Snort using PulledPork?

  • Does Snort currently use PulledPork? If not, are there any plans to start using PulledPork?

    I ask because of this:


  • Guess nobody knows or can't answer. ;)

Probably not. They are still on 2.9.1 while the latest is (as of 01/18).

No, it's not using that.
    Also, it uses what makes it work!

    I have not given a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.

  • @ermal:

No, it's not using that.
    Also, it uses what makes it work!

    I figured Snort was not using PulledPork now, but thought I'd ask just in case. ;)


I have not given a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.

Ok, but it seems, from what I have read, that PulledPork is the future. Hopefully it can be used in pfSense in the future.


From experience with this kind of tool, they are not made to ease the job of people like me (pfSense) who customize/wrap/reuse things.

    They are just made to look nice on blogs.
    Usually the best way is to re-write them to your needs, since even the list of dependencies makes them hard too.

    Saying that, it's not that I have not considered PulledPork, but I just have not had time to make all the features in Snort stable.
    There is still some work to do.

I have PulledPork working on my setup. Be warned: you can no longer use the web interface to update your rules or enable/disable individual rules; this has to be done through the command line. I ran into an issue where individual rules would enable themselves after restarting an interface (using VLANs), because it would copy the original rule set into the interface's rule set every time the interface was restarted.

    Configuration notes
    Install Snort

(I install Squid and SquidGuard first, which provides some of the needed Perl modules; you could use the pkg_add commands below to install them separately.)

We need to install some Perl modules; these commands take care of that:







Next, download PulledPork and copy it onto a system running SSH (this is the only way I know of to transfer files onto pfSense boxes).

    From the command line on the pfsense box run

scp -r root@"server with pulledpork":/path/to/pulledpork-0.6.1 /usr/local/etc/

    cd /usr/local/etc

    mv pulledpork-0.6.1 pulledpork

    cd /usr/local/etc/pulledpork/etc/

    Edit pulledpork.conf

    Configure the following

    rule_url=|snortrules-snapshot.tar.gz|"Your oink code here"

    rule_url=|opensource.gz|"Your oink code here"

Note that https is changed to http on this one; they don't have a valid SSL cert.


Comment out the #rule_url line for ETPro downloads; we don't have that.

    Leave ignore= line alone, sounds good already









distro=FreeBSD-8-1 #I don't know if this is actually correct, but I saw it mentioned somewhere



This will change per system and interface, but for FlameServer? this seemed to be correct:




    Configuring disablesid.conf

    Add the following to disablesid.conf to disable checking of Skype connections


    Running PulledPork

    perl5.12.4 /usr/local/etc/pulledpork/pulledpork -c /usr/local/etc/pulledpork/etc/pulledpork.conf -k -H -T
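The disablesid.conf step in the writeup above is the part that keeps rules switched off across refreshes: the disable list, not a hand-edited rules file, is the source of truth, and PulledPork re-applies it after every download, which is why re-running it restores the intended state after something overwrites the rules. The script below is an added example, written for this page; it is not part of the original post and not PulledPork's own code. It re-implements that step for one rules file on constructed input so the effect can be seen offline. It handles the two entry forms used in PulledPork's disablesid.conf, gid:sid lists (with gid:sid-gid:sid ranges) and pcre:<regex> matched against the rule text; matching the pcre case-insensitively, and treating a rule line that starts with "#" as already disabled, are assumptions made here. The sample rules and sids are invented for the example.

```python
# Added example: a small re-implementation of PulledPork's disablesid.conf
# step for a single Snort rules file. Not PulledPork's code; sample data below
# is constructed and the sids are invented.
import re

# A rule line, optionally already commented out ("# alert ..." or "#alert ...").
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?'
    r'(?P<body>(?:alert|log|pass|drop|reject|sdrop)\b.*\))\s*$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
ID_RE = re.compile(r'(\d+):(\d+)(?:-(\d+):(\d+))?')   # gid:sid or gid:sid-gid:sid


def parse_disablesid(text):
    """Return (set of (gid, sid) tuples, list of compiled pcre patterns)."""
    ids, pcres = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.lower().startswith('pcre:'):
            # Assumption: match case-insensitively against the whole rule text.
            pcres.append(re.compile(line[len('pcre:'):].strip(), re.IGNORECASE))
            continue
        for item in line.split(','):
            item = item.strip()
            if not item:
                continue
            m = ID_RE.fullmatch(item)
            if not m:
                raise ValueError(f'unrecognised disablesid entry: {item!r}')
            g1, s1, g2, s2 = m.groups()
            if g2 is None:
                ids.add((int(g1), int(s1)))
            elif g1 != g2:
                raise ValueError(f'range must stay within one gid: {item!r}')
            else:
                ids.update((int(g1), s) for s in range(int(s1), int(s2) + 1))
    return ids, pcres


def rule_identity(body):
    """(gid, sid) of a rule body; gid defaults to 1 as Snort does."""
    sid = SID_RE.search(body)
    if not sid:
        return None
    gid = GID_RE.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_disablesid(rules_text, disablesid_text):
    """Comment out every rule matching the disable list.

    Returns (new rules text, list of newly disabled (gid, sid)). Rules that are
    already disabled and lines that are not rules pass through untouched, so
    running it again on its own output changes nothing (idempotent).
    """
    ids, pcres = parse_disablesid(disablesid_text)
    out, newly_disabled = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)
            continue
        body = m.group('body')
        ident = rule_identity(body)
        hit = ident in ids or any(p.search(body) for p in pcres)
        if hit and m.group('disabled') is None:
            out.append('# ' + body)
            newly_disabled.append(ident)
        else:
            out.append(line)
    return '\n'.join(out) + '\n', newly_disabled


# Constructed sample ruleset (invented sids, not real Snort rules).
SAMPLE_RULES = """\
# constructed sample ruleset
alert tcp $HOME_NET any -> $EXTERNAL_NET 33033 (msg:"POLICY Skype login attempt"; flow:to_server; sid:9000001; rev:1;)
alert udp $HOME_NET any -> any any (msg:"POLICY SKYPE UDP probe"; sid:9000002; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY disabled by vendor"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh brute force"; gid:1; sid:9000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample"; sid:9000005; rev:1;)
"""

# Constructed disablesid.conf: one pcre entry and one comma-separated id list.
SAMPLE_DISABLESID = """\
# constructed disablesid.conf
pcre:skype
1:9000004,1:9000005
"""

if __name__ == '__main__':
    text, changed = apply_disablesid(SAMPLE_RULES, SAMPLE_DISABLESID)
    print(text)
    print('newly disabled:', changed)
```

On the sample input both Skype rules are disabled by the pcre entry, the two listed sids are disabled by id, the rule the vendor had already commented out is left as it was, and a second pass over the output reports nothing to change. In a real deployment the equivalent work is done by the pulledpork run shown above; this script only shows what that step does to the file.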

  • ermal,

    I understand all this takes time, implementing, testing, etc… Keep up the good work! Will donate again when I can.


    Nice writeup thanks, may give this a try; if/when I have time ;)
