Pulledpork is a utility written in Perl that automates Snort rule updates: it downloads the rule tarball, applies your enable/disable/modify lists, and writes a single merged rules file for Snort to load.
Let's first grab a copy of the latest version of pulledpork from the official repo on GitHub:
cd /tmp
git clone https://github.com/shirkdog/pulledpork.git
cd pulledpork
cp pulledpork.pl /usr/local/bin/
chmod +x /usr/local/bin/pulledpork.pl
We'll also need to make sure Perl and a few of its modules are installed (the cpanm command comes from the App::cpanminus module, so install that first if it is missing):
sudo yum -y install perl cpan
sudo cpanm LWP ExtUtils::CBuilder Path::Class Crypt::SSLeay Sys::Syslog Archive::Tar
We can now copy all of the pulledpork config files (pulledpork.conf, disablesid.conf, enablesid.conf, modifysid.conf and dropsid.conf) to our snort directory with:
cp etc/* /etc/snort/
and then edit our pulledpork.conf file as follows (rule_path is the merged rules file pulledpork writes, and snort.conf must include it; the oink code is your personal snort.org API key and should be kept out of world-readable files):
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<your-oink-code-here>
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/sbin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-6-0
and then perform a test run (-T processes the text rules only and skips the shared-object rules; -H sends the running Snort a HUP so it reloads the new ruleset):
/usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -H
Finally we can create a cron job (in root's crontab, via sudo crontab -e) to perform this every week, at midnight on Sunday:
0 0 * * 0 /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -H && /usr/sbin/service snort restart
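The cron line above restarts Snort unconditionally, so a failed download or a rule file that Snort refuses to parse will leave the sensor down until someone notices. The wrapper below is an added example, not part of the original post or of the pulledpork project: it runs pulledpork, sanity-checks the merged rules file, validates the configuration with snort -T (Snort's own config test mode) and only then restarts. The paths are the ones used in this post; the MIN_ENABLED floor is an assumed value you should tune to your ruleset.

```shell
#!/bin/sh
# update_snort_rules.sh -- added example wrapper for the weekly pulledpork cron job.
# Paths follow the post; MIN_ENABLED is an assumed sanity floor, adjust to taste.
PULLEDPORK=/usr/local/bin/pulledpork.pl
PP_CONF=/etc/snort/pulledpork.conf
SNORT=/usr/sbin/snort
SNORT_CONF=/etc/snort/snort.conf
RULES=/etc/snort/rules/snort.rules
MIN_ENABLED=${MIN_ENABLED:-1000}

# count_enabled FILE: number of active (uncommented) rule lines in a rules file.
count_enabled() {
    grep -c -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# count_disabled FILE: number of rules pulledpork left commented out
# (disablesid.conf entries show up here, so the number should not be 0 if you use it).
count_disabled() {
    grep -c -E '^[[:space:]]*#[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$1" || true
}

# ruleset_ok FILE MIN: succeeds only if FILE has at least MIN enabled rules.
# Guards against an empty or truncated download replacing a working ruleset.
ruleset_ok() {
    n=$(count_enabled "$1")
    [ "$n" -ge "$2" ]
}

# main: download, check, validate, and only then restart Snort.
main() {
    before=$(count_enabled "$RULES" 2>/dev/null)
    if ! "$PULLEDPORK" -c "$PP_CONF" -T; then
        echo "pulledpork failed; keeping the current ruleset" >&2
        exit 1
    fi
    after=$(count_enabled "$RULES")
    echo "enabled rules: $before -> $after (disabled: $(count_disabled "$RULES"))"
    if ! ruleset_ok "$RULES" "$MIN_ENABLED"; then
        echo "only $after enabled rules (floor $MIN_ENABLED); not restarting" >&2
        exit 1
    fi
    # snort -T parses snort.conf and every included rules file and exits non-zero on error.
    if ! "$SNORT" -T -c "$SNORT_CONF"; then
        echo "snort -T rejected the new configuration; not restarting" >&2
        exit 1
    fi
    /usr/sbin/service snort restart
}

# Only run the update when invoked as "update_snort_rules.sh run", so the
# functions can be sourced and tested without touching the live sensor.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Point the cron entry at this script (0 0 * * 0 /usr/local/bin/update_snort_rules.sh run) and drop -H from the pulledpork call, since the script restarts Snort itself only after the checks pass. Keep the old merged rules file around (pulledpork writes it in place, so a copy before the run is cheap) if you want an automatic rollback as well.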
I also found that there were many sensitive alerts such as 'stream5: TCP Small Segment Threshold Exceeded'. These come from the preprocessor rules (generator IDs 119, 123, 128 and 129, rather than GID 1 used by the text rules), and we can list them as gid:sid pairs in the 'disablesid.conf' file to ensure pulledpork does not enable these rules:
sudo vi /etc/snort/disablesid.conf
and add:
119:19 # http_inspect: LONG HEADER
123:8 # frag3: Fragmentation overlap
128:4 # ssh: Protocol mismatch
129:4 # stream5: TCP Timestamp is outside of PAWS window
129:5 # stream5: Bad segment, overlap adjusted size less than/equal 0
129:7 # stream5: Limit on number of overlapping TCP packets reached
129:12 # stream5: TCP Small Segment Threshold Exceeded
129:15 # stream5: Reset outside window
Credit to Stephen Hurst for the above rules.
Re-download the ruleset so the new disablesid.conf takes effect (pulledpork only processes a tarball it has not already downloaded, so you may first have to delete the cached copy in /tmp, its default temp_path; the number in the filename is the Snort version pulledpork requested):
rm /tmp/snortrules-snapshot-2990.tar.gz*
sudo /usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -T -H && /usr/sbin/service snort restart