Snort 2.9.9.x on Ubuntu – Part 5: Installing PulledPork
- Installing Snort
- Configuring Snort to Run as a NIDS
- Writing and Testing a Single Rule With Snort
- Installing Barnyard2
- Installing PulledPork
- Creating Upstart Scripts for Snort on Ubuntu 14
- Creating systemD Scripts for Snort on Ubuntu 16
- Installing BASE
In the previous two sections of this article, we installed Snort and configured it to work as a NIDS with Barnyard2 processing packets that generated alerts based on a rule. In this article, we are going to install a Perl script called PulledPork, which will automatically download the latest rulesets from the Snort website.
To download the main free ruleset from Snort, you need an oinkcode. Register on the Snort website and save your oinkcode before continuing, as the oinkcode is required for the most popular free ruleset.
Install the PulledPork pre-requisites:
sudo apt-get install -y libcrypt-ssleay-perl liblwp-useragent-determined-perl
Download the latest PulledPork and install. Here we copy the actual perl file to /usr/local/bin and the needed configuration files to /etc/snort:
cd ~/snort_src wget https://github.com/shirkdog/pulledpork/archive/master.tar.gz -O pulledpork-master.tar.gz tar xzvf pulledpork-master.tar.gz cd pulledpork-master/ sudo cp pulledpork.pl /usr/local/bin sudo chmod +x /usr/local/bin/pulledpork.pl sudo cp etc/*.conf /etc/snort
Test that PulledPork runs by running the following command, looking for the output below:
user@snortserver:~$ /usr/local/bin/pulledpork.pl -V PulledPork v0.7.3 - Making signature updates great again! user@snortserver:~$
Now that we are sure that PulledPork works, we need to configure it:
sudo vi /etc/snort/pulledpork.conf
Make the following changes to the pulledpork.conf file. Anywhere you see ‹oinkcode› enter your oinkcode from the Snort website. I have included line numbers to help you identify the location of these lines in the configuration file.
Line 19: enter your oinkcode where appropriate (or comment out if no oinkcode) Line 29: Un-comment for Emerging threats ruleset (not tested with this guide) Line 74: change to: rule_path=/etc/snort/rules/snort.rules Line 89: change to: local_rules=/etc/snort/rules/local.rules Line 92: change to: sid_msg=/etc/snort/sid-msg.map Line 96: change to: sid_msg_version=2 Line 119: change to: config_path=/etc/snort/snort.conf Line 133: change to: distro=Ubuntu-12-04 Line 141: change to: black_list=/etc/snort/rules/iplists/black_list.rules Line 150: change to: IPRVersion=/etc/snort/rules/iplists
We want to run PulledPork once manually to make sure it works. We use the following flags:
-c /etc/snort/pulledpork.conf the location of the snort.conf file -l Write detailed logs to /var/log
Run the following command:
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
After this command runs (it takes some time), you should now see snort.rules in /etc/snort/rules, and .so rules in /usr/local/lib/snort_dynamicrules. Pulled Pork combines all the rulesets that it downloads into these two files. You need to make sure to add the line: include $RULE_PATH/snort.rules to the snort.conf file, or the pulled pork rules will never be read into memory when Snort starts:
sudo vi /etc/snort/snort.conf
Add the following line to enable snort to use the rules that PulledPork downloaded (line 547), after the line for local.rules:
Since we have modified snort.conf, we should test that Snort loads correctly in NIDS mode with the PulledPork rules included:
sudo snort -T -c /etc/snort/snort.conf -i eth0
Once that is successful, we want to test that Snort and Barnyard2 load correctly when run manually as daemons:
sudo /usr/local/bin/snort -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D sudo barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D
As before, ping the IP address of the Snort eth0 interface, and then check the database for more events (remember to use the MYSQLSNORTPASSWORD):
mysql -u snort -p -D snort -e "select count(*) from event"
The number of events reported should be greater than what you saw the last time you ran this command. Now that we are sure that PulledPork runs correctly, we want to add PulledPork to root’s crontab to run daily:
sudo crontab -e
Choose any editor if prompted
The Snort team has asked you to randomize when PulledPork connects to their server to help with load balancing. In the example below, we have PulledPork checking at 04:01 every day. Change the minutes value (the 01 below) to a value between 0 and 59, and the hours value (the 04 below) to a value between 00 and 23. For more info on crontab layout, check here:
01 04 * * * /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l
Stop the running daemons from earlier testing:
user@snortserver:~$ ps aux | grep snort snort 1296 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 /usr/local/bin/snort -q -u snort -g snort -c /etc/snort/snort.conf -i eth0 -D user 1314 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto snort user@snortserver:~$ sudo kill 1296 user@snortserver:~$ ps aux | grep barnyard2 snort 1298 0.0 2.1 297572 43988 ? Ssl 03:15 0:00 barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort -D user 1316 0.0 0.0 4444 824 pts/0 S+ 03:17 0:00 grep --color=auto barnyard2 user@snortserver:~$ sudo kill 1298
Note: Snort needs to be reloaded to see the new rules. This can be done with kill -SIGHUP snort-pid, or you can restart the snort service (once that’s created in a later part of this guide).
Additional note about shared object rules: In addition to regular rules, The above section will download Shared object rules. Shared object rules are also known as ”Shared Object rules”, ”SO rules”, ”pre-compiled rules”, or ”Shared Objects”. These are detection rules that are written in the Shared Object rule language, which is similar to C.
These rules are pre-compiled by the provider of the rules, and allow for more complicated rules, and allow for obfuscation of rules (say to detect attacks that haven’t been patched yet, but the vendor wants to allow detection without revealing the vulnerability). These rules are compiled by the vendor for specific systems. One of these systems is Ubuntu 12, and luckily these rules also work on Ubuntu 14 and 15.
Congratulations, if you have output similar to the above then you have successfully Configured PulledPork. Continue to the next section to install startup scripts for Snort and Barnyard2. Choose one of the two following links, depending on your version of Ubuntu. You will create an Upstart scripts for Ubuntu 12 and 14, and a systemD scripts for Ubuntu 15.