Pulled Pork – Suricata & Snort Rule Management

Usage: ./pulledpork.pl [-dEgHklnRTPVvv? -help] -c <config filename> -o <rule output path>
   -O <oinkcode> -s <so_rule output directory> -D <Distro> -S <SnortVer>
   -p <path to your snort binary> -C <path to your snort.conf> -t <sostub output path>
   -h <changelog path> -I (security|connectivity|balanced) -i <path to disablesid.conf>
   -b <path to dropsid.conf> -e <path to enablesid.conf> -M <path to modifysid.conf>
   -r <path to docs folder> -K <directory for separate rules files>

Options:

-help/-?  Print this help info.
-b   Where the dropsid config file lives.
-C   Path to your snort.conf.
-c   Where the pulledpork config file lives.
-d   Do not verify the signature of the rules tarball, i.e. when downloading from non-VRT or ET locations. With this set, nothing checks that the tarball you received is the one the mirror published, so verify its integrity yourself before processing it.
-D   What Distro you are running on, for the so_rules.
     Valid Distro Types:
       Debian60, Ubuntu104, Ubuntu1204, Centos54
       FC12, FC14, RHEL55, RHEL60
       FreeBSD81, FreeBSD90, FreeBSD100, OpenBSD52, OpenBSD53
       OpenSUSE114, OpenSUSE121, Slackware131
-e   Where the enablesid config file lives.
-E   Write ONLY the enabled rules to the output files.
-g   grabonly (download the tarball rule file(s) and do NOT process them).
-h   Path to the sid_changelog, if you want to keep one.
-H   Send a SIGHUP to the pids listed in the config file.
-I   Specify a base ruleset (security, connectivity, or balanced; see README.RULESET).
-i   Where the disablesid config file lives.
-k   Keep the rules in separate files (using the same file names as found when reading).
-K   Where (what directory) do you want me to put the separate rules files?
-l   Log important info to syslog (errors, successful run, etc.; all items are logged as WARN or higher).
-L   Where do you want me to read your local.rules from, for inclusion in sidmsg.map?
-m   Where do you want me to put the sidmsg.map file?
-M   Where the modifysid config file lives.
-n   Do everything other than the download of new files (disablesid, etc.).
-o   Where do you want me to put the generic rules file?
-p   Path to your Snort binary.
-P   Process rules even if no new rules were downloaded.
-R   When processing enablesid, return the rules to their ORIGINAL state.
-r   Where do you want me to put the reference docs (xxxx.txt)?
-S   What version of Snort are you using?
-s   Where do you want me to put the so_rules?
-T   Process text-based rules files only, i.e. do NOT process so_rules.
-u   Where do you want me to pull the rules tarball from? E.g., ET, Snort.org; see the pulledpork config rule_url option for value ideas.
-V   Print version and exit.
-v   Verbose mode, you know.. for troubleshooting and such nonsense.
-vv  EXTRA verbose mode, you know.. for in-depth troubleshooting and other such nonsense.
-w   Skip the SSL verification (if there are issues pulling down rule files). This disables certificate checking, so anyone who can intercept the connection can hand you a modified tarball; treat it as a last resort, not a permanent setting.
-W   Work around the issue where some implementations of LWP do not work with PulledPork's proxy configuration.
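Two of the options above deserve a worked example: -d (and -w) switch off the only integrity check PulledPork performs on a downloaded tarball, and -H reloads the sensor as soon as the rules are written, whether or not the resulting configuration still parses. The script below is an added example and not part of PulledPork or the Snort distribution. It shows, first, an md5 check you can run on a tarball pulled from a non-VRT/ET mirror before handing it to pulledpork.pl with -d, and second, a wrapper that runs pulledpork.pl with -P and -l, tests the Snort config, and only then sends the SIGHUP. The command strings (the pulledpork.pl path, the `snort -T` test, `pkill -HUP`), the config paths, and the assumed sidecar layouts (a bare hex digest or the `MD5(name)= hex` form) are assumptions for illustration; adjust them to your installation.

```shell
#!/bin/sh
# Added example, not part of PulledPork: an integrity check for a rules
# tarball fetched from a non-VRT/ET mirror (the case where you would run
# pulledpork.pl with -d), and a wrapper that tests the generated Snort
# config before reloading instead of HUPing blindly with -H.
# Every command string and path below is an assumption; adjust to taste.
# They are expanded unquoted on purpose so that arguments split correctly.

PULLEDPORK=${PULLEDPORK:-./pulledpork.pl}
PULLEDPORK_CONF=${PULLEDPORK_CONF:-/etc/snort/pulledpork.conf}
SNORT_TEST=${SNORT_TEST:-snort -T -c /etc/snort/snort.conf}
RELOAD_CMD=${RELOAD_CMD:-pkill -HUP -x snort}

# verify_tarball_md5 TARBALL MD5FILE
# Returns 0 when md5sum(TARBALL) equals the digest stored in MD5FILE, 1 on a
# mismatch and 2 when the inputs are unusable. The sidecar may hold either a
# bare hex digest or the "MD5(name)= hex" form written by openssl (assumed
# layouts; adjust if your mirror publishes something else).
verify_tarball_md5() {
    tarball=$1
    md5file=$2
    [ -f "$tarball" ] && [ -f "$md5file" ] || return 2
    # Strip whitespace, drop any "MD5(name)=" prefix, normalise to lowercase.
    expected=$(tr -d ' \t\r\n' < "$md5file" | sed 's/.*=//' | tr 'A-F' 'a-f')
    # Refuse anything that is not exactly 32 hex digits rather than comparing
    # against garbage (an empty or truncated sidecar must not "match").
    printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{32}$' || return 2
    actual=$(md5sum "$tarball" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# update_and_reload CONF
# Run pulledpork.pl with -P (process even when nothing new was downloaded)
# and -l (log to syslog), test the resulting Snort config, and only then
# reload the sensor. Any failure aborts before the reload, so a rule file
# that breaks snort.conf never reaches a running process.
update_and_reload() {
    conf=$1
    $PULLEDPORK -c "$conf" -l -P || { echo "pulledpork failed" >&2; return 1; }
    $SNORT_TEST || { echo "snort config test failed, not reloading" >&2; return 1; }
    $RELOAD_CMD
}

# Stand-alone use: VERIFY=tarball:md5file to check a download, RUN_UPDATE=1
# to update and reload. Nothing runs when the script is sourced without them.
if [ -n "${VERIFY:-}" ]; then
    verify_tarball_md5 "${VERIFY%%:*}" "${VERIFY#*:}" || exit $?
fi
if [ -n "${RUN_UPDATE:-}" ]; then
    update_and_reload "$PULLEDPORK_CONF" || exit 1
fi
```

An md5 match only tells you the file is the one the mirror published, not that the mirror is trustworthy; for a mirror you do not control, compare the digest against one obtained out of band. The reload step deliberately avoids -H so that a rule set that fails `snort -T` is caught before the sensor is signalled.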
