{"id":13680222,"url":"https://github.com/shirkdog/pulledpork","last_synced_at":"2025-04-04T21:05:22.391Z","repository":{"id":30905898,"uuid":"34463709","full_name":"shirkdog/pulledpork","owner":"shirkdog","description":"Pulled Pork for Snort and Suricata rule management (from Google code)","archived":false,"fork":false,"pushed_at":"2021-07-07T18:15:48.000Z","size":704,"stargazers_count":431,"open_issues_count":39,"forks_count":134,"subscribers_count":48,"default_branch":"master","last_synced_at":"2025-03-28T20:05:33.526Z","etag":null,"topics":["perl","ruleset","snort","suricata"],"latest_commit_sha":null,"homepage":"","language":"Perl","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shirkdog.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2015-04-23T15:10:22.000Z","updated_at":"2025-03-19T17:34:56.000Z","dependencies_parsed_at":"2022-08-27T13:11:34.520Z","dependency_job_id":null,"html_url":"https://github.com/shirkdog/pulledpork","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shirkdog%2Fpulledpork","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shirkdog%2Fpulledpork/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shirkdog%2Fpulledpork/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shirkdog%2Fpulledpork/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shirkdog","download_url":"https://codeload.github.com/shirkdog/pulledpork/tar.gz/refs/heads/master","
host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247249524,"owners_count":20908212,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["perl","ruleset","snort","suricata"],"created_at":"2024-08-02T13:01:14.437Z","updated_at":"2025-04-04T21:05:22.360Z","avatar_url":"https://github.com/shirkdog.png","language":"Perl","funding_links":[],"categories":["Perl","[🔓 security](https://github.com/stars/ketsapiwiq/lists/unlock-security)"],"sub_categories":[],"readme":"PulledPork\n==========\n\nPulledPork for Snort and Suricata rule management (from Google code)\n\nFind us on Libera.Chat (IRC) [`#pulledpork`](https://libera.chat/guides/connect)\n\nCopyright (C) 2009-2021 JJ Cummings, Michael Shirk and the PulledPork Team!\n\nThank you for choosing to use PulledPork!  This file provides some basic\nguidance on the usage of PulledPork.  
Please be sure to read this file\nthoroughly so that you don't overlook something!\n\n\n## Features and Capabilities\n\n * Automated downloading, parsing, state modification and rule modification\n   for all of your snort rulesets.\n * Checksum verification for all major rule downloads\n * Automatic generation of updated sid-msg.map file\n * Capability to include your local.rules in sid-msg.map file\n * Capability to pull rules tarballs from custom urls\n * Complete Shared Object support\n * Complete IP Reputation List support\n * Capability to download multiple disparate rulesets at once\n * Maintains accurate changelog\n * Capability to HUP processes after rules download and process\n * Aids in tuning of rulesets\n * Verbose output so that you know EXACTLY what is happening\n * Minimal Perl Module dependencies\n * Support for Suricata, and ETOpen/ETPro rulesets\n * A sweet smokey flavor throughout the pork!\n\n\n## Command Usage Reference\n\n```\nUsage: pulledpork.pl [-dEgklnRTPVvv? -help] -c \u003cconfig filename\u003e -o \u003crule output path\u003e\n -O \u003coinkcode\u003e -s \u003cso_rule output directory\u003e -D \u003cDistro\u003e -S \u003cSnortVer\u003e\n -p \u003cpath to your snort binary\u003e -C \u003cpath to your snort.conf\u003e -t \u003csostub output path\u003e\n -h \u003cchangelog path\u003e -H \u003csignal_name\u003e -I (security|connectivity|balanced) -i \u003cpath to disablesid.conf\u003e\n -b \u003cpath to dropsid.conf\u003e -e \u003cpath to enablesid.conf\u003e -M \u003cpath to modifysid.conf\u003e\n -r \u003cpath to docs folder\u003e -K \u003cdirectory for separate rules files\u003e\n\n Options:\n -help/? Print this help info.\n -b Where the dropsid config file lives.\n -C Path to your snort.conf\n -c Where the pulledpork config file lives.\n -d Do not verify signature of rules tarball, i.e. 
downloading fron non VRT or ET locations.\n -D What Distro are you running on, for the so_rules\n    For latest supported options see http://www.snort.org/snort-rules/shared-object-rules\n    Valid Distro Types:\n\tAlpine-3-10\n\tCentos-6, Centos-7, Centos-8\n\tDebian-8, Debian-9, Debian-10\n\tFC-27, FC-30\n\tFreeBSD-11, FreeBSD-12\n\tOpenBSD-6-2, OpenBSD-6-4, OpenBSD-6-5 \n\tOpenSUSE-15-0, OpenSUS-15-1, OpenSUSE-42-3\n\tRHEL-6, RHEL-7, RHEL-8\n\tSlackware-14-2\n\tUbuntu-14-4, Ubuntu-16-4, Ubuntu-17-10, Ubuntu-18-4\n -e Where the enablesid config file lives.\n -E Write ONLY the enabled rules to the output files.\n -g grabonly (download tarball rule file(s) and do NOT process)\n -h path to the sid_changelog if you want to keep one?\n -H Send signal_name to the pids listed in the config file (SIGHUP or SIGUSR2)\n -I Specify a base ruleset( -I security,connectivity,or balanced, see README.RULESET)\n -i Where the disablesid config file lives.\n -k Keep the rules in separate files (using same file names as found when reading)\n -K Where (what directory) do you want me to put the separate rules files?\n -l Log Important Info to Syslog (Errors, Successful run etc, all items logged as WARN or higher)\n -L Where do you want me to read your local.rules for inclusion in sid-msg.map\n -m where do you want me to put the sid-msg.map file?\n -M where the modifysid config file lives.\n -n Do everything other than download of new files (disablesid, etc)\n -o Where do you want me to put generic rules file?\n -O Define the oinkcode on the command line (necessary for some users)\n -p Path to your Snort binary\n -P Process rules even if no new rules were downloaded\n -R When processing enablesid, return the rules to their ORIGINAL state\n -r Where do you want me to put the reference docs (xxxx.txt)\n -S What version of snort are you using (2.8.6 or 2.9.0) are valid values\n -s Where do you want me to put the so_rules?\n -T Process text based rules files only, i.e. 
DO NOT process so_rules\n -u Where do you want me to pull the rules tarball from\n    ** E.g., ET, Snort.org. See pulledpork config rule_url option for value ideas\n -V Print Version and exit\n -v Verbose mode, you know.. for troubleshooting and such nonsense.\n -vv EXTRA Verbose mode, you know.. for in-depth troubleshooting and other such nonsense.\n -w Skip the SSL verification (if there are issues pulling down rule files)\n -W Where you want to work around the issue where some implementations of LWP do not work with pulledpork's proxy configuration.\n ```\n\n\n## Basic Usage Examples\n\nThe simplest way to use PulledPork is to put all of your configuration directives in the\n`pulledpork.conf` file.  For minimal function (no Shared Object rule processing) you must define\nat a minimum the `rule_file`, `oinkcode`, `temp_path`, `tar_path`, and `rule_path` values.  Below are some examples.\n\n```bash\n./pulledpork.pl -o /usr/local/etc/snort/rules/ -O 12345667778523452344234234 \\\n  -u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz \\\n  -i disablesid.conf -T -H\n```\n\nThe above will fetch the `snortrules-snapshot-2973.tar.gz` tarball from snort.org using the specified `oinkcode` of\n`12345667778523452344234234` and put the rules files from that tarball into the output path\n`/usr/local/etc/snort/rules/`. The `-i` option tells pulledpork where\n`disablesid.conf` lives, the `-T` option tells pulledpork not to process any shared object rules, and the final\n`-H` option tells pulledpork to send a `Hangup` signal to the snort pid that you defined in `pulledpork.conf`.\n\nTwo caveats when you script this: `-O` puts the oinkcode on the command line, where any local user can read it from the\nprocess list, so prefer setting `oinkcode` in `pulledpork.conf` and keep that file readable only by the user that runs\nPulledPork. Likewise `-d` and `-w` switch off the tarball checksum verification and the SSL verification that protect the\ndownload; use them only for custom rule sources you control.\n\n```bash\n./pulledpork.pl -c pulledpork.conf -i disablesid.conf -T -H\n```\n\nSimilar to the first example, but all options are specified in the `pulledpork.conf` file (other than `disablesid` and `-H`).\n\n```bash\n./pulledpork.pl -c pulledpork.conf -i disablesid.conf \\\n  -m /usr/local/etc/snort/sid-msg.map 
-Hn\n```\n\nThe above will simply read the disablesid file and disable rules as defined, then send a `Hangup` signal after generating the `sid-msg.map`\nat the specified location, without downloading anything.\nHighly useful when tuning or making changes.\n\nNext example, snort inline with rules that we want to drop and disable, then `HUP` our daemons after creating a `sid-msg.map`\nand writing change info to `sid_changes.log`:\n\n```bash\n./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf \\\n  -m /usr/local/etc/snort/sid-msg.map -h /var/log/sid_changes.log -H\n```\n\nNext example, same as the previous but specifying that we want to run the default \"security\" based ruleset\nand that we want to enable the rules specified in `enablesid.conf`:\n\n```bash\n./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf \\\n  -e enablesid.conf -m /usr/local/etc/snort/sid-msg.map \\\n  -h /var/log/sid_changes.log -I security -H\n```\n\nNext example, same as the previous but specifying with `-K` that we want to keep the rules in separate files, named after\nthe files in the originating tarball, and write them to `/usr/local/etc/snort/rules/`:\n\n```bash\n./pulledpork.pl -c pulledpork.conf -i disablesid.conf -b dropsid.conf \\\n  -e enablesid.conf -m /usr/local/etc/snort/sid-msg.map \\\n  -h /var/log/sid_changes.log -I security -H -K /usr/local/etc/snort/rules/\n```\n\nFor users of Suricata, the same steps apply for where your installation files reside, but all that pulledpork needs in order to process\nrule files is the `-S` flag set to `suricata-3.1.3`, or whatever version of Suricata you are using:\n\n```bash\n./pulledpork.pl -c pulledpork.conf -S suricata-3.1.3\n```\n\nPulledpork \"should\" work with Suricata and ET/ETPro rules. However, there is no support for Talos rules on Suricata.\n\n## Special Notes Section\n\nPlease note that pulledpork runs rule modification (enable, drop, disable, modify) in that order by default:\n\n1. enable\n2. drop\n3. 
disable\n4. modify\n\nThe last state file that touches a rule wins, so with the default order disable always takes precedence: if you specify the same `gid:sid`\nin both the enable and disable configuration files, that sid ends up disabled. Keep this in mind\nfor ranges too!  You can specify a different order using the `state_order` keyword in the\nmaster config file.\n\nI'll probably add more info later; the `--help` or `--?` will display all runtime options and the `pulledpork.conf` is\npretty well annotated... so if you can't figure it out... try harder!  And once you figure it out, please feel\nfree to contribute with additional readme / help foo.. thx!\n\nAs a side note, I would like to give a shout-out to my buddy Bruce for aiding in the naming of PulledPork!\n\"hopefully that will shut him up ;-)\"\n\nJ\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshirkdog%2Fpulledpork","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshirkdog%2Fpulledpork","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshirkdog%2Fpulledpork/lists"}
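The state-order precedence described in the README's Special Notes section (enable, then drop, then disable; the last file to touch a sid wins, so a sid listed in both enablesid and disablesid ends up disabled) is easy to get wrong when you tune with ranges. The following Perl script is an added illustration written for this page; it is not PulledPork's own code and does not reuse its internals. It models a rule as a `gid:sid` entry with an action and an enabled flag, applies constructed `enablesid.conf`, `dropsid.conf` and `disablesid.conf` contents in a given `state_order`, and prints the outcome for the default order and for the reversed one. Only `gid:sid` and `gid:sid-sid` selectors are modelled (pulledpork's `pcre:` and category selectors are left out), and the rule text is constructed, not taken from any real ruleset.

```perl
#!/usr/bin/env perl
# Added illustration of state_order precedence; NOT PulledPork's own code.
# Model (an assumption of this example): a rule is gid:sid => {action, enabled, msg};
# the state files are applied in the configured order and the last file that
# touches a sid wins.  Only gid:sid and gid:sid-sid selectors are handled;
# pulledpork's pcre: and category selectors are deliberately left out.
use strict;
use warnings;

# Constructed sample state files, i.e. what enablesid.conf, dropsid.conf and
# disablesid.conf might contain.  1:2001 deliberately appears in enable AND disable.
my %state_files = (
    enable  => "1:2001\n1:2010-2012\n",
    drop    => "1:2010\n",
    disable => "# comments and blank lines are ignored\n\n1:2001\n1:2011\n",
);

# Constructed sample rules, as if just read out of the downloaded tarball.
sub sample_rules {
    return {
        '1:2001' => { action => 'alert', enabled => 0, msg => 'shipped disabled'   },
        '1:2010' => { action => 'alert', enabled => 1, msg => 'candidate for drop' },
        '1:2011' => { action => 'alert', enabled => 1, msg => 'noisy rule'         },
        '1:2012' => { action => 'alert', enabled => 0, msg => 'shipped disabled'   },
    };
}

# Expand one selector line into the gid:sid keys that exist in the rule set.
sub expand_selector {
    my ($line, $rules) = @_;
    $line =~ s/#.*//;                     # strip trailing comments
    $line =~ s/^\s+|\s+$//g;              # trim
    return () if $line eq '';
    if ($line =~ /^(\d+):(\d+)-(\d+)$/) { # range: gid:sid_lo-sid_hi
        my ($gid, $lo, $hi) = ($1, $2, $3);
        return grep { exists $rules->{$_} } map { "${gid}:$_" } $lo .. $hi;
    }
    if ($line =~ /^(\d+):(\d+)$/) {       # single gid:sid
        return exists $rules->{$line} ? ($line) : ();
    }
    warn "unsupported selector '$line' (pcre:/category selectors not modelled)\n";
    return ();
}

# Apply one state file to the rule set in place.
sub apply_state {
    my ($state, $text, $rules) = @_;
    for my $line (split /\n/, $text) {
        for my $key (expand_selector($line, $rules)) {
            my $r = $rules->{$key};
            if    ($state eq 'enable')  { $r->{enabled} = 1 }
            elsif ($state eq 'disable') { $r->{enabled} = 0 }
            elsif ($state eq 'drop')    { $r->{action}  = 'drop' }  # action only; enabled flag untouched
            else                        { die "unknown state '$state'\n" }
        }
    }
}

# Run the state files in the given order; later entries override earlier ones.
sub resolve {
    my ($order, $files, $rules) = @_;
    apply_state($_, $files->{$_}, $rules) for @$order;
    return $rules;
}

# Render the result the way it would land in the output rules file:
# disabled rules are commented out, dropped rules carry the drop action.
sub render {
    my ($rules) = @_;
    my @out;
    for my $key (sort keys %$rules) {
        my ($gid, $sid) = split /:/, $key;
        my $r = $rules->{$key};
        push @out, ($r->{enabled} ? '' : '# ')
            . qq{$r->{action} tcp any any -> any any (msg:"$r->{msg}"; gid:$gid; sid:$sid; rev:1;)};
    }
    return join "\n", @out;
}

# Default order first (disable wins on 1:2001), then the reverse (enable wins).
for my $order ([qw(enable drop disable)], [qw(disable drop enable)]) {
    print 'state_order=', join(',', @$order), "\n";
    print render(resolve($order, \%state_files, sample_rules())), "\n\n";
}
```

Run it with `perl state_order.pl` (the file name is arbitrary). Under the default order 1:2001 comes out commented, 1:2010 becomes a `drop` rule, 1:2011 is commented although the enable range 1:2010-2012 covered it, and 1:2012 is enabled; with `state_order=disable,drop,enable` every rule ends up enabled and 1:2010 still carries `drop`, which is the difference you are choosing when you set `state_order` in `pulledpork.conf`.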