Feature #590
closed
Thinking that maybe this falls a bit outside the scope of the suricata docs? Using suricata will be the same regardless of what rule management framework a person uses.
I think it's a critical step for most users to use a rule manager, with generally a few Suricata specific aspects. So it would make sense for us to document it, and also to recommend it to users.
- Assignee set to Andreas Herz
Does anyone have a working pulledpork.conf for Suricata and ETOpen?
- Assignee changed from Andreas Herz to Anonymous
Hi,
there's just one thing that Pulledpork currently lacks for Suricata and that's the signal compatibility (Snort uses SIGHUP for reloading its rules and it's hardcoded into the Pulledpork code).
That GitHub PR https://github.com/shirkdog/pulledpork/pull/274 provides full support for Suricata signal compatibility but I'm afraid the Pulledpork guy is a bit lazy about accepting PRs. :)
I myself use the current version of Pulledpork with the aforementioned patch and it works like a charm, so, in the end the key points are just changing (apart from the common options for the rules) the pid_path and the snort version in the pulledpork.conf file this way:
pid_path=/usr/local/var/run/suricata.pid
snort_version=suricata-4.0
Hope that helps
Forgot to mention how to run Pulledpork with the above patch:
pulledpork.pl -H SIGUSR2 -c /usr/local/etc/pulledpork/pulledpork.conf -E -T
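As an added example (not code from the ticket or from Pulledpork itself), a small POSIX sh helper that checks a pulledpork.conf for the two Suricata-specific settings named above, and reloads Suricata with SIGUSR2 only after confirming the pid file points at a running Suricata process. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example: verify the Suricata-specific pulledpork.conf settings and
# reload rules with SIGUSR2 (Suricata) rather than SIGHUP (Snort).

# Return 0 when CONF sets snort_version=suricata-* and a pid_path, else 1.
# Reasons go to stderr so the check can run from cron or a wrapper script.
check_suricata_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # Comment lines never match; if a key is repeated the last one wins.
    ver=$(sed -n 's/^[[:space:]]*snort_version=//p' "$conf" | tail -n 1)
    pid=$(sed -n 's/^[[:space:]]*pid_path=//p' "$conf" | tail -n 1)
    case "$ver" in
        suricata-*) ;;
        *) echo "snort_version is '$ver', expected suricata-<version>" >&2; return 1 ;;
    esac
    [ -n "$pid" ] || { echo "pid_path is not set" >&2; return 1; }
    return 0
}

# Send SIGUSR2 to the pid in PIDFILE, but only if that pid is a live process
# whose command line mentions suricata, so a stale pid file never signals
# some unrelated process that later reused the pid.
reload_suricata() {
    pidfile="$1"
    [ -r "$pidfile" ] || { echo "no pid file at $pidfile" >&2; return 1; }
    spid=$(tr -d '[:space:]' < "$pidfile")
    case "$spid" in
        ''|*[!0-9]*) echo "pid file does not contain a number" >&2; return 1 ;;
    esac
    kill -0 "$spid" 2>/dev/null || { echo "pid $spid is not running" >&2; return 1; }
    args=$(ps -o args= -p "$spid" 2>/dev/null)
    case "$args" in
        *[Ss]uricata*) ;;
        *) echo "pid $spid is '$args', not suricata" >&2; return 1 ;;
    esac
    kill -USR2 "$spid"
}

# Constructed sample config (values taken from the comment above).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# pulledpork.conf excerpt, constructed for this example
rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
pid_path=/usr/local/var/run/suricata.pid
snort_version=suricata-4.0
EOF
```

Run the check before invoking pulledpork.pl, and use reload_suricata in place of the -H signal if you are on an unpatched Pulledpork that still sends SIGHUP.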
- Effort set to low
- Difficulty set to low
I'd like to suggest closing this ticket. I think it should be up to Pulled Pork to document using it for Suricata. I'd suggest the same for Oinkmaster, but for historical reasons maybe it should stay. However, once Suricata-Update is bundled, maybe we should remove Oinkmaster documentation as well.
- Status changed from New to Closed
- Effort deleted (low)
- Difficulty deleted (low)