{"id":4262,"date":"2016-11-29T03:03:45","date_gmt":"2016-11-28T19:03:45","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4262"},"modified":"2016-11-29T03:03:55","modified_gmt":"2016-11-28T19:03:55","slug":"pulled-pork-suricata-snort-rule-management","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/11\/pulled-pork-suricata-snort-rule-management\/","title":{"rendered":"Pulled Pork &#8211; Suricata &#038; Snort Rule Management"},"content":{"rendered":"<p>Pulled Pork is a PERL based tool for <a href=\"https:\/\/www.darknet.org.uk\/2010\/05\/suricata-open-source-next-generation-intrusion-detection-and-prevention-engine\/\">Suricata<\/a> and <a href=\"https:\/\/www.darknet.org.uk\/2016\/11\/snort-free-network-intrusion-detection-prevention-system\/\">Snort<\/a> rule management &#8211; it can determine your version of Snort and automatically download the latest rules for you.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/11\/Pulled-Pork-Suricata-Snort-Rule-Management-640x415.png\" alt=\"Pulled Pork - Suricata &amp; Snort Rule Management\" width=\"640\" height=\"415\" class=\"aligncenter size-medium wp-image-4348\" srcset=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/11\/Pulled-Pork-Suricata-Snort-Rule-Management-640x415.png 640w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2016\/11\/Pulled-Pork-Suricata-Snort-Rule-Management.png 794w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>The name was chosen because simply speaking, it Pulls the rules. Using a regular crontab you can keep your Snort or Suricata rules up to date automatically.<\/p>\n<h3>Features and Capabilities<\/h3>\n<p>Pulledpork 0.7.2 has been tested and works with Snort 2.9.8.3\/Suricata 3.1.3 and the Snort Registered rules\/ETOpen\/ETPro rulesets.<\/p>\n<ul>\n<li>Automated downloading, parsing, state modification and rule modification for all of your snort rulesets.<\/li>\n<li>Checksum verification for all major rule downloads<\/li>\n<li>Automatic generation of updated sid-msg.map file<\/li>\n<li>Capability to include your local.rules in sid-msg.map file<\/li>\n<li>Capability to pull rules tarballs from custom urls<\/li>\n<li>Complete Shared Object support<\/li>\n<li>Complete IP Reputation List support<\/li>\n<li>Capability to download multiple disparate rulesets at once<\/li>\n<li>Maintains accurate changelog<\/li>\n<li>Capability to HUP processes after rules download and process<\/li>\n<li>Aids in tuning of rulesets<\/li>\n<li>Verbose output so that you know EXACTLY what is happening<\/li>\n<li>Minimal Perl Module dependencies<\/li>\n<li>Support for Suricata, and ETOpen\/ETPro rulesets<\/li>\n<\/ul>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<h3>Usage<\/h3>\n<pre>Usage: .\/pulledpork.pl [-dEgHklnRTPVvv? -help] -c <config filename> -o <rule output path>\r\n   -O <oinkcode> -s <so_rule output directory> -D <Distro> -S <SnortVer>\r\n   -p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>\r\n   -h <changelog path> -I (security|connectivity|balanced) -i <path to disablesid.conf>\r\n   -b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>\r\n   -r <path to docs folder> -K <directory for separate rules files>\r\n\r\nOptions:\r\n\r\n-help\/? Print this help info.\r\n-b Where the dropsid config file lives.\r\n-C Path to your snort.conf\r\n-c Where the pulledpork config file lives.\r\n-d Do not verify signature of rules tarball, i.e. downloading fron non VRT or ET locations.\r\n-D What Distro are you running on, for the so_rules\r\n   Valid Distro Types:\r\n     Debian-6-0, Ubuntu-10-4, Ubuntu-12-04, Centos-5-4\r\n     FC-12, FC-14, RHEL-5-5, RHEL-6-0\r\n     FreeBSD-8-1, FreeBSD-9-0, FreeBSD-10-0, OpenBSD-5-2, OpenBSD-5-3\r\n     OpenSUSE-11-4, OpenSUSE-12-1, Slackware-13-1   \r\n-e Where the enablesid config file lives.\r\n-E Write ONLY the enabled rules to the output files.\r\n-g grabonly (download tarball rule file(s) and do NOT process)\r\n-h path to the sid_changelog if you want to keep one?\r\n-H Send a SIGHUP to the pids listed in the config file\r\n-I Specify a base ruleset( -I security,connectivity,or balanced, see README.RULESET)\r\n-i Where the disablesid config file lives.\r\n-k Keep the rules in separate files (using same file names as found when reading)\r\n-K Where (what directory) do you want me to put the separate rules files?\r\n-l Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher) \r\n-L Where do you want me to read your local.rules for inclusion in sid-msg.map\r\n-m where do you want me to put the sid-msg.map file?\r\n-M where the modifysid config file lives.\r\n-n Do everything other than download of new files (disablesid, etc)\r\n-o Where do you want me to put generic rules file?\r\n-p Path to your Snort binary\r\n-P Process rules even if no new rules were downloaded\r\n-R When processing enablesid, return the rules to their ORIGINAL state\r\n-r Where do you want me to put the reference docs (xxxx.txt)\r\n-S What version of snort are you using\r\n-s Where do you want me to put the so_rules?\r\n-T Process text based rules files only, i.e. DO NOT process so_rules\r\n-u Where do you want me to pull the rules tarball from\r\n** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas\r\n-V Print Version and exit\r\n-v Verbose mode, you know.. for troubleshooting and such nonsense.\r\n-vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.\r\n-w Skip the SSL verification (if there are issues pulling down rule files)\r\n-W Where you want to work around the issue where some implementations of LWP do not work with pulledpork's proxy configuration.<\/pre>\n<p>You can download Pulled Pork here:<\/p>\n<p><a href=\"https:\/\/github.com\/shirkdog\/pulledpork\/archive\/v0.7.2.zip\">pulledpork-v0.7.2.zip<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/shirkdog\/pulledpork\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Pulled Pork is a PERL based tool for Suricata and Snort rule management &#8211; it can determine your version of Snort and automatically download the latest rules for you. The name was chosen because simply speaking, it Pulls the rules. Using a regular crontab you can keep your Snort or Suricata rules up to date [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"Pulled Pork is a PERL based tool for Suricata and Snort rule management - it can determine your version of Snort and download the rules for you.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[12,5,11],"tags":[360,5280],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4262"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4262"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4262\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4262"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4262"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4262"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}