Snort using PulledPork?



  • Does Snort currently use PulledPork? If not, are there any plans to start using PulledPork?

    I ask because of this: http://blog.snort.org/2012/01/importance-of-pulledpork.html

    Thanks



  • Guess nobody knows or can't answer. ;)



  • Probably not.  They are still on 2.9.1 while the latest is 2.9.2.1 (as of 01/18).



  • No, it's not using that.
    Also, it uses what makes it work!

    I have not given a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.



  • @ermal:

    No, it's not using that.
    Also, it uses what makes it work!

    I figured Snort was not using PulledPork now, but thought I'd ask just in case. ;)

    @ermal:

    I have not given a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.

    OK, but from what I have read it seems PulledPork is the future. Hopefully it can be used in pfSense in the future.

    Thanks



  • My experience with this kind of tool is that they are not made to ease the job of people like me (pfSense) who customize/wrap/reuse things.

    They are just made to look nice on blogs.
    Usually the best way is to re-write them to your needs, since even the list of dependencies makes them hard, too.

    That said, it's not that I have not considered PulledPork; I just have not had time to make all the features in Snort stable.
    There is still some work to do.



  • I have PulledPork working on my setup.  Be warned: you can no longer use the web interface to update your rules or enable/disable individual rules; this has to be done through the command line.  I ran into an issue where individual rules would enable themselves after restarting an interface (using VLANs), because it would copy the original rule set into the interface's rule set every time the interface was restarted.

    Configuration notes
    Install Snort

    (I install Squid and SquidGuard first, which gives some of the needed Perl modules; you could use the pkg_add commands below to install them separately.)

    We need to install some Perl modules; these commands take care of that:

    pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Crypt-SSLeay-0.58_1.tbz

    pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-HTTP-Request-Params-1.01_2.tbz

    pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Parse-HTTP-UserAgent-0.33.tbz

    pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-LWP-Protocol-https-6.02.tbz

    pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Mozilla-CA-20111025.tbz

    pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-IO-Socket-SSL-1.53.tbz

    Next, download PulledPork and copy it onto a system running SSH (this is the only way I know how to get files transferred onto pfSense boxes).

    From the command line on the pfSense box, run:

    scp -r root@"server with pulledpork":/path/to/pulledpork-0.6.1 /usr/local/etc/

    cd /usr/local/etc

    mv pulledpork-0.6.1 pulledpork

    cd /usr/local/etc/pulledpork/etc/

    Edit pulledpork.conf

    Configure the following:

    rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|"Your oink code here"

    rule_url=https://www.snort.org/reg-rules/|opensource.gz|"Your oink code here"

    Note that https is changed to http on this one; they don't have a valid SSL cert.

    rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open

    Comment out the rule_url for ETPro downloads; we don't have that.

    Leave the ignore= line alone; it sounds good already.

    temp_path=/tmp

    rule_path=/usr/local/etc/snort/rules/snort.rules

    out_path=/usr/local/etc/snort/rules/

    sid_msg=/usr/local/etc/snort/sid-msg.map

    sid_changelog=/var/log/sid_changes.log

    snort_path=/usr/local/bin/snort

    config_path=/usr/local/etc/snort/snort.conf

    sostub_path=/usr/local/etc/snort/rules/so_rules.rules

    distro=FreeBSD-8-1 #I don't know if this is actually correct but I saw it mentioned on pfsense.org somewhere

    backup=/usr/local/etc/snort,/usr/local/etc/pulledpork

    backup_file=/tmp/pp_backup

    This will change per system and interface, but for FlameServer this seemed to be correct:

    pid_path=/var/log/snort/run/snort_bce0_vlan2247633.pid,/var/log/snort/run/snort_bce0_vlan2329817.pid,/var/log/snort/run/snort_bce0_vlan69651.pid

    Uncomment

    disablesid=/usr/local/etc/pulledpork/etc/disablesid.conf

    Configuring disablesid.conf

    Add the following to disablesid.conf to disable checking of Skype connections

    1:5692-1:5694,1:5998,1:5999

    Running PulledPork

    perl5.12.4 /usr/local/etc/pulledpork/pulledpork.pl -c /usr/local/etc/pulledpork/etc/pulledpork.conf -k -H -T
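
    The post above relies on a disablesid.conf entry (`1:5692-1:5694,1:5998,1:5999`) and warns that rules can silently re-enable themselves after an interface restart. The following is an added example, not PulledPork's own code and not something from the original post: it expands that gid:sid range syntax the same way, comments out the matching rules in a snort.rules file, and, more usefully, reports which of the listed SIDs are still active so the result can be checked after each PulledPork run or interface restart. The rules and msg strings embedded in it are constructed samples, not real Snort rules, and only the gid:sid and range forms from the post are supported (PulledPork's category and pcre entries are rejected rather than guessed at).

```python
#!/usr/bin/env python3
"""Apply PulledPork-style disablesid entries to a Snort rules file.

Added example, not PulledPork's own code. Implements only the
gid:sid and gid:sid-gid:sid (inclusive) syntax used in the post's
disablesid.conf so its effect can be previewed and then verified
against the snort.rules PulledPork actually wrote.
"""
import re
from typing import List, Optional, Set, Tuple

RuleId = Tuple[int, int]  # (gid, sid); Snort's default gid is 1

# Constructed copy of the post's disablesid.conf. PulledPork accepts one
# entry per line or several per line separated by commas; both work here.
DISABLESID_CONF = """\
# Skype connection checks (constructed)
1:5692-1:5694,1:5998,1:5999
"""

# Constructed sample rules: SIDs overlap the entries above, but the msg
# text and options are made up and are not the real Snort rules.
SNORT_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE skype login"; flow:to_server,established; content:"|16 03 01|"; sid:5692; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE skype startup"; sid:5693; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SAMPLE skype version check"; sid:5694; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE unrelated rule stays enabled"; content:"AAAA"; sid:1394; rev:8;)
alert udp $HOME_NET any -> $EXTERNAL_NET 33033 (msg:"SAMPLE skype udp"; sid:5998; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"SAMPLE skype http fallback"; sid:5999; rev:2;)
alert tcp any any -> any any (msg:"SAMPLE explicit gid 3, stays enabled"; gid:3; sid:5692; rev:1;)
"""

_ENTRY = re.compile(r"^(\d+):(\d+)(?:-(\d+):(\d+))?$")
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_disablesid(text: str) -> Set[RuleId]:
    """Expand disablesid entries into the set of (gid, sid) pairs to disable."""
    disabled: Set[RuleId] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        for entry in (e.strip() for e in line.split(",")):
            m = _ENTRY.match(entry)
            if not m:
                raise ValueError(f"unsupported disablesid entry: {entry!r}")
            gid, sid, gid2, sid2 = m.groups()
            gid, sid = int(gid), int(sid)
            if gid2 is None:
                disabled.add((gid, sid))
            elif int(gid2) != gid or int(sid2) < sid:
                raise ValueError(f"malformed range: {entry!r}")
            else:
                disabled.update((gid, s) for s in range(sid, int(sid2) + 1))
    return disabled


def rule_id(line: str) -> Optional[RuleId]:
    """Return (gid, sid) for a rule line, or None for a non-rule line.

    Commented-out rules are still identified, so callers can tell a
    disabled rule apart from an ordinary comment.
    """
    body = line.lstrip().lstrip("# ")
    m = _SID.search(body)
    if not m:
        return None
    g = _GID.search(body)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def is_active(line: str) -> bool:
    """A rule is active unless its line is commented out."""
    return not line.lstrip().startswith("#")


def disable_rules(rules_text: str, disabled: Set[RuleId]) -> str:
    """Comment out every active rule whose (gid, sid) is in `disabled`.

    Idempotent: rules that are already commented out are left alone.
    """
    out: List[str] = []
    for line in rules_text.splitlines():
        if is_active(line) and rule_id(line) in disabled:
            line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n"


def still_enabled(rules_text: str, disabled: Set[RuleId]) -> List[RuleId]:
    """(gid, sid) pairs from `disabled` that are still active in rules_text.

    Run this after PulledPork finishes and again after an interface
    restart, since the post reports the GUI copying the original rule
    set back and re-enabling rules.
    """
    active = {rule_id(l) for l in rules_text.splitlines() if is_active(l)}
    return sorted(rid for rid in disabled if rid in active)


if __name__ == "__main__":
    disabled = parse_disablesid(DISABLESID_CONF)
    print("still enabled before:", still_enabled(SNORT_RULES, disabled))
    patched = disable_rules(SNORT_RULES, disabled)
    print(patched, end="")
    print("still enabled after: ", still_enabled(patched, disabled))
```

    To use it against a live box, replace the two embedded strings with the contents of /usr/local/etc/pulledpork/etc/disablesid.conf and /usr/local/etc/snort/rules/snort.rules; a non-empty list from still_enabled() after a restart is exactly the symptom the post describes.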



  • ermal,

    I understand all this takes time, implementing, testing, etc… Keep up the good work! Will donate again when I can.

    atpoirie,

    Nice writeup, thanks; I may give this a try if/when I have time ;)

