Saturday, September 9, 2017

Downloading Snort rules

After installing Snort we need to give it a rule set: Snort compares the network packets it sees against these rules and raises an alert for every match. It is therefore worth knowing which rules we load and which events we actually want to be alerted on.
To start we download the official rule set; once we have it we can go through it and keep the rules that are useful for our network. For the download we use PulledPork, a Perl script that fetches the official Snort rules and installs them into the paths our Snort configuration uses.
To install PulledPork we only need a few commands in a terminal (the first two as a normal user, the rest as root):
$ wget http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz
$ tar -zxf pulledpork-0.5.0.tar.gz && cd pulledpork-0.5.0
$ sudo su
# cp pulledpork.pl /usr/local/bin && cp etc/*.conf /etc/snort
# vi /etc/snort/pulledpork.conf
With these commands we downloaded PulledPork, extracted it, copied the script and the configuration files from its etc/ directory into place, and opened the configuration file, which we must edit before PulledPork can work. Note that Google Code, where this archive was hosted, has since shut down and the project moved to GitHub, so fetch the release from the current project page and check the archive against its published checksum before unpacking it.

Before that, in order to download rules from the official Snort site we need our Oinkcode. Every registered snort.org user gets an Oinkcode, and it has to be placed in pulledpork.conf for the download to work. Treat it as a credential: it identifies your account to snort.org, so keep pulledpork.conf readable only by root.
Once we have our Oinkcode, in the configuration file (pulledpork.conf) we uncomment the rule_url line (line 20 in this version of the file) and replace <oinkcode> with the code we received. The following lines also need to be changed (line numbers refer to the file shipped with pulledpork-0.5.0 and may differ in other versions):
Line 56: change to: rule_path=/etc/snort/rules/snort.rules
Line 64: change to: local_rules=/etc/snort/rules/local.rules
Line 67: change to: sid_msg=/etc/snort/sid-msg.map
Line 90: change to: config_path=/etc/snort/snort.conf
Line 101: change to: distro=Lucid-Lynx
Line 133: uncomment and change to: snort_version=2.9.0.4
Line 137: uncomment and change to: enablesid=/etc/snort/enablesid.conf
Line 139: uncomment and change to: disablesid=/etc/snort/disablesid.conf
Line 140: uncomment and change to: modifysid=/etc/snort/modifysid.conf
These settings tell PulledPork where our Snort installation lives and where to write the rules. Two of them must match the installed Snort exactly: snort_version must be the version that `snort -V` reports, because PulledPork picks the rule snapshot to download by that version, and distro must be the platform the precompiled shared-object rules were built for. A mismatch means the wrong rule tarball, or none at all, is fetched.
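The line numbers above belong to the pulledpork.conf that ships with 0.5.0 and move between releases, so when scripting the same edits it is safer to match the option name instead. The script below is an added example, not PulledPork's own code or a file from the original post: it rewrites each option by key (uncommenting it if needed), substitutes the Oinkcode into the rule_url line, and applies exactly the values listed above. The configuration fragment it operates on is constructed in the shape of the shipped file (defaults under /usr/local/etc, optional keys commented out), and the Oinkcode used is a made-up placeholder.

```sh
#!/bin/sh
# Added example (not PulledPork's own code): edit pulledpork.conf by option
# name rather than by line number, so the same script works across releases.

# set_pp_key FILE KEY VALUE
# Rewrites every "KEY=..." line, commented out with '#' or not, to
# "KEY=VALUE" (uncommenting it). Appends the line if the key is absent.
set_pp_key() {
    _f=$1 _k=$2 _v=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${_k}=" "$_f"; then
        # sed -i is not portable, so write a temp copy and move it into place
        sed -E "s|^[[:space:]]*#?[[:space:]]*${_k}=.*|${_k}=${_v}|" "$_f" > "$_f.tmp" \
            && mv "$_f.tmp" "$_f"
    else
        printf '%s=%s\n' "$_k" "$_v" >> "$_f"
    fi
}

# get_pp_key FILE KEY: print the active (uncommented) value of KEY, or nothing
get_pp_key() {
    sed -nE "s|^[[:space:]]*$2=(.*)$|\1|p" "$1" | tail -n 1
}

# set_oinkcode FILE CODE: uncomment every rule_url line carrying the
# <oinkcode> placeholder and substitute the real code into it
set_oinkcode() {
    sed -E -e '/<oinkcode>/s|^[[:space:]]*#[[:space:]]*||' \
           -e "/<oinkcode>/s|<oinkcode>|$2|" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# apply_text_settings FILE: the edits listed in the text, applied by key
apply_text_settings() {
    set_pp_key "$1" rule_path     /etc/snort/rules/snort.rules
    set_pp_key "$1" local_rules   /etc/snort/rules/local.rules
    set_pp_key "$1" sid_msg       /etc/snort/sid-msg.map
    set_pp_key "$1" config_path   /etc/snort/snort.conf
    set_pp_key "$1" distro        Lucid-Lynx
    set_pp_key "$1" snort_version 2.9.0.4
    set_pp_key "$1" enablesid     /etc/snort/enablesid.conf
    set_pp_key "$1" disablesid    /etc/snort/disablesid.conf
    set_pp_key "$1" modifysid     /etc/snort/modifysid.conf
}

# make_sample_conf FILE: a CONSTRUCTED fragment in the shape of the shipped
# pulledpork.conf; it is not the real file
make_sample_conf() {
    cat > "$1" <<'EOF'
# rule_url=https://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2900.tar.gz
rule_path=/usr/local/etc/snort/rules/snort.rules
local_rules=/usr/local/etc/snort/rules/local.rules
sid_msg=/usr/local/etc/snort/sid-msg.map
config_path=/usr/local/etc/snort/snort.conf
distro=FreeBSD-8-1
# snort_version=2.9.0.0
# enablesid=/usr/local/etc/snort/enablesid.conf
# disablesid=/usr/local/etc/snort/disablesid.conf
# modifysid=/usr/local/etc/snort/modifysid.conf
EOF
}

# Stand-alone demo on a throwaway copy; the Oinkcode is a made-up placeholder
conf=$(mktemp)
make_sample_conf "$conf"
set_oinkcode "$conf" 0123456789abcdef0123456789abcdef01234567
apply_text_settings "$conf"
echo "--- active settings after the edit ---"
grep -Ev '^[[:space:]]*(#|$)' "$conf"
rm -f "$conf"
```

On a real system point the functions at /etc/snort/pulledpork.conf (as root) instead of the temp copy, and keep the file mode tight afterwards, since it now contains the Oinkcode.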
After changing the configuration file we are ready to use PulledPork. A simple way of running it (as root, since it writes under /etc/snort) is:
# perl /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -o /etc/snort/rules/snort.rules
The rules are written to the single file /etc/snort/rules/snort.rules. For Snort to load them, snort.conf must contain the line `include $RULE_PATH/snort.rules`; a quick way to check that everything parses is `snort -T -c /etc/snort/snort.conf`.
Some of the rules in snort.rules are commented out (prefixed with #): these are rules the official rule set disables by default or that are listed in disablesid.conf. Do not uncomment them in snort.rules by hand, because the next PulledPork run regenerates that file and the edit is lost. Instead, put the GID:SID of each rule you want (for example 1:2000001) in /etc/snort/enablesid.conf, and the ones you want off in disablesid.conf, then run PulledPork again.
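To decide which disabled rules to turn back on it helps to see them listed by GID:SID and message rather than scrolling through snort.rules. The script below is an added example, not code from the original post or from PulledPork: it reads a snort.rules file, separates enabled rules from the ones PulledPork wrote commented out, and prints enablesid.conf entries for the disabled rules whose message matches a pattern. The rules it runs on are constructed for the example; on a real system point it at /etc/snort/rules/snort.rules.

```sh
#!/bin/sh
# Added example (not part of the original post or of PulledPork): inventory the
# rules in snort.rules and turn chosen disabled ones into enablesid.conf
# entries instead of editing snort.rules, which PulledPork regenerates.

# make_sample_rules FILE: CONSTRUCTED snort.rules in the shape PulledPork
# writes, with disabled rules commented out as "# alert ..."
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED ssh banner probe"; flow:to_server,established; content:"SSH-"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED web scanner ua"; flow:to_server,established; content:"User-Agent|3a| scanner"; sid:1000002; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED icmp sweep"; itype:8; sid:1000003; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"CONSTRUCTED dns anomaly"; content:"|00 00 29|"; gid:1; sid:1000004; rev:1;)
# This is a plain comment line, not a disabled rule
EOF
}

# rule_field LINE KEY: numeric value of KEY (sid, gid, rev) from a rule body
rule_field() {
    printf '%s\n' "$1" | sed -nE "s/.*[[:space:];(]$2:[[:space:]]*([0-9]+).*/\1/p"
}

# rule_msg LINE: the text inside msg:"..."
rule_msg() {
    printf '%s\n' "$1" | sed -nE 's/.*msg:"([^"]*)".*/\1/p'
}

# A disabled rule is a rule action behind a leading '#'; a plain comment is not
is_disabled_rule() {
    printf '%s\n' "$1" | grep -Eq '^#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]'
}

is_enabled_rule() {
    printf '%s\n' "$1" | grep -Eq '^(alert|log|pass|drop|reject|sdrop)[[:space:]]'
}

# list_rules FILE STATE: one "gid:sid<TAB>msg" line per rule in STATE
# (enabled or disabled); gid defaults to 1 when the rule does not set it
list_rules() {
    while IFS= read -r line; do
        case $2 in
            disabled) is_disabled_rule "$line" || continue ;;
            enabled)  is_enabled_rule  "$line" || continue ;;
        esac
        sid=$(rule_field "$line" sid)
        gid=$(rule_field "$line" gid)
        printf '%s:%s\t%s\n' "${gid:-1}" "$sid" "$(rule_msg "$line")"
    done < "$1"
}

# count_rules FILE STATE: number of rules in STATE
count_rules() {
    list_rules "$1" "$2" | wc -l | tr -d ' '
}

# enablesid_entries FILE PATTERN: enablesid.conf lines (one gid:sid per line)
# for the disabled rules whose gid:sid or msg matches PATTERN (grep -E)
enablesid_entries() {
    list_rules "$1" disabled | grep -E "$2" | cut -f1
}

# Stand-alone demo on the constructed file
rules=$(mktemp)
make_sample_rules "$rules"
echo "enabled:  $(count_rules "$rules" enabled)"
echo "disabled: $(count_rules "$rules" disabled)"
echo "--- disabled rules (gid:sid  msg) ---"
list_rules "$rules" disabled
echo "--- enablesid.conf entries for the disabled DNS rules ---"
enablesid_entries "$rules" 'dns'
rm -f "$rules"
```

Append the printed gid:sid lines to /etc/snort/enablesid.conf, rerun PulledPork, and confirm with `snort -T -c /etc/snort/snort.conf` that the rule set still loads; the same listing run afterwards should show the chosen rules as enabled.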

