Monday, March 28, 2011

PulledPork 0.6.0 the Smoking Pig, He's on Fire!

It has been some time since I posted anything at all, I had considered adding "relevant".  But that's simply not true, since it's been dead air for a while.

Having said this, I am pleased to announce PulledPork V 0.6.0 - the Smoking Pig is finally released as of, well, right now!

This version represents a decent amount of time spent improving the core of the tool to enhance speed, a large number of feature enhancements and also not an insignificant number of bugfixes!  A few quick notes before I copy and paste the changelog notes; If you are changing rulestate by doing anything in the drop|enable|disable config files with the category, you will now need to prepend the category that you want to modify with ET- or VRT- (based on where the rules came from).  Another item of note is that multiple rulesets are now fully supported, thus no need to run two or more instances of PulledPork.  Lastly but certainly not least is the capability to ignore source files on a more granular level: (plaintext, preproc, shared object or global).

One more big feature enhancement that I would like to point out, is the capability to create a backup/archive of your existing rules files / config files / whatever else you want!  kthx, moving on...

Please be sure to read through the documentation THOROUGHLY, a couple of the above noted changes could affect your implementation and I don't want you to be terribly shocked by that.  Plus, the things that you will need to update are trivial!

The new PulledPork can be downloaded at the following location:
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29
Without further rambling on my part, the changelog notes:

v0.6.0 the Smoking Pig

New Features / changes:
  • Added -q command line switch to squelch everything except fatal errors
  • Code clean up for readability
  • Move debug output to allow for better debugging of actual variable values
  • Update config to allow for ssl from ET
  • Update config to allow for new snort rules gzip
  • Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).
  • Bug #50 - You can now create backups and archives of your existing config and rules files etc...
    • This adds the PM requirement of File::Find
  • Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)
  • Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files
  • Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.
  • Bug #63 - added sid MSG information to changelog output.
  • Added -k and -K options to allow for the writing of the original source file rather than one large output file.
  • Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for paralell ruleset operations.  This also provides more granularity in that scenario wherein the user could set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.
  • Added support for 500 errors, specifying that users should update their root cert store!
Bug Fixes:
  • Bug #39 - updated to allow for use of username:pass@proxy.url
  • Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified
  • Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded
  • Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)
  • Bug #46 - throw error if a config file that is specified does not exist   
  • Bug #42 - Added OpenSUSE-11-3 to list
  • Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...
  • Bug #51 - Increased timeout value to 60 seconds
  • Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flobwits values to incorrectly be auto-enabled.
  • Bug #61 - Fixed so that .so rules are not touched!
  • Bug #67 - Fixed regex to allow for space between ( and msg.
  • Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing
  • Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.
  • Bug #62 - Added check for amd64 string during arch detection!

Special Notes:
  • Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user.  And frankly, I don't understand it ;-)
  • Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!
 That should just about cover it for now, as always, I want to also thank the community for their support and feedback!  If you have any questions, comments, concerns, or otherwise then please feel free to hit me up in #snort or #pulledpork on freenode.  You are also always welcome and encouraged to join the mailing list that can be found at  And of course you can also submit feedback / bugs / feature requests at