PulledPork Installation and Configuration
Install and Configure PulledPork
Snort needs an up-to-date set of rulesets in order to detect and respond to emerging threats as effectively as possible. PulledPork is a Perl script that keeps your Snort rulesets updated at all times with a minimal amount of effort.
- Install prerequisites:

```
apt-get install libcrypt-ssleay-perl liblwp-useragent-determined-perl -y
```

- Next, go to http://pulledpork.googlecode.com and download the latest version of PulledPork. As of the writing of this guide, the latest version was 0.6.1; adjust the filenames below to reflect the version you download. The easiest way to download is with wget from your machine's command line. Copy the complete download URL from the PulledPork website and then do the following:

```
cd /usr/local/src/snort
wget https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
```

If you get the warning "WARNING: cannot verify pulledpork.googlecode.com's certificate" and the file doesn't download, use the following command instead. Note that --no-check-certificate disables TLS certificate validation, so you are trusting whatever the connection returns; confirm the archive's integrity through another channel before running it.

```
cd /usr/local/src/snort
wget --no-check-certificate https://pulledpork.googlecode.com/files/pulledpork-0.6.1.tar.gz
```

- Untar the downloaded file:

```
cd /usr/local/snort
tar -xvzf /usr/local/src/snort/pulledpork-0.6.1.tar.gz
```

- This will create a pulledpork-0.6.1 directory and extract all the PulledPork files into it. Rename that directory to simply pulledpork to keep things simple:

```
mv pulledpork-0.6* pulledpork
```

- Next, edit the /usr/local/snort/pulledpork/etc/pulledpork.conf file:

```
vi /usr/local/snort/pulledpork/etc/pulledpork.conf
```

- Change the lines that appear below so they look exactly as shown, with the exception of <oinkcode> on the rule_url line, which should be replaced with the oinkcode you generated earlier in the guide. The oinkcode is a credential: over an http:// rule_url it travels in cleartext, so use the https:// form when the rule server offers it.

```
rule_url=http://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
# get the rule docs!
#rule_url=https://www.snort.org/reg-rules/|opensource.gz|
#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
#rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|
rule_path=/usr/local/snort/etc/rules/snort.rules
local_rules=/usr/local/snort/etc/rules/local.rules
# Where should I put the sid-msg.map file?
sid_msg=/usr/local/snort/etc/sid-msg.map
# Path to the snort binary, we need this to generate the stub files
snort_path=/usr/local/snort/bin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
config_path=/usr/local/snort/etc/snort.conf
# This is the file that contains all of the shared object rules that pulledpork
# has processed, note that this has changed as of 0.4.0 just like the rules_path!
sostub_path=/usr/local/snort/etc/rules/so_rules.rules
distro=Ubuntu-10.04
```

- Next, edit /usr/local/snort/etc/snort.conf:

```
vi /usr/local/snort/etc/snort.conf
```

- Locate the var RULE_PATH line and change it to appear like below:

```
var RULE_PATH /usr/local/snort/etc/rules
```

- Next, remove all of the existing include rules lines from /usr/local/snort/etc/snort.conf with the following command. The single quotes keep $RULE_PATH literal, so sed matches the text of the include lines, and a single pass deletes every matching line:

```
sed -i '/^include $RULE_PATH/d' /usr/local/snort/etc/snort.conf
```

- Now, add the following include lines to /usr/local/snort/etc/snort.conf by typing these commands:

```
echo "include \$RULE_PATH/snort.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/local.rules" >> /usr/local/snort/etc/snort.conf
echo "include \$RULE_PATH/so_rules.rules" >> /usr/local/snort/etc/snort.conf
```

- Create a rules directory:

```
mkdir /usr/local/snort/etc/rules
```

- Create a local rules file:

```
touch /usr/local/snort/etc/rules/local.rules
```

- Test that PulledPork runs successfully by typing the command below:

```
/usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
```

Upon success, you should get output similar to this:

```
Rule Stats....
	New:-------0
	Deleted:---0
	Enabled Rules:----3154
	Dropped Rules:----0
	Disabled Rules:---11235
	Total Rules:------14389
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
```

Now, let's schedule PulledPork to update automatically on a daily basis.

- Edit the crontab:

```
crontab -e
```

- Insert a new line like the one below into the crontab (all on one line). A user crontab entry has five time fields (minute, hour, day of month, month, day of week) followed directly by the command; the user-name column exists only in the system-wide /etc/crontab, and day of month runs from 1 to 31, so `*` is used there:

```
00 01 * * * /usr/local/snort/pulledpork/pulledpork.pl -c /usr/local/snort/pulledpork/etc/pulledpork.conf
```

- Save the crontab (ESC, then SHIFT ZZ).

The line above will run the script every day of the week at 1 A.M.
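The snort.conf edits and the success check from the steps above, collected into one script so the edit can be re-run (for instance from the same cron job) without duplicating include lines, and so a PulledPork run that enabled no rules is noticed rather than silently scheduled again. This is an added example, not code from the guide or from the PulledPork project; the function names, the constructed sample snort.conf and the default rules directory are assumptions that mirror the guide's layout.

```shell
#!/bin/sh
# Added example (not from the guide or PulledPork): idempotent snort.conf include
# rewrite plus a check on PulledPork's run summary. Paths default to the guide's.

# Rewrite RULE_PATH and replace every "include $RULE_PATH/..." line with the three
# PulledPork-managed includes. Re-running it leaves exactly one copy of each include,
# unlike plain "echo >>" appends, which add a duplicate on every run.
set_pulledpork_includes() {
    conf="$1"
    rules_dir="${2:-/usr/local/snort/etc/rules}"
    tmp="$conf.tmp.$$"
    # Single quotes keep $RULE_PATH literal for sed; "|" is the s/// delimiter so the
    # slashes in rules_dir need no escaping. One pass deletes all the old includes.
    sed -e 's|^var RULE_PATH .*|var RULE_PATH '"$rules_dir"'|' \
        -e '/^include \$RULE_PATH\//d' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    for f in snort.rules local.rules so_rules.rules; do
        echo "include \$RULE_PATH/$f" >> "$tmp"
    done
    mv "$tmp" "$conf"
}

# Count the "include $RULE_PATH/..." lines in a snort.conf (used to verify the above).
count_rule_includes() {
    grep -c '^include \$RULE_PATH/' "$1"
}

# Print the "Enabled Rules" figure from a PulledPork run summary. Print nothing and
# return 1 when the figure is missing or zero: a run that fetched nothing usable
# (bad oinkcode, unreachable rule server) is otherwise easy to miss under cron.
pulledpork_enabled_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Enabled Rules:-*\([0-9][0-9]*\).*/\1/p')
    [ -n "$n" ] && [ "$n" -gt 0 ] || return 1
    echo "$n"
}

# Constructed sample snort.conf with the stock include layout (assumption, not a real file).
make_sample_conf() {
    cat > "$1" <<'EOF'
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
output unified2: filename snort.log, limit 128
EOF
}

# Constructed copy of the success summary shown in the guide.
SAMPLE_SUMMARY='Rule Stats....
    New:-------0
    Deleted:---0
    Enabled Rules:----3154
    Dropped Rules:----0
    Disabled Rules:---11235
    Total Rules:------14389
Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!'

# Uncomment to try it by hand:
# make_sample_conf /tmp/snort.conf.demo && set_pulledpork_includes /tmp/snort.conf.demo
# count_rule_includes /tmp/snort.conf.demo          # 3, and still 3 after a second run
# pulledpork_enabled_count "$SAMPLE_SUMMARY"        # 3154
```

In a cron wrapper, call pulledpork_enabled_count on the captured output of pulledpork.pl and alert (mail, syslog) when it returns non-zero; cron's own exit status does not tell you whether any rules were actually enabled.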