating the sid-msg.map at the specified location without downloading anything. Highly useful when tuning/making changes etc..
Next example, snort inline with rules that we want to drop and disable, then HUP our daemons after creating a sid-msg.map and writing change info to sid_changes.log!
Next example, same as the previous but specifying that we want to run the default “security” based ruleset and that we want to enable rules specified in enablesid.conf.
Next example, same as the previous but specifying that we want to -K (Keep) the originating tarball names. and write them to /usr/local/etc/snort/rules/
For users of Suricata, the same steps are necessary for where your installation files reside, but all that pulledpork needs to process rule files is the -S flag is set to Suricata-3.1.3 or whatever version of Suricata you are using
Copyright (C) 2009-2017 JJ Cummings, Michael Shirk and the PulledPork Team!