Netgate Discussion Forum

    Snort using PulledPork?

pfSense Packages
    8 Posts 4 Posters 6.0k Views
taryezveb

Does Snort currently use PulledPork? If not, are there any plans to start using PulledPork?

I ask because of this: http://blog.snort.org/2012/01/importance-of-pulledpork.html

Thanks

taryezveb

Guess nobody knows or can't answer. ;)

Gradius

Probably not. They are still on 2.9.1 while the latest is 2.9.2.1 (as of 01/18).

eri--

No, it's not using that.
Also, it uses what makes it work!

I have not had a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.

taryezveb

@ermal:

    No, it's not using that.
    Also, it uses what makes it work!

I figured Snort was not using PulledPork now, but thought I'd ask just in case. ;)

@ermal:

    I have not had a look at PulledPork, but the idea behind these scripts is that none of them allow customization easily enough.

OK, but from what I have read it seems PulledPork is the future. Hopefully it can be used in pfSense in the future.

Thanks

eri--

My experience with this kind of tool is that they are not made to ease the job of people like me (pfSense) who customize/wrap/reuse things.

They are just made to look nice on blogs.
Usually the best way is to rewrite them to your needs, since even the list of dependencies makes them hard, too.

That said, it's not that I have not considered PulledPork, but I just have not had time to make all the features in Snort stable.
There is still some work to do.

atpoirie

I have PulledPork working on my setup. Be warned: you can no longer use the web interface to update your rules or enable/disable individual rules; this has to be done through the command line. I ran into an issue where individual rules would enable themselves after restarting an interface (using VLANs), because it would copy the original rule set into the interface's rule set every time the interface was restarted.

Configuration notes

Install Snort

(I install Squid and SquidGuard first, which brings in some of the needed Perl modules; you could use the pkg_add commands below to install them separately.)

We need to install some Perl modules; these commands take care of that:

# Perl modules PulledPork needs (mostly for fetching the rule tarballs over HTTPS)
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Crypt-SSLeay-0.58_1.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-HTTP-Request-Params-1.01_2.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Parse-HTTP-UserAgent-0.33.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-LWP-Protocol-https-6.02.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-Mozilla-CA-20111025.tbz
pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/perl5/p5-IO-Socket-SSL-1.53.tbz

Next, download PulledPork and copy it onto a system running SSH (this is the only way I know how to get files transferred onto pfSense boxes).

From the command line on the pfSense box, run:

# -r copies the whole unpacked pulledpork-0.6.1 directory; note the colon between host and path
scp -r root@<server with pulledpork>:/path/to/pulledpork-0.6.1 /usr/local/etc/
cd /usr/local/etc
mv pulledpork-0.6.1 pulledpork
cd /usr/local/etc/pulledpork/etc/

Edit pulledpork.conf

Configure the following:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<your oink code here>
rule_url=https://www.snort.org/reg-rules/|opensource.gz|<your oink code here>

Note that https is changed to http on this one; they don't have a valid SSL cert:

rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open

Comment out the rule_url for ETPro downloads; we don't have that.

Leave the ignore= line alone; it sounds good already.

temp_path=/tmp
rule_path=/usr/local/etc/snort/rules/snort.rules
out_path=/usr/local/etc/snort/rules/
sid_msg=/usr/local/etc/snort/sid-msg.map
sid_changelog=/var/log/sid_changes.log
snort_path=/usr/local/bin/snort
config_path=/usr/local/etc/snort/snort.conf
sostub_path=/usr/local/etc/snort/rules/so_rules.rules
distro=FreeBSD-8-1 # I don't know if this is actually correct, but I saw it mentioned on pfsense.org somewhere
backup=/usr/local/etc/snort,/usr/local/etc/pulledpork
backup_file=/tmp/pp_backup

This will change per system and interface, but for FlameServer this seemed to be correct:

pid_path=/var/log/snort/run/snort_bce0_vlan2247633.pid,/var/log/snort/run/snort_bce0_vlan2329817.pid,/var/log/snort/run/snort_bce0_vlan69651.pid

Uncomment:

disablesid=/usr/local/etc/pulledpork/etc/disablesid.conf

Configuring disablesid.conf

Add the following to disablesid.conf to disable checking of Skype connections:

1:5692-1:5694,1:5998,1:5999

Running PulledPork

# -c config file, -k keep rules in their original files, -H send SIGHUP to the Snort pids in pid_path, -T text rules only (skip SO rules)
perl5.12.4 /usr/local/etc/pulledpork/pulledpork.pl -c /usr/local/etc/pulledpork/etc/pulledpork.conf -k -H -T

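The procedure above leaves two things to the operator's eye: the rule_url lines are edited by hand (an oink code is a credential, and a plain-http source gives the rule tarball no transport integrity), and, as the poster says, pfSense copies the original rule set back into the interface's rule set on every interface restart, which silently re-enables the SIDs that disablesid.conf turned off. The script below is an added example; it is not code from the thread, from pfSense or from the PulledPork project. It sanity-checks a pulledpork.conf for malformed rule_url lines, leftover placeholders and http:// sources, and compares a disablesid.conf against a live rules file to report SIDs that have come back. It assumes the formats shown in the post (three |-separated rule_url fields, "gid:sid" and "gid:sid-gid:sid" disablesid entries, rules carrying a "sid:NNNN;" option); the sample files it writes are constructed, including the oink code value.

```shell
#!/bin/sh
# Added example, not from the thread or the PulledPork project.
# Assumes the file layouts the post uses: pulledpork.conf with rule_url=
# lines, disablesid.conf with "gid:sid" / "gid:sid-gid:sid" entries, and
# rule lines carrying a "sid:NNNN;" option.

# 1) Check rule_url lines before running PulledPork: exactly three
#    |-separated fields (url|tarball|oinkcode-or-open), no quoted or <...>
#    placeholder left in the oinkcode field, and plain-http sources
#    reported. Prints one finding per line; returns 1 if anything was found.
validate_pulledpork_conf() {
    awk -F'[|]' '
        /^[[:space:]]*rule_url[[:space:]]*=/ {
            if (NF != 3) { print "bad field count: " $0; bad++; next }
            if ($3 ~ /["<>]/) { print "placeholder oinkcode: " $0; bad++ }
            if ($1 ~ /=[[:space:]]*http:\/\//) { print "plaintext source: " $0; bad++ }
        }
        END { exit (bad > 0) }' "$1"
}

# 2) Expand disablesid.conf (comma-separated entries, ranges allowed,
#    # comments) into one "gid:sid" per line.
expand_disablesid() {
    awk -F, '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 1; i <= NF; i++) {
                e = $i; gsub(/[[:space:]]/, "", e)
                if (e == "") continue
                if (index(e, "-") > 0) {
                    split(e, r, "-"); split(r[1], a, ":"); split(r[2], b, ":")
                    for (s = a[2] + 0; s <= b[2] + 0; s++) print a[1] ":" s
                } else print e
            }
        }' "$1"
}

# 3) After an interface restart has re-copied the rule set, list every SID
#    from disablesid.conf that is active (uncommented) in the given rules
#    file. A rule with no gid option is gid 1. Returns 1 if any were found.
check_disabled_sids() {
    expand_disablesid "$1" | awk -v rules="$2" '
        { want[$0] = 1 }
        END {
            while ((getline line < rules) > 0) {
                if (line ~ /^[[:space:]]*#/) continue          # commented out = disabled
                if (!match(line, /sid:[[:space:]]*[0-9]+;/)) continue
                sid = substr(line, RSTART + 4, RLENGTH - 5); gsub(/[[:space:]]/, "", sid)
                gid = "1"
                if (match(line, /gid:[[:space:]]*[0-9]+;/)) {
                    gid = substr(line, RSTART + 4, RLENGTH - 5); gsub(/[[:space:]]/, "", gid)
                }
                if ((gid ":" sid) in want) { print gid ":" sid; bad++ }
            }
            exit (bad > 0)
        }'
}

# Constructed sample files for a stand-alone run (not real pfSense data; the
# oinkcode is a made-up value). Prints the directory they were written to.
demo_setup() {
    d=$(mktemp -d)
    cat > "$d/pulledpork.conf" <<'EOF'
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|"Your oink code here"
rule_url=https://www.snort.org/reg-rules/|opensource.gz|0123456789abcdef
rule_url=http://rules.emergingthreats.net/|emerging.rules.tar.gz|open
#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et_oinkcode>
temp_path=/tmp
EOF
    cat > "$d/disablesid.conf" <<'EOF'
# Skype rules, as in the post
1:5692-1:5694,1:5998,1:5999
EOF
    cat > "$d/snort.rules" <<'EOF'
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SKYPE a"; sid:5692; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SKYPE b"; sid:5693; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SKYPE c"; sid:5694; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"unrelated"; sid:1234; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SKYPE e"; gid:1; sid:5999; rev:2;)
EOF
    printf '%s\n' "$d"
}

# Typical use on the firewall, e.g. from cron after each PulledPork run:
#   validate_pulledpork_conf /usr/local/etc/pulledpork/etc/pulledpork.conf
#   check_disabled_sids /usr/local/etc/pulledpork/etc/disablesid.conf \
#       /usr/local/etc/snort/rules/snort.rules
```

Against the sample files, the conf check flags the quoted placeholder and the http:// Emerging Threats source, and the SID check reports 1:5694 and 1:5999 as active again while 1:5692 and 1:5693 stay disabled. Pointing check_disabled_sids at the per-interface copy of the rules (rather than the file PulledPork wrote) is what catches the restart problem the poster describes.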
taryezveb

ermal,

I understand all this takes time, implementing, testing, etc… Keep up the good work! Will donate again when I can.

atpoirie,

Nice writeup, thanks; may give this a try if/when I have time ;)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.