PulledPork for Snort and Suricata rule management.
Features and Capabilities:
* Automated downloading, parsing, state modification and rule modification for all of your snort rulesets.
* Checksum verification for all major rule downloads
* Automatic generation of updated sid-msg.map file
* Capability to include your local.rules in sid-msg.map file
* Capability to pull rules tarballs from custom urls
* Complete Shared Object support
* Complete IP Reputation List support
* Capability to download multiple disparate rulesets at once
* Maintains accurate changelog
* Capability to HUP processes after rules download and process
* Aids in tuning of rulesets
* Verbose output so that you know EXACTLY what is happening
* Minimal Perl Module dependencies
* Support for Suricata, and ETOpen/ETPro rulesets
* A sweet smokey flavor throughout the pork!
Special Notes Section
Please note that pulledpork runs rule modification (enable, drop, disable, modify) in that order by default.
This means that disable rules will always take precedence: if you specify the same gid:sid in both the enable and disable configuration files, that sid will be disabled. Keep this in mind for ranges as well. However, you can specify a different order using the state_order keyword in the master config file.
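The precedence rule above, as an added illustration that is not pulledpork's own code: a small Python routine applies enable, drop and disable sets of gid:sid to rule lines in a configurable order, so the last state in the order wins. The rule text, the sid sets and the set-based config representation are constructed assumptions for the example; the modify step is left out.

```python
import re

# Constructed sample rules (not a real ruleset); sid 1000002 starts disabled.
SAMPLE_RULES = """\
alert tcp any any -> any 80 (msg:"A"; sid:1000001; rev:1;)
# alert tcp any any -> any 443 (msg:"B"; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"C"; sid:1000003; rev:1;)
"""

# Constructed state config: sid 1000001 appears in BOTH enable and disable.
EXAMPLE_STATES = {
    'enable': {'1:1000001', '1:1000002'},
    'disable': {'1:1000001'},
    'drop': {'1:1000003'},
}

SID_RE = re.compile(r'sid:\s*(\d+)\s*;')
GID_RE = re.compile(r'gid:\s*(\d+)\s*;')

def rule_key(line):
    """Return 'gid:sid' for a rule line (gid defaults to 1), else None."""
    body = line.lstrip('# ')          # look past a disabling comment marker
    m = SID_RE.search(body)
    if not m:
        return None
    g = GID_RE.search(body)
    return f"{g.group(1) if g else '1'}:{m.group(1)}"

def enable(line):
    return line.lstrip('# ')          # remove the comment marker
def disable(line):
    return line if line.startswith('#') else '# ' + line
def drop(line):
    return re.sub(r'^alert\b', 'drop', enable(line), count=1)

ACTIONS = {'enable': enable, 'drop': drop, 'disable': disable}

def apply_states(rules_text, states, state_order=('enable', 'drop', 'disable')):
    """Apply each state's gid:sid set in state_order; later states override."""
    out = []
    for line in rules_text.splitlines():
        key = rule_key(line)
        if key is not None:
            for state in state_order:
                if key in states.get(state, ()):
                    line = ACTIONS[state](line)
        out.append(line)
    return out
```

With the default order, sid 1000001 ends up commented out; passing state_order=('disable', 'drop', 'enable') leaves it active instead.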
Usage and Download:
yum install perl-Crypt-SSLeay
apt-get install libcrypt-ssleay-perl
git clone https://github.com/shirkdog/pulledpork && cd pulledpork
perl pulledpork.pl -h
perl pulledpork.pl -o /usr/local/etc/snort/rules/ -O 12345667778523452344234234 \
-u http://www.snort.org/reg-rules/snortrules-snapshot-2973.tar.gz -i disablesid.conf -T -H