Snort using PulledPork?
-
Does Snort currently use PulledPork? If not, are there any plans to start using PulledPork?
I ask because of this: http://blog.snort.org/2012/01/importance-of-pulledpork.html
Thanks
-
Guess nobody knows or can't answer. ;)
-
Probably not. They are still on 2.9.1 while the latest is 2.9.2.1 (as of 01/18).
-
No, it's not using that.
Also, it uses what makes it work! I have not given a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.
-
@ermal:
No, it's not using that.
Also, it uses what makes it work!
I figured Snort was not using PulledPork now, but thought I'd ask just in case. ;)
@ermal:
I have not given a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.
Ok, but it seems from what I have read PulledPork is the future. Hopefully it can be used in pfSense in the future.
Thanks
-
From experience with this kind of tools, they are not made to ease the job of people like me (pfSense) who customize/wrap/reuse things.
They are just made to look nice on blogs.
Usually the best way is to re-write them to your needs, since even the list of dependencies makes them hard too.
Saying that, it's not that I have not considered PulledPork, but I just have not had time to make all the features in Snort stable.
There is still some work to do.
-
I have PulledPork working on my setup. Be warned: you can no longer use the web interface to update your rules or enable/disable individual rules; this has to be done through the command line. I ran into an issue where individual rules would enable themselves after restarting an interface (using VLANs), because it would copy the original rule set into the interface's rule set every time the interface was restarted.
Configuration notes
Install Snort (I install Squid and SquidGuard first, which gives some of the needed Perl installs; you could use the pkg_add commands below to install them separately)
We need to install some Perl modules - these commands take care of that
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Crypt-SSLeay-0.58_1.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-HTTP-Request-Params-1.01_2.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Parse-HTTP-UserAgent-0.33.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-LWP-Protocol-https-6.02.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Mozilla-CA-20111025.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-IO-Socket-SSL-1.53.tb
Next, download PulledPork and copy it onto a system running SSH (this is the only way I know how to get files transferred onto pfSense boxes)
From the command line on the pfSense box, run
scp -r root@<server with pulledpork>:/path/to/pulledpork-0.6.1 /usr/local/etc/
cd /usr/local/etc
mv pulledpork-0.6.1 pulledpork
cd /usr/local/etc/pulledpork/etc/
Edit pulledpork.conf
Configure the following
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|"Your oink code here"
rule_url=https://www.snort.org/reg-rules/|opensource.gz|"Your oink code here"
Note the https is changed to http on this one; they don't have a valid SSL cert
rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open
Comment out the #rule_url line for etpro downloads; we don't have that
Leave the ignore= line alone, it sounds good already
temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_changelog=/var/log/sid_changes.log
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
sostub_path=/usr/local/etc/snort/rules/so_rules.rules
distro=FreeBSD-8-1 #I don't know if this is actually correct but I saw it mentioned on pfsense.org somewhere
backup=/usr/local/etc/snort,/usr/local/etc/pulledpork
backup_file=/tmp/pp_backup
This will change per system and interface, but for FlameServer this seemed to be correct
pid_path=/var/log/snort/run/snort_bce0_vlan2247633.pid,/var/log/snort/run/snort_bce0_vlan2329817.pid,/var/log/snort/run/snort_bce0_vlan69651.pid
Uncomment
disablesid=/usr/local/etc/pulledpork/etc/disablesid.conf
Configuring disablesid.conf
Add the following to disablesid.conf to disable checking of Skype connections
1:5692-1:5694,1:5998,1:5999
Running PulledPork
perl5.12.4 /usr/local/etc/pulledpork/pulledpork -c /usr/local/etc/pulledpork/etc/pulledpork.conf -k -H -T
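The post above warns that individual rules can silently re-enable themselves after an interface restart, and that disabling has to be managed through disablesid.conf rather than the web interface. The script below is an added example (it is not code from the post, from PulledPork, or from pfSense) that checks whether every SID listed in a disablesid.conf really is commented out in the generated snort.rules, so a rule that came back to life is caught rather than discovered later. It expands the same range syntax the post uses (1:5692-1:5694,1:5998,1:5999), uses only POSIX sh tools so it runs on a FreeBSD/pfSense box, and ships with constructed sample files for an offline run; the real paths from the post are assumed in the usage comment.

```shell
#!/bin/sh
# Added example (not code from the post above): verify that every SID named
# in PulledPork's disablesid.conf is actually commented out in the generated
# snort.rules, i.e. detect the "rules re-enabled themselves" failure mode.

# expand_sids "1:5692-1:5694,1:5998,1:5999" -> one gid:sid per line
expand_sids() {
    echo "$1" | tr ',' '\n' | while IFS= read -r item; do
        case "$item" in
            "") ;;                      # skip empty entries
            *-*)                        # a range such as 1:5692-1:5694
                start=${item%%-*}
                end=${item##*-}
                gid=${start%%:*}
                s=${start##*:}
                e=${end##*:}
                while [ "$s" -le "$e" ]; do
                    echo "$gid:$s"
                    s=$((s + 1))
                done
                ;;
            *)  echo "$item" ;;
        esac
    done
}

# active_sids RULESFILE -> "gid:sid" for every rule line that is NOT commented out.
# Snort defaults gid to 1 when a rule carries no gid: option.
active_sids() {
    grep -v '^[[:space:]]*#' "$1" | grep 'sid:[0-9][0-9]*;' | while IFS= read -r line; do
        sid=$(printf '%s\n' "$line" | sed -n 's/.*[;[:space:](]sid:\([0-9]*\);.*/\1/p')
        gid=$(printf '%s\n' "$line" | sed -n 's/.*[;[:space:](]gid:\([0-9]*\);.*/\1/p')
        [ -z "$gid" ] && gid=1
        echo "$gid:$sid"
    done
}

# check_disabled DISABLESID_CONF RULESFILE
# Returns 0 when every SID named in disablesid.conf is disabled in the rules
# file, 1 (printing the offenders) when any of them is still active.
check_disabled() {
    active=$(active_sids "$2")
    wanted=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
             while IFS= read -r entry; do expand_sids "$entry"; done)
    offenders=""
    for want in $wanted; do
        if printf '%s\n' "$active" | grep -qxF "$want"; then
            offenders="$offenders $want"
        fi
    done
    if [ -n "$offenders" ]; then
        echo "STILL ACTIVE:$offenders"
        return 1
    fi
    echo "all listed SIDs are disabled"
    return 0
}

# Constructed sample inputs (not real Snort rules) so the check runs offline.
make_sample_disablesid() {
    cat > "$1" <<'EOF'
# constructed: the same entry the post above puts in disablesid.conf
1:5692-1:5694,1:5998,1:5999
EOF
}
make_sample_rules() {
    cat > "$1" <<'EOF'
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED disabled rule"; sid:5692; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED rule that came back"; sid:5693; rev:1;)
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED disabled rule"; sid:5694; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED disabled rule"; sid:5998; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED disabled rule"; sid:5999; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"CONSTRUCTED unrelated rule"; sid:1000001; rev:1;)
EOF
}

# Demo on the constructed files. On a real box, point it at the paths from the
# post (assumed here):
#   check_disabled /usr/local/etc/pulledpork/etc/disablesid.conf /usr/local/etc/snort/rules/snort.rules
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp) && r=$(mktemp)
    make_sample_disablesid "$d" && make_sample_rules "$r"
    check_disabled "$d" "$r"      # prints: STILL ACTIVE: 1:5693
    rm -f "$d" "$r"
fi
```

Run it right after the pulledpork command above, and again after any interface restart; a non-zero exit means a SID from disablesid.conf is live again in snort.rules and the rules need to be regenerated before Snort is restarted.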
-
ermal,
I understand all this takes time, implementing, testing, etc… Keep up the good work! Will donate again when I can.
atpoirie,
Nice writeup, thanks; I may give this a try if/when I have time ;)