PulledPork の動作には、Archive::Tar, Crypt::SSLeay, libwww-perl が必要
[root]# cpan Archive::Tar Crypt::SSLeay Bundle::LWP
・PulledPork インストール
https://github.com/shirkdog/pulledpork/releases から取得
[root]# tar xvfz pulledpork-0.7.3.tar.gz
[root]# mv -v pulledpork-0.7.3 /usr/local/pulledpork
[root]# chown -R snort:snort /usr/local/pulledpork/
[root]# chmod 755 /usr/local/pulledpork/pulledpork.pl
・PulledPork 設定
[root]# vim /usr/local/pulledpork/etc/pulledpork.conf
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
その他の rule_url 行は全てコメントアウト。なお <oinkcode> は認証情報として扱い、これを含む pulledpork.conf は snort ユーザ以外から読めないようにしておく(例: chmod 600)
# rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
# rule_url=http://talosintelligence.com/feeds/ip-filter.blf|IPBLACKLIST|open
# rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
rule_path=/etc/snort/rules/snort.rules
# local_rules=/etc/snort/rules/local.rules
sid_changelog=/var/log/snort/sid_changes.log
sid_msg=/etc/snort/etc/sid-msg.map
snort_path=/usr/local/bin/snort
config_path=/etc/snort/etc/snort.conf
# sostub_path=/etc/snort/so_rules/so_rules.rules
distro=RHEL-7-4
# black_list=/etc/snort/rules/iplists/default.blacklist
# IPRVersion=/etc/snort/rules/iplists
# snort_control=/usr/local/bin/snort_control
pid_path=/var/log/snort/snort_eth0.pid
snort_version=2.9.17.0
version=0.7.3
・snort.conf 変更
include $RULE_PATH/xxx.rules, include $PREPROC_RULE_PATH/xxx.rules,
include $SO_RULE_PATH/xxx.rules の行を削除
[root]# cp -v /etc/snort/etc/snort.conf /etc/snort/etc/snort.conf.bak
[root]# sed -i '/^include $RULE_PATH/d' /etc/snort/etc/snort.conf
[root]# sed -i '/^include $PREPROC_RULE_PATH/d' /etc/snort/etc/snort.conf
[root]# sed -i '/^include $SO_RULE_PATH/d' /etc/snort/etc/snort.conf
[root]# vim /etc/snort/etc/snort.conf
blacklist の行をコメントアウト
# blacklist $BLACK_LIST_PATH/blacklist.rules
snort.rules のみを include する行を残す/追記する(PulledPork により全てのルールが snort.rules にまとめられる)
include $RULE_PATH/snort.rules
既存のルールファイルを全て削除(自作ルールなど残したいものがあれば事前にバックアップしておく)
[root]# rm -vf /etc/snort/rules/*
[root]# rm -vf /etc/snort/so_rules/*
[root]# rm -vf /etc/snort/preproc_rules/*
/etc/snort/rules/snort.rules ファイルを作成
[root]# touch /etc/snort/rules/snort.rules
[root]# chown -R snort:snort /etc/snort/
[root]# chmod 600 /etc/snort/rules/snort.rules
・snort 再起動
[root]# systemctl restart snortd
・PulledPork 実行
[root]# /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf
※ 前回実行から15分以上経過しないと再実行できない
・PulledPork 定期実行
[root]# crontab -e
3 0 * * * /usr/local/pulledpork/pulledpork.pl -c /usr/local/pulledpork/etc/pulledpork.conf