Wednesday, September 11, 2013

PulledPork 0.7.0 Released! #include <IP.Reputation>

PulledPork 0.7.0 - Swine Flu has been released and can be found at the PulledPork site.  There are numerous feature changes and enhancements that dramatically affect the functionality and capabilities of PulledPork since the last major 0.6.x release.  An excerpt of the changelog is at the bottom of this post and lists all of the changes/features/enhancements.   

The most significant change that you are likely to notice deals with how PulledPork now processes the rules tarball.  In the previous versions of PulledPork when you would run the application it would process the rules tarball as designated in your configuration, regardless of whether or not the source tarball had changed (no new rules tarball for example).  With the new changes the source rules tarball is ONLY processed if it is new/changed OR if you specify the -P runtime flag.  So for tuning exercises or out of band runs when the source tarball is unchanged, you MUST specify the -P flag for any processing to occur.

Inline with the new IP Reputation preprocessor that was introduced in Snort 2.9.1 we have included full support for this feature.  This support includes a couple of new configuration options that are located in the pulledpork.conf and allow for retrieval of multiple ip reputation lists (PulledPork will automatically de-dupe these lists).  If you are running Snort on Linux you are also able to specify at ./configure time an option to allow for in-memory reloading of IP Reputation lists, thus you do not have to SIGHUP or completely reload Snort.  This in-memory reload is accomplished by using a control socket that this version of PulledPork is capable of utilizing.

Working closely with the Barnyard2 team we have developed a new version of the data in the  This allows for more information to be included in intrusion events such as the revision of the rule (currently not included in alerts).  The default version is still version 1 of the file, it is CRITICAL to note that only Barnyard 2.2+ supports this new version of the file and as such ONLY when using this version or newer of Barnyard 2.2+ should you change this value in your pulledpork.conf.

When utilizing the default configuration that creates two single unified rules files (one for so_rules and one for text rules) the so_rules stub files are now included in the single rules tarball.  This means that you no longer need to include the so_rules.rules file.  This single rules file is now internally separated by category and rule type, or generator to allow for rapid rule location and more logical perusing of the file.

As per the usual, thank you for your continued support and usage of PulledPork and Snort.  Should you have any questions or concerns please feel free to file a bug report or new feature request at and also to participate in the community mailing list that can be found at

Bug Fixes:
- Bug #79 - Fixed race condition that did not allow for disabled rules to be modified using modifysid
These rules would then be enabled by flowbit dependency check and be unmodified
- Bug #77 - Adjusted chown property of archive::tar
- Bug #78 - Adjusted per bug report to allow for proper ignoring of preproc.rules
- Bug #102 - Only Enabled rules are written to now when -E flag is specified
- Bug #99 - Doc Bug, updated docs associated with snort_version variable
- Bug #96 - Modified code to allow for same-line traling comments: "1:10011 #can haz disable!"
Also updated the rulestate files (enable,disable,drop)
- Bug #82 - Modified run order to force modifysid to run before all other sid state modification routines
This allows for sid changes to be made prior to automatic state determination ala automatic
flowbit resolution.  NOTE that this DOES NOT AND WILL NOT disable automatic flowbit
resolution, this is a critical piece.
- Bug #81 - Updated valid SO distro pre-compiled list
- Bug #114 - Update Regex to allow for null search/replace in modify_sid sub
- Unlisted Bug - Allow for escaped ; "\;" in references
- Bug #121 - Update to allow for new url and cert!
- Bug #119 - Fixed regex [^\\], should have been negative look behind (?<!\\)
- Bug #120 - Updated proxy code for better support and proper runtime load order
- Unlisted Bug - Account for multiple flowbits that are separated using &| operators
- Bug #126 - Removed Switch usage
- Bug #129 - Fixed to allow for -n usage (in conjunction with -P) when an ip list is used also
- Unlisted Bug - Fixed to allow for proper -P usage

New Features / changes:
- Bug #105 - Removed Switch function as it is deprecated in > 5.12 perl
- NEW - Added IP Reputation Preprocessor support
- NEW - Capability to use control socket for IP List reload
- NEW - -P runtime flag to (process even if there is no new rules tarball)**
- Bug #68 - Added basic surricata support
- Bug #115 - Single rules file now has category (and GID) separators
Correlating to this we have also removed the separate so_rules.rules file
All rules are now in a single snort.rules file unless the keep flag is
specified at runtime.
- NEW - Numerous sub rewrites to allow for better performance
- NEW - New format for barnyard 2.2+ gid || sid || rev || class || pri || msg || @refs
- NEW - SO rule categories are now prepended with VRT-SO
- NEW - More advanced structure (for use with by2.2+) and backward compatibility
This allows for better mapping of gid:sid:rev in the database!
- NEW - Rewrote the way that extraction is handled, to properly support a single rules tarball being
updated.  This includes how md5 validation is done and in what order.  If a single
file is updated then they are all extracted and processed.