Initial import

6 files changed, 333 insertions, 0 deletions

diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..20a8b18ffd7f
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,32 @@
+pkgbase = pulledpork
+	pkgdesc = Tool to automatically update rules for snort
+	pkgver = 0.7.0
+	pkgrel = 3
+	url = https://code.google.com/p/pulledpork
+	install = install
+	arch = any
+	license = GPL
+	depends = cron
+	depends = perl
+	depends = perl-lwp-protocol-https
+	depends = perl-crypt-ssleay
+	depends = perl-archive-tar
+	depends = perl-switch
+	optdepends = snort
+	backup = etc/pulledpork/pulledpork.conf
+	backup = etc/pulledpork.conf
+	backup = etc/pulledpork/disablesid.conf
+	backup = etc/pulledpork/dropsid.conf
+	backup = etc/pulledpork/enablesid.conf
+	backup = etc/pulledpork/modifysid.conf
+	source = https://pulledpork.googlecode.com/files/pulledpork-0.7.0.tar.gz
+	source = pulledpork.conf
+	source = pulledpork_update.sh
+	source = pulledpork.cron
+	sha256sums = f60c005043850bb65a72582b9d6d68a7e7d51107f30f2b3fc67e607c995aa1a8
+	sha256sums = 3c788c1f0c50070bc5e3ccde59f9cf38d1007b5a89828228cd02d47f56fb6f9c
+	sha256sums = 7ec58f5e73b3432eadab9a6050f17d5a1bd038ef2cfe52023da9f772ac532f98
+	sha256sums = c9213d3076424dc391d09a6c19f769631f668f27206585dd98dcbf9390a1b9ee
+
+pkgname = pulledpork
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..c7bacc310aeb
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,36 @@
+# Maintainer: Amish <contact at via dot aur>
+# Contributor: Isaac C. Aronson <i@pingas.org>
+
+pkgname=pulledpork
+pkgver=0.7.0
+pkgrel=3
+pkgdesc="Tool to automatically update rules for snort"
+arch=('any')
+url="https://code.google.com/p/pulledpork"
+license=('GPL')
+depends=('cron' 'perl' 'perl-lwp-protocol-https' 'perl-crypt-ssleay' 'perl-archive-tar' 'perl-switch')
+optdepends=('snort')
+backup=('etc/pulledpork/pulledpork.conf'
+        'etc/pulledpork.conf'
+        'etc/pulledpork/disablesid.conf'
+        'etc/pulledpork/dropsid.conf'
+        'etc/pulledpork/enablesid.conf'
+        'etc/pulledpork/modifysid.conf')
+source=("https://pulledpork.googlecode.com/files/pulledpork-${pkgver}.tar.gz"
+        "pulledpork.conf"
+        "pulledpork_update.sh"
+        "pulledpork.cron")
+sha256sums=('f60c005043850bb65a72582b9d6d68a7e7d51107f30f2b3fc67e607c995aa1a8'
+            '3c788c1f0c50070bc5e3ccde59f9cf38d1007b5a89828228cd02d47f56fb6f9c'
+            '7ec58f5e73b3432eadab9a6050f17d5a1bd038ef2cfe52023da9f772ac532f98'
+            'c9213d3076424dc391d09a6c19f769631f668f27206585dd98dcbf9390a1b9ee')
+install=install
+
+package() {
+  cd "${srcdir}/${pkgname}-${pkgver}"
+  install -dm755 "${pkgdir}"/etc/cron.weekly "${pkgdir}"/etc/pulledpork "${pkgdir}"/usr/bin
+  install -Dm644 etc/* "${pkgdir}"/etc/pulledpork/
+  install -Dm644 ../pulledpork.conf "${pkgdir}"/etc/pulledpork/
+  install -Dm700 ../pulledpork.cron "${pkgdir}"/etc/cron.weekly/pulledpork
+  install -Dm755 pulledpork.pl ../pulledpork_update.sh "${pkgdir}"/usr/bin/
+}
diff --git a/install b/install
new file mode 100644
index 000000000000..e185ca87effb
--- /dev/null
+++ b/install
@@ -0,0 +1,19 @@
+post_install() {
+cat << _EOF  
+
+>>> You may want to ADJUST files in /etc/pulledpork/ directory
+
+>>> Default config is set up for emergingthreats open rules
+
+>>> By default rules auto-update every week if
+>>>   file /etc/snort/rules/snort.rules exists
+
+>>> To use these rules in snort, you must include snort.rules
+>>> file in your snort.conf (if not already setup to be so)
+
+_EOF
+}
+
+post_upgrade() {
+  post_install $1
+}
diff --git a/pulledpork.conf b/pulledpork.conf
new file mode 100644
index 000000000000..872f0512d7f6
--- /dev/null
+++ b/pulledpork.conf
@@ -0,0 +1,209 @@
+# Config file for pulledpork
+# Be sure to read through the entire configuration file
+# If you specify any of these items on the command line, it WILL take 
+# precedence over any value that you specify in this file!
+
+#######
+#######  The below section defines what your oinkcode is (required for 
+#######  VRT rules), defines a temp path (must be writable) and also 
+#######  defines what version of rules that you are getting (for your 
+#######  snort version and subscription etc...)
+####### 
+
+# You can specify one or as many rule_urls as you like, they 
+# must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
+# each on an individual line, or you can specify them in a , separated list
+# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
+# note that the url, rule file, and oinkcode itself are separated by a pipe |
+# i.e. url|tarball|123456789, 
+#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+# NEW Community ruleset:
+#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
+# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
+# This format MUST be followed to let pulledpork know that this is a blacklist
+#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
+# URL for rule documentation! (slow to process)
+#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
+rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
+# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
+# and the et oinkcode requirement!
+#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
+# NOTE above that the VRT snortrules-snapshot does not contain the version
+# portion of the tarball name, this is because PP now automatically populates
+# this value for you, if, however you put the version information in, PP will
+# NOT populate this value but will use your value!
+
+# Specify rule categories to ignore from the tarball in a comma separated list
+# with no spaces.  There are four ways to do this:
+# 1) Specify the category name with no suffix at all to ignore the category
+#    regardless of what rule-type it is, ie: netbios
+# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
+#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
+# 3) Specify the category name with a '.preproc' suffix to ignore only
+#    preprocessor rules located in the /preproc_rules directory of the tarball,
+#    ie: sensitive-data.preproc
+# 4) Specify the category name with a '.so' suffix to ignore only shared-object
+#    rules located in the /so_rules directory of the tarball, ie: netbios.so
+# The example below ignores dos rules wherever they may appear, sensitive-
+# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
+# and netbios gid-1 rules (while including netbios so-rules):
+# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
+# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
+ignore=deleted.rules,experimental.rules,local.rules
+# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
+# previous ignore line and uncomment the following!
+# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
+
+# What is our temp path, be sure this path has a bit of space for rule 
+# extraction and manipulation, no trailing slash
+temp_path=/tmp
+
+#######
+#######  The below section is for rule processing.  This section is 
+#######  required if you are not specifying the configuration using
+#######  runtime switches.  Note that runtime switches do SUPERSEED 
+#######  any values that you have specified here!
+#######
+
+# What path you want the .rules file containing all of the processed 
+# rules? (this value has changed as of 0.4.0, previously we copied 
+# all of the rules, now we are creating a single large rules file
+# but still keeping a separate file for your so_rules!
+rule_path=/etc/snort/rules/snort.rules
+
+# What path you want the .rules files to be written to, this is UNIQUE
+# from the rule_path and cannot be used in conjunction, this is to be used with the
+# -k runtime flag, this can be set at runtime using the -K flag or specified
+# here.  If specified here, the -k option must also be passed at runtime, however
+# specifying -K <path> at runtime forces the -k option to also be set
+# out_path=/etc/snort/rules/
+
+# If you are running any rules in your local.rules file, we need to
+# know about them to properly build a sid-msg.map that will contain your
+# local.rules metadata (msg) information.  You can specify other rules
+# files that are local to your system here by adding a comma and more paths...
+# remember that the FULL path must be specified for EACH value.
+# local_rules=/path/to/these.rules,/path/to/those.rules
+local_rules=/etc/snort/rules/local.rules
+
+# Where should I put the sid-msg.map file?
+sid_msg=/etc/snort/sid-msg.map
+
+# New for by2 and more advanced msg mapping.  Valid options are 1 or 2
+# specify version 2 if you are running barnyard2.2+.  Otherwise use 1
+sid_msg_version=2
+
+# Where do you want me to put the sid changelog?  This is a changelog 
+# that pulledpork maintains of all new sids that are imported
+sid_changelog=/var/log/snort/sid_changes.log
+# this value is optional
+
+#######
+#######  The below section is for so_rule processing only.  If you don't
+#######  need to use them.. then comment this section out!
+#######  Alternately, if you are not using pulledpork to process 
+#######  so_rules, you can specify -T at runtime to bypass this altogether
+#######
+
+# What path you want the .so files to actually go to *i.e. where is it
+# defined in your snort.conf, needs a trailing slash
+#sorule_path=/usr/lib/snort_dynamicrules/
+
+# Path to the snort binary, we need this to generate the stub files
+snort_path=/usr/bin/snort
+
+# We need to know where your snort.conf file lives so that we can
+# generate the stub files
+config_path=/etc/snort/snort.conf
+
+##### Deprecated - The stubs are now  categorically written to the  single rule file!
+# sostub_path=/etc/snort/rules/so_rules.rules
+
+# Define your distro, this is for the precompiled shared object libs!
+# Valid Distro Types:
+# Debian-5-0, Debian-6-0,
+# Ubuntu-8.04, Ubuntu-10-4
+# Centos-4-8, Centos-5-4
+# FC-12, FC-14, RHEL-5-5, RHEL-6-0
+# FreeBSD-7-3, FreeBSD-8-1
+# OpenBSD-4-8
+# Slackware-13-1
+#distro=FreeBSD-8.1
+
+#######  This next section is optional, but probably pretty useful to you.
+#######  Please read thoroughly!
+
+# If you are using IP Reputation and getting some public lists, you will probably
+# want to tell pulledpork where your blacklist file lives, PP automagically will
+# de-dupe any duplicate IPs from different sources.
+#black_list=/etc/snort/rules/iplists/default.blacklist
+
+# IP Reputation does NOT require a full snort HUP, it introduces a concept whereby
+# the IP list can be reloaded while snort is running through the use of a control
+# socket.  Please be sure that you built snort with the following optins:
+# -enable-shared-rep and --enable-control-socket.  Be sure to read about how to
+# configure these!  The following option tells pulledpork where to place the version
+# file for use with control socket ip list reloads!
+# This should be the same path where your black_list lives!
+#IPRVersion=/etc/snort/rules/iplists
+
+# The following option tells snort where the snort_control tool is located.
+#snort_control=/usr/bin/snort_control
+
+# What do you want to backup and archive?  This is a comma separated list
+# of file or directory values.  If a directory is specified, PP will recurse
+# through said directory and all subdirectories to archive all files.
+# The following example backs up all snort config files, rules, pulledpork
+# config files, and snort shared object binary rules.
+# backup=/etc/snort,/etc/pulledpork,/usr/lib/snort_dynamicrules/
+
+# what path and filename should we use for the backup tarball?
+# note that an epoch time value and the .tgz extension is automatically added
+# to the backup_file name on completeion i.e. the written file is:
+# pp_backup.1295886020.tgz
+# backup_file=/tmp/pp_backup
+
+# Where do you want the signature docs to be copied, if this is commented 
+# out then they will not be copied / extracted.  Note that extracting them 
+# will add considerable runtime to pulledpork.
+# docs=/path/to/base/www
+
+# The following option, state_order, allows you to more finely control the order
+# that pulledpork performs the modify operations, specifically the enablesid
+# disablesid and dropsid functions.  An example use case here would be to
+# disable an entire category and later enable only a rule or two out of it.
+# the valid values are disable, drop, and enable.
+# state_order=disable,drop,enable
+
+
+# Define the path to the pid files of any running process that you want to
+# HUP after PP has completed its run.
+# pid_path=/var/run/snort.pid,/var/run/barnyard.pid,/var/run/barnyard2.pid
+# and so on...
+# pid_path=/var/run/snort_eth0.pid
+
+# This defines the version of snort that you are using, for use ONLY if the 
+# proper snort binary is not on the system that you are fetching the rules with
+# This value MUST contain all 4 minor version
+# numbers. ET rules are now also dependant on this, verify supported ET versions
+# prior to simply throwing rubbish in this variable kthx!
+# snort_version=2.9.0.0
+
+# Here you can specify what rule modification files to run automatically.
+# simply uncomment and specify the apt path.
+enablesid=/etc/pulledpork/enablesid.conf
+dropsid=/etc/pulledpork/dropsid.conf
+disablesid=/etc/pulledpork/disablesid.conf
+modifysid=/etc/pulledpork/modifysid.conf
+
+# What is the base ruleset that you want to use, please uncomment to use
+# and see the README.RULESETS for a description of the options.  
+# Note that setting this value will disable all ET rulesets if you are 
+# Running such rulesets
+# ips_policy=security
+
+####### Remember, a number of these values are optional.. if you don't 
+####### need to process so_rules, simply comment out the so_rule section
+####### you can also specify -T at runtime to process only GID 1 rules.
+
+version=0.7.0
diff --git a/pulledpork.cron b/pulledpork.cron
new file mode 100644
index 000000000000..b5a9488f0640
--- /dev/null
+++ b/pulledpork.cron
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/usr/bin/pulledpork_update.sh /etc/snort/rules/snort.rules > /dev/null 2>&1
diff --git a/pulledpork_update.sh b/pulledpork_update.sh
new file mode 100644
index 000000000000..d1bcd1535d76
--- /dev/null
+++ b/pulledpork_update.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+if [ -z "$1" ]
+then 
+	echo "You must provide rule file path."
+	exit 0
+fi
+
+if [ ! -f "$1" ]
+then
+	echo "Rule file $1 missing."
+	exit 0
+fi
+
+# ulimit is needed as sometimes pulledpork.pl goes in infinite loop
+( ulimit -t 60; /usr/bin/pulledpork.pl -P -c /etc/pulledpork/pulledpork.conf )
+
+# restart snort
+if systemctl is-active snort &>/dev/null
+then
+	systemctl restart snort
+fi
+
+# restart suricata
+if systemctl is-active suricata &>/dev/null
+then
+	systemctl restart suricata
+fi
+
+# restart barnyard2
+if systemctl is-active barnyard2 &>/dev/null
+then
+	systemctl restart barnyard2
+fi