Showing posts with label snort rule management. Show all posts

Monday, March 28, 2011

PulledPork 0.6.0 the Smoking Pig, He's on Fire!

It has been some time since I posted anything at all; I had considered adding "relevant" to that sentence, but that's simply not true, since it's been dead air for a while.

Having said this, I am pleased to announce PulledPork V 0.6.0 - the Smoking Pig is finally released as of, well, right now!

This version represents a decent amount of time spent improving the core of the tool to enhance speed, a large number of feature enhancements and also not an insignificant number of bugfixes!  A few quick notes before I copy and paste the changelog notes: if you change rule state by category in the drop|enable|disable config files, you will now need to prepend the category that you want to modify with ET- or VRT- (based on where the rules came from).  Another item of note is that multiple rulesets are now fully supported, so there is no need to run two or more instances of PulledPork.  Last but certainly not least is the capability to ignore source files on a more granular level (plaintext, preproc, shared object or global).

One more big feature enhancement that I would like to point out, is the capability to create a backup/archive of your existing rules files / config files / whatever else you want!  kthx, moving on...

Please be sure to read through the documentation THOROUGHLY, a couple of the above noted changes could affect your implementation and I don't want you to be terribly shocked by that.  Plus, the things that you will need to update are trivial!

The new PulledPork can be downloaded at the following location:
http://pulledpork.googlecode.com/files/pulledpork-0.6.0.tar.gz
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29
Without further rambling on my part, the changelog notes:

v0.6.0 the Smoking Pig

New Features / changes:
  • Added -q command line switch to squelch everything except fatal errors
  • Code clean up for readability
  • Move debug output to allow for better debugging of actual variable values
  • Update config to allow for ssl from ET
  • Update config to allow for new snort rules gzip
  • Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).
  • Bug #50 - You can now create backups and archives of your existing config and rules files etc...
    • This adds the PM requirement of File::Find
  • Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)
  • Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files
  • Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.
  • Bug #63 - added sid MSG information to changelog output.
  • Added -k and -K options to allow for the writing of the original source file rather than one large output file.
  • Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for parallel ruleset operations.  This also provides more granularity in that scenario, wherein the user can set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.
  • Added support for 500 errors, specifying that users should update their root cert store!
Bug Fixes:
  • Bug #39 - updated to allow for use of username:pass@proxy.url
  • Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified
  • Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded
  • Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)
  • Bug #46 - throw error if a config file that is specified does not exist   
  • Bug #42 - Added OpenSUSE-11-3 to list
  • Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...
  • Bug #51 - Increased timeout value to 60 seconds
  • Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flowbits values to incorrectly be auto-enabled.
  • Bug #61 - Fixed so that .so rules are not touched!
  • Bug #67 - Fixed regex to allow for space between ( and msg.
  • Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing
  • Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.
  • Bug #62 - Added check for amd64 string during arch detection!

Special Notes:
  • Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user.  And frankly, I don't understand it ;-)
  • Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!
That should just about cover it for now, as always, I want to also thank the community for their support and feedback!  If you have any questions, comments, concerns, or otherwise then please feel free to hit me up in #snort or #pulledpork on freenode.  You are also always welcome and encouraged to join the mailing list that can be found at http://groups.google.com/group/pulledpork-users/.  And of course you can also submit feedback / bugs / feature requests at http://pulledpork.googlecode.com.

Regards,
JJC

    Thursday, October 21, 2010

    Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

    This release of PulledPork (The Drowning Rat) represents quite a bit of development to include a number of community requested capabilities, change a few around, and repair some bugs!  Again, I would like to thank the community for their support, contribution and use of the PulledPork Snort rule management system.  The next section is an excerpt from the README.CHANGES and below there I may discuss some example use-cases and include some sample output.

    PulledPork Changelog

    v0.5.0

    New Features / changes:
    - Automatic VRT tarball name determination (based on local Snort Version)
    - Full support for ET Pro rulesets
    - Full support for new ET Download scheme
    - Issue #27 Modifysid capability
    - Capability to retrieve multiple rulesets in a single run
    - Issue #24 Added verbose output showing all requests, results and urls
    - Verbose output now shows percentage bar for downloads
    - Extra Verbose output now shows additional HTTP debug!
    - Set value in default.conf file to https for VRT downloads
    - Set UA Value to (PulledPork/X.X.X)
    - Capability to log critical information to syslog
    - Grabonly option, for those that only want to download the tarball(s)
    - Issue #34 Added the capability to specify the order of disable / enable / drop
        using the state_order configuration option in the master config file
    - Added a contrib directory
    - Added oink-conv.pl to contrib directory
        * converts oinkmaster config files to PP config files
        * Thx Russell Fulton!
    - Added README.CONTRIB to track contrib files (ohai manifest)
    - Perl Module Requirement Changes (SEE SECTION BELOW)
    - Issue #38 Added capability to extract reference docs from tarball and
        store in a defined path, NOTE this dramatically increases PP runtime
        * runtime value is -r

    Bug Fixes:
    - Should now correctly use environmentally set proxy settings
        * Shout to pkthound for his work and contribution here!
    - Fixed case where rules with multiple flowbit (un)?set values would not
        properly populate all of the flowbit values into the rules hash
    - Bug #29 - fixed to allow for proper sid-msg.map generation
    - Bug #28 - fixed numerous spellification issues
    - Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case


    Perl Module Requirement Changes:
    - LWP::Simple no longer required
    - LWP::UserAgent now required
    - HTTP::Request now required
    - HTTP::Status now required
    - Sys::Syslog now required
    - Crypt::SSLeay now required
    - Carp now required

    As you can see, and as I had indicated, there are a number of significant improvements and fixes.  It is important to note that there are a number of changes, that include new and changed options, to the master config and the addition of the modifysid.conf file that allows you to modify rules based on regular expression matches etc...

    Of course we also now fully support (ET Pro and the new ET open) rules and the capability to download multiple rulesets in a single run, rather than multiple config files referencing other .rules files as local rules etc...

    One other seemingly insignificant change is the capability to change the order in which the rule modification routines run, which lets you control rule state more granularly.  The default processing order is (enable, drop, disable); this can now be changed, for example to disable all rules in a specific category (or however you would select them) and then selectively enable rules out of that category, simply by changing the run order to disable,drop,enable.  Of course combining this with the pcre, category, modifysid etc.. capabilities gives you quite a bit of versatility.
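The ordering described above, as an added Python example (PulledPork itself is Perl; this is not its code) that also covers the VRT-/ET- category prefixes noted in the 0.6.0 post: two constructed rule categories are run through the enable, drop and disable passes in both orders, so the whole-category disable is seen to override the single-sid enable under the default order but not under disable,drop,enable. The "# " prefix for disabled rules and the alert-to-drop rewrite are this example's rendering assumptions.

```python
import re

# Constructed sample rules keyed by the category (source .rules file) they came
# from; the VRT-/ET- prefix is what 0.6.0 expects in the sid state config files.
SAMPLE_FILES = {
    "VRT-web-iis": [
        'alert tcp any any -> any 80 (msg:"WEB-IIS a"; sid:1001; rev:1;)',
        'alert tcp any any -> any 80 (msg:"WEB-IIS b"; sid:1002; rev:1;)',
    ],
    "ET-policy": [
        'alert tcp any any -> any any (msg:"ET POLICY a"; sid:2001; rev:1;)',
        'alert tcp any any -> any any (msg:"ET POLICY b"; sid:2002; rev:1;)',
    ],
}

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
STATE_FOR_STEP = {"enable": "enabled", "drop": "dropped", "disable": "disabled"}


def rule_key(rule):
    """Return (gid, sid) for one rule line; gid defaults to 1 as in Snort."""
    sid = int(SID_RE.search(rule).group(1))
    gid_m = GID_RE.search(rule)
    return (int(gid_m.group(1)) if gid_m else 1, sid)


def load_rules(files):
    """Flatten {category: [rule, ...]} into {(gid, sid): (category, rule)}."""
    rules = {}
    for category, lines in files.items():
        for rule in lines:
            rules[rule_key(rule)] = (category, rule)
    return rules


def selects(entry, category, key):
    """One config entry: a prefixed category name or an exact gid:sid."""
    if entry.startswith(("VRT-", "ET-")):
        return entry == category
    gid, sid = entry.split(":")
    return key == (int(gid), int(sid))


def apply_state(rules, enable, drop, disable, state_order="enable,drop,disable"):
    """Run the three passes in state_order; a later pass overrides an earlier one.

    Returns {(gid, sid): "enabled" | "dropped" | "disabled"}.
    """
    lists = {"enable": enable, "drop": drop, "disable": disable}
    state = {key: "enabled" for key in rules}      # everything starts enabled
    for step in (s.strip() for s in state_order.split(",")):
        for entry in lists[step]:                  # unknown step name -> KeyError
            for key, (category, _) in rules.items():
                if selects(entry, category, key):
                    state[key] = STATE_FOR_STEP[step]
    return state


def render(rules, state):
    """Write rules as the output file would: '# ' for disabled, drop action for dropped."""
    out = []
    for key, (_, rule) in rules.items():
        if state[key] == "disabled":
            out.append("# " + rule)
        elif state[key] == "dropped":
            out.append(re.sub(r"^alert\b", "drop", rule))
        else:
            out.append(rule)
    return out


if __name__ == "__main__":
    rules = load_rules(SAMPLE_FILES)
    # Goal: keep only 1:1001 from the whole VRT web-iis category, drop 1:2002.
    enable, drop, disable = ["1:1001"], ["1:2002"], ["VRT-web-iis"]
    for order in ("enable,drop,disable", "disable,drop,enable"):
        print("state_order=" + order)
        for line in render(rules, apply_state(rules, enable, drop, disable, order)):
            print("  " + line)
```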

    So, without further ado, I give you:
        http://code.google.com/p/pulledpork/
          _____ ____
         `----,\    )
          `--==\\  /    PulledPork v0.5.0 The Drowning Rat
           `--==\\/
         .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
      @_/        /  66\_  cummingsj@gmail.com
        |    \   \   _(")
         \   /-| ||'--'  Rules give me wings!
          \_\  \_\\
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
        They Match
        Done!
    Prepping rules from snortrules-snapshot-2861.tar.gz for work....
        Done!
    Checking latest MD5 for etpro.rules.tar.gz....
        They Match
        Done!
    Prepping rules from etpro.rules.tar.gz for work....
        Done!
    Checking latest MD5 for emerging.rules.tar.gz....
        They Match
        Done!
    Prepping rules from emerging.rules.tar.gz for work....
        Done!
    Reading rules...
    Reading rules...
    Activating security rulesets....
        Done
    Setting Flowbit State....
        Enabled 264 flowbits
        Enabled 29 flowbits
        Enabled 4 flowbits
        Enabled 2 flowbits
        Done
    Writing /home/jj/snort.rules....
        Done
    Generating sid-msg.map....
        Done
    Writing /home/jj/sid-msg.map....
        Done
    Writing /home/jj/sid_changes.log....
        Done
    Rule Stats....
        New:-------0
        Deleted:---0
        Enabled Rules:----4506
        Dropped Rules:----0
        Disabled Rules:---17797
        Total Rules:------22303
        Done
    Please review /var/log/sid_changes.log for additional details
    Fly Piggy Fly!
    Bah, Paste chopped my flying pig up ;-)

    Get it here:
    pulledpork-0.5.0.tar.gz latest hashes:
    MD5SUM = 60c0abe78945876c643760b3bb2afdb6
    SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872

    Cheers,
    JJC 

    Thursday, July 1, 2010

    PulledPork 0.4.2 501 error when downloading rules

    This issue most typically stems from a missing Perl Module that is required to communicate via SSL using LWP::Simple.  This required Perl Module is Crypt::SSLeay and is not included in the LWP::Simple redistributed package from the Ubuntu 8.x repositories, and will typically fail to install via CPAN on many Ubuntu server installations.  As such you simply need to do the following (on Ubuntu, since this is the only place I have seen it broken):

    sudo apt-get install libcrypt-ssleay-perl

    Of course if you are not running Ubuntu then you will need to use CPAN or find whatever repackaged garbage that your distro is using to distribute this ;-).

    One other cause could be that your root certificates are outdated, so if you have the aforementioned PM installed and are still receiving a 501.. this is likely the cause... google how to update your root certificates for your distro!  Again, for the sake of completeness, this is how you do it on Ubuntu:

    sudo apt-get install ca-certificates
    sudo update-ca-certificates

    I have also added this to the PP FAQ.

    Cheers,
    JJC

    Tuesday, June 29, 2010

    PulledPork 0.4.2 - get it while it's hawt!

    This release represents a number of significant enhancements and features (all listed below). Probably the most important to note are the changes from a delimiter of | to : when modifying rule state. We also now automatically determine snort version and OS arch. One of the most useful features, IMHO, is the pcre: rule state modification capability.. see the rule modification configs for more details... but let's say that I wanted to disable ALL MSXX rules because I run a strictly *nix environment... simply place something like pcre:MS\d{2}-\d+ into the disablesid.conf and use that file by specifying -i.

    As noted below, there are MANY other changes, fixes, and additions so please don't hesitate to ask questions in irc (freenode #pulledpork) or on the
    mailing list.

    get it here ->
    http://code.google.com/p/pulledpork

    v0.4.2


    New Features / changes:

    • Capability to modify rules by category (See README.CATEGORIES)
    • Capability to modify rules using regular expressions (pcre:) - See sid modification configs
    • Capability to use regular expressions in specific rule modifications - See sid modification configs
    • Changed the | delimiter for cve,bugtraq etc to :
    • Added README.CATEGORIES
    • Added README.SHAREDOBJECTS
    • Follow flowbit chains
    • Moved README files to doc
    • Automatically determine arch
    • Automatically determine Snort Version
    • Added some verbiage surrounding HUP vs Restart vs When/where/who and how
    • Added support for new snort.org download scheme of http://snort.org/reg-rules...
    Bug Fixes:
    • Certain rule-specific GID values were not being properly parsed by the modifysid sub.
    • Bug #20 fixed, ranges are no longer off by +1 additional rule being enabled
    • Enhancement request #21, added more descriptive information to dropsid.conf and to README
    • Fixed flaw that caused certain flowbits to not be set (when GID boundaries were crossed and multiple keys were checked)
    • Enhancement request #22 updated the master config file to contain all of the currently available precompiled SO rules
    • Remove risky system calls, use handles instead
    pulledpork-0.4.2.tar.gz latest hashes:
    MD5SUM = d11b9d884f940a0df293718a4d4b3913
    SHA256 = 3491b8c3c99c621cfd6467da2c43866f33ede1d096538e4a497cdf52b49ad677

    Cheers,

    JJC

    Monday, April 26, 2010

    PulledPork 0.4.1, I see your sensitive data!

    In conjunction with the Snort 2.8.6 release and the new Snort Rules tarball format, pulledpork 0.4.1 is now released!  As noted below, there are a number of changes and fixes.  When updating your pulledpork, please be sure to use the latest master configuration file that is included in the release tarball and read through it thoroughly.

    Notable changes include the tarball filename change, preprocessor rules and sensitive data rules.  Note that pulledpork 0.4.0 will still work with 2.8.6 but will not properly make use of the new rules that I just listed and that you will need to change the rules tarball name for VRT releases.  Please also note that if you use pulledpork 0.4.1 and are still using Snort 2.8.5.3 that you need to make some changes in the "ignore" variable section of the pulledpork.conf file.

    New Features/changes:
    • Flowbit tracking! - This means that flowbits are no longer all enabled when a specific base ruleset is specified (security etc...); instead all flowbits are now tracked, so that only those that are required get enabled.
    • Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.
    • Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.
    • Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.
    • Handle preprocessor and sensitive-information rulesets
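Flowbit tracking as the list above describes it, in an added Python example (not PulledPork's Perl code): starting from the rules a base policy turned on, every flowbit those rules check is resolved to the rules that set it, those rules are enabled, and the walk repeats so chains of setters are followed; it also reports bits that nothing in the set can ever set, the "unchecked flowbits" condition the 0.6.0 fixes mention. The rules are constructed; treating set/setx/toggle as setters and isset/isnotset as checks, and tolerating whitespace after "flowbits:" as in the ET rules, are this example's assumptions.

```python
import re

# Constructed rules keyed by (gid, sid): a three-link chain (102 -> 101 -> 100),
# a second bit that 100 also needs (103), an unrelated setter (104) and a rule
# that checks a bit nothing sets (105).  Rules 101 and 103 carry the ET-style
# whitespace after the option keyword and comma.
SAMPLE_RULES = {
    (1, 100): 'alert tcp any any -> any 80 (msg:"stage3 payload"; flowbits:isset,stage2; '
              'flowbits:isset,ua.seen; sid:100; rev:1;)',
    (1, 101): 'alert tcp any any -> any 80 (msg:"stage2 marker"; flowbits: isset, stage1; '
              'flowbits:set,stage2; flowbits:noalert; sid:101; rev:1;)',
    (1, 102): 'alert tcp any any -> any 80 (msg:"stage1 marker"; flowbits:set,stage1; '
              'flowbits:noalert; sid:102; rev:1;)',
    (1, 103): 'alert tcp any any -> any 80 (msg:"ua seen"; flowbits: set, ua.seen; '
              'flowbits:noalert; sid:103; rev:1;)',
    (1, 104): 'alert tcp any any -> any 80 (msg:"unrelated setter"; flowbits:set,other.bit; '
              'flowbits:noalert; sid:104; rev:1;)',
    (1, 105): 'alert tcp any any -> any 80 (msg:"orphan check"; flowbits:isset,never.set; '
              'sid:105; rev:1;)',
}

# Optional whitespace around ':' and ',' is accepted; captures the operator and
# the optional bit name(s) that follow it.
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;')
SETTERS = ('set', 'setx', 'toggle')
CHECKS = ('isset', 'isnotset')


def flowbit_ops(rule):
    """Return (sets, checks): bit names this rule sets and bit names it tests."""
    sets, checks = set(), set()
    for op, names in FLOWBITS_RE.findall(rule):
        if not names:                           # noalert / reset carry no bit name
            continue
        for name in re.split(r'[&|]', names):   # 'a&b' style multi-bit operands
            name = name.strip()
            if op in SETTERS:
                sets.add(name)
            elif op in CHECKS:
                checks.add(name)
    return sets, checks


def resolve_flowbits(rules, enabled):
    """Follow flowbit chains outward from an initially enabled set of rule keys.

    Returns (enabled_keys, tracked_bits, dangling_bits): the rules that must be
    on, the bit names that were tracked, and the bits some live rule checks but
    no rule in the set can ever set.
    """
    enabled = set(enabled)
    setters = {}
    for key, text in rules.items():
        for name in flowbit_ops(text)[0]:
            setters.setdefault(name, set()).add(key)

    pending = set()
    for key in enabled:
        pending |= flowbit_ops(rules[key])[1]
    tracked = set()
    while pending:
        name = pending.pop()
        tracked.add(name)
        for key in setters.get(name, ()):
            if key not in enabled:
                enabled.add(key)
                # A setter may itself depend on an earlier bit: queue those too.
                pending |= flowbit_ops(rules[key])[1] - tracked
    dangling = {name for name in tracked if name not in setters}
    return enabled, tracked, dangling


if __name__ == "__main__":
    on, bits, missing = resolve_flowbits(SAMPLE_RULES, {(1, 100)})
    print("enabled rules:", sorted(on))
    print("Enabled %d flowbits: %s" % (len(bits), sorted(bits)))
    print("flowbits with no setter:", sorted(missing))
```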

    Bug Fixes:
    • Bug #18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure, added an extra check to ensure that this does not occur
    • Cleaned up href pointers, syntactical purposes only...
    • Modified master config to allow for better readability on smaller console based systems
    • Error output was not always returning full error, fixed this

    Thanks to the community for continued support and feedback!

    Cheers,
    JJC

    Friday, March 26, 2010

    Pulling Pork with the Drunken Leprechaun (PP 0.4.0)


    PulledPork 0.4.0 (Drunken Leprechaun) is officially released and can be downloaded here -> pulledpork-0.4.0.tar.gz


    This version constitutes a major rewrite of the rule reading, modification and writing system to improve speed, future module addition, supportability, and of course reliability.  Incidentally, the codename was partially chosen due to a majority of the rewrites being finished on St. Patrick's Day.

    One specific change to note is the use of Archive::Tar, this makes PulledPork more system independent.  As such though, you will need to install Archive::Tar if you do not have it currently installed, you can do so using CPAN, please see the PulledPork FAQ for further information.

    New Features/changes:
    • Enablesid (-e enablesid.conf)
    • Moved all .conf files under etc/
    • Ability to define sid ranges in any of the sid modification .conf files
    • Ability to specify references in any of the sid modification .conf files
    • Ability to ignore entire rule categories (i.e. not include them)
    • Specify locally stored rules files that need their meta data included in sid-msg.map
    • All rulestate modifications, comparisons etc.. are now handled in-memory
    • Rewrite of sid-msg.map generation code to allow for all proper character reading and addition to sid-msg.map
    • No longer reliant on tar binary, now using Archive::Tar
    • Ability to specify your arch for so_rules
    • Added significant amounts of debug output when an error is detected
    • Rules are now written to only two distinct files
    • Cleaned up changelog and added more information to it
    Bug Fixes:
    • Properly account for whitespace in non-standard rulesets such as ET
    • Cleaned up and improved the changelog to display new / deleted sids and rule totals
    • Certain conditions caused the md5 check to fail even when valid - This was primarily an ET issue, but did manifest on VRT rulesets also
    • Many small fixes that were not tracked well :-P
    • Do not overwrite local.rules, but still include in sid-msg.map generation
    A little more detail about some of the new key features, note that there are more.. please read through all of the conf files and README thoroughly:

    Initially you may not notice a significant performance increase, unless you already have a large count of disable or drop sids specified in your configuration because this is where the major improvement was made.  I can't help how slow your internet connection is and thusly how long it takes you to download the tarball itself ;-).

    One key change that you will note is that all rules are now written to only two distinct files: one for GID:1 rules and one for GID:3 rules.  The logic behind this is simple; if a new rule category comes out (a new or different .rules file within the VRT or ET tarball) then it will automatically be included in your snort.conf, since you will have only one or both of the aforementioned GID:1 or GID:3 rules files included.  Please note these changes in the rule_path and sostub_path within the pulledpork.conf file.

    Somewhat hand-in-hand with the previous change is the addition of the ignore variable within the pulledpork.conf file.. this specifies what categories/rule files that you want excluded from your configuration.  By default these are deleted, experimental, and local.

    If you have a local.rules file or other already locally existing rules files, you can specify them with the local_rules variable, doing so will tell pulledpork to read these rules and populate their meta data into the sid-msg.map.

    Enablesid - This was a widely requested feature, the capability to enable specific sids etc.

    Sid modification ranges - This stemmed from one of the enablesid requests (an option to enable ALL sids) and my interpretation of what I thought would be more useful.  This feature gives you the capability to specify a range of sids in any of the sid state modification configuration files in the format of GID:SID-GID:SID.  Please see the individual configuration files for additional information.

    Reference modification - This was another community request and allows the user to specify any reference within a rule and perform an operation on that rule (disable, enable, drop...).  The formatting is simple, the user specifies, in one of the sid state modification configuration files, the reference information such as cve|XXX-XXXX,MSXX-XXXX.  Please see the individual configuration files for additional information.

    Excerpt from an example configuration file:
    # example of enabling ranges and references!
    # you should be specific when enabling a range of rules.. don't just put an extremely high number
    # this would be at the cost of speed and memory usage.
    1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004
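An added Python example (not PulledPork's Perl code) that parses the excerpt above and resolves it against a handful of constructed rules: exact gid:sid entries, gid:sid-gid:sid ranges, type|value references (also with the ":" delimiter that 0.4.2 switched to) and bare references such as MS09-004, plus the pcre: entries from the 0.4.2 post. Assumed conventions: "#" starts a comment, a pcre: entry takes a whole line, and a bare reference matches any reference value containing it, case-insensitively.

```python
import re

# Constructed sample rules (bodies trimmed to what the matcher reads).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS unicode"; sid:1101; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-IIS trace"; sid:1500; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS smb"; '
    'reference:cve,1999-0499; sid:2500; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXPLOIT ssl"; '
    'reference:bugtraq,22026; sid:2600; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS MS09-004 attempt"; '
    'reference:url,technet.microsoft.com/security/bulletin/MS09-004; sid:3000; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS MS08-067 attempt"; sid:3001; rev:1;)',
]

# The excerpt from the post, verbatim, and a pcre: line as in the 0.4.2 post.
EXAMPLE_SPEC = """\
# example of enabling ranges and references!
1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004
"""
PCRE_SPEC = r"pcre:MS\d{2}-\d+"

SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')
REF_RE = re.compile(r'\breference\s*:\s*([^,;]+?)\s*,\s*([^;]+?)\s*;')
RANGE_RE = re.compile(r'(\d+):(\d+)-(\d+):(\d+)')
SID_TOKEN_RE = re.compile(r'(\d+):(\d+)')
REF_TOKEN_RE = re.compile(r'([A-Za-z_]+)[|:](.+)')   # cve|... (0.4.0) or cve:... (0.4.2)


def parse_spec(text):
    """Turn a sid modification file into a list of (kind, value) selectors."""
    selectors = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()           # assumed: '#' starts a comment
        if not line:
            continue
        if line.startswith('pcre:'):                  # regex may contain commas: whole line
            selectors.append(('pcre', re.compile(line[5:].strip())))
            continue
        for tok in (t.strip() for t in line.split(',') if t.strip()):
            m = RANGE_RE.fullmatch(tok)
            if m:
                g1, s1, g2, s2 = map(int, m.groups())
                selectors.append(('range', ((g1, s1), (g2, s2))))
                continue
            m = SID_TOKEN_RE.fullmatch(tok)
            if m:
                selectors.append(('sid', (int(m.group(1)), int(m.group(2)))))
                continue
            m = REF_TOKEN_RE.fullmatch(tok)
            if m:
                selectors.append(('ref', (m.group(1).lower(), m.group(2).lower())))
                continue
            # Bare reference such as MS09-004: assumed to match any reference value
            # containing it (e.g. a bulletin url), case-insensitively.
            selectors.append(('refany', tok.lower()))
    return selectors


def rule_info(rule):
    """Return ((gid, sid), [(ref_type, ref_value), ...]) for one rule line."""
    sid = int(SID_RE.search(rule).group(1))
    gid_m = GID_RE.search(rule)
    gid = int(gid_m.group(1)) if gid_m else 1          # Snort defaults gid to 1
    refs = [(t.lower(), v.lower()) for t, v in REF_RE.findall(rule)]
    return (gid, sid), refs


def selected(rule, selectors):
    """True if any selector applies to this rule."""
    key, refs = rule_info(rule)
    for kind, val in selectors:
        if ((kind == 'sid' and key == val)
                or (kind == 'range' and val[0] <= key <= val[1])
                or (kind == 'ref' and val in refs)
                or (kind == 'refany' and any(val in v for _, v in refs))
                or (kind == 'pcre' and val.search(rule))):
            return True
    return False


def matching_sids(rules, spec):
    """Sorted (gid, sid) keys of the rules that a modification file selects."""
    selectors = parse_spec(spec)
    return sorted(rule_info(r)[0] for r in rules if selected(r, selectors))


if __name__ == "__main__":
    print("excerpt selects:", matching_sids(SAMPLE_RULES, EXAMPLE_SPEC))
    print("pcre selects:   ", matching_sids(SAMPLE_RULES, PCRE_SPEC))
```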

    Excerpt from new changelog format:
    -=Begin Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-

    New Rules
            1:16492
            1:16493
            1:16494
            1:16495
            1:16496
            1:16497
            1:16498
            1:16499
            1:16500

    Set Policy: security

    Rule Totals
            New:-------9
            Deleted:---0
            Enabled:---5378
            Dropped:---0
            Disabled:--3606
            Total:-----8984

    -=End Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-
    You will want to take the paths out of your old pulledpork.conf and use the new pulledpork.conf, since there are so many new features and variables pulledpork will not function without the updated pulledpork.conf file.  All of the other sid modification conf files remain unchanged, however.

    Please be sure that you read the README and all configuration files thoroughly as there are many changes.

    JJC

    Tuesday, January 12, 2010

    ET Rules and /\s?/

    It was recently brought to my attention that many of the rules within the various Emerging Threats rulesets have a whitespace character after value definitions such as flowbits:set and msg: (hence the /\s?/ in the title). Unfortunately I had not noticed this within the ET rulesets.

    PulledPork was originally written to handle VRT rulesets from snort.org (none have this formatting flaw) and as such I had not accounted for it, as mentioned previously. The fix is a simple regex modification to the PulledPork code, you can get the patch here: http://pulledpork.googlecode.com/files/pp_304_whitespace.patch and apply it to pulledpork.pl.

    For those that might ask the question "what if there are multiple whitespaces, ala \s*": this is NOT the case, I spoke with rotorhead from the ET team and all ET rules are normalized to at least remove multiple whitespace chars.

    This fix has already been checked into svn but I will not be re-releasing 0.3.4 to account for this.. but will likely be generating daily snapshots in the near future.

    Cheers,
    JJC

    Monday, January 11, 2010

    Time to own your rules - PulledPork 0.3.4 Released!


    After what seems like forever since I have made a post about anything, I am pleased to announce the general availability of the latest version of PulledPork! This new version (v0.3.4) has a significant number of bugfixes for a variety of OS/distributions in addition to the numerous feature enhancements noted below.

    I would like to thank all of the individuals that provided beta testing assistance and valuable feedback. I would also like to thank all of the users that have adopted PulledPork and sent in comments / feature requests. PulledPork certainly would not be where it is without your support and contributions!

    Now that we are through the mushy stuff, on to the features!

    VRT Rulesets! - Support metadata based VRT recommended rulesets - The short of it is that you can now specify a default pre-defined ruleset, yes.. this ruleset was designed by the VRT! The individual pre-defined rulesets that can be specified are fairly straightforward:
    • Connectivity - You run a lot of real time applications (VOIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile most likely to affect the largest number of people type of vulnerabilities.
    • Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks, start here.
    • Security - You don't care about dropping your bosses email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist, start here!

    Changelog - This feature allows you to specify that you want a changelog (any rule that has any change in it from your previous ruleset, i.e. disabled, enabled, modified etc..) maintained for any and all changes, in a specified log file.

    Inline Drops - This feature allows you to specify what SIDs you want to be set to drop, for those running an inline setup!

    Multiline Rules - Added full support for parsing of multiline rules.

    Enhancements - Many minor enhancements made to the debugging output, speed enhancements, code cleanup, error handling etc...

    There are quite a few runtime options and configuration options, please be sure to read through the README files thoroughly, also please be sure to use the latest pulledpork.conf that is included in the tarball! That's about it for now, please feel free to participate by asking questions on the mail list at http://groups.google.com/group/pulledpork-users/ or on freenode in #snort or #pulledpork

    One final note, all of the release tarballs will now be named as pulledpork-X.X.X.tar.gz to help out with those maintaining packages and ports, thanks!

    Download the tarball here pulledpork-0.3.4.tar.gz
    MD5SUM = 034f90a2555c5f82e760b0ce68489ad2
    SHA256 = 8b775e6476d653733f3d29ea9c962a76feaf148f3204a90fd47c646802448b80

    Cheers,
    JJC

    Wednesday, October 14, 2009

    Pulledpork v0.2.5 - Released

    A new and updated version of pulledpork is out, this version adds functionality and also addresses a number of previously reported bugs, a few simple examples:

    • Improved and cleaned up code for efficiency and speed
    • Do not overwrite local.rules on run
    • Do not attempt to copy . and .. as rules files
    • Much more...
    The primary feature that has been added allows for the capability to download rules from sites other than snort.org (VRT). Any url can be specified to download a rules tarball from, however md5 hash verification will only work when VRT or ET locations are specified. If a different location (i.e. a local redistribution point) is specified, please be sure to specify the -d (do not verify md5) option. Please see the README and pulledpork.conf files for more information on usage of new and existing options and features.

    New option runtime flag:
    • -u Where do you want me to pull the rules tarball from
    (ET, Snort.org, see pulledpork config base_url option for value ideas)

    A new tarball containing all of the new features will be published today at http://code.google.com/p/pulledpork/downloads/list

    Thursday, July 16, 2009

    pulledpork 0.2.2 and new features

    Get it while it's hot @here!

    I have received a few requests to build support into pulledpork for the restarting of processes (i.e. snort after downloading new rules or modifying the ruleset using disablesid). In response to this, it is done ^-^. You will note in the pulledpork.conf file that there is a new option at the bottom called pid_path. Simply list the path to your pid files (/var/run/snort_intx.pid,/path/to/another/pid.pid) etc... and specify -H at runtime.. you will be magically pleased (assuming you run pulledpork under a context that has permissions to restart said PID).

    I also added a second option "-n" that will allow you to make modifications to the disablesid.conf file and re-execute pulledpork without attempting to download the current ruleset or md5 again (ala tuning exercises...).

    Please see the included README for additional info and general guidelines on usage... below is some sample output.

    ./pulledpork.pl -c ../pulledpork.conf -i disablesid.conf -THn
    Prepping files for work....
    Done!
    Copying rules files....
    Done!
    Disabling your chosen SID's....
    Disabled 1 rules in /usr/local/etc/snort/rules/web-iis.rules
    Disabled 2 rules in /usr/local/etc/snort/rules/backdoor.rules
    Disabled 1 rules in /usr/local/etc/snort/rules/rpc.rules
    Disabled 1 rules in /usr/local/etc/snort/rules/exploit.rules
    Done
    HangUP Time....
    Done!
    Fly Piggy Fly!
    That's all for now, enjoy!

    JJC

    Thursday, June 25, 2009

    BASE / ACID outdated reference links - a fix

    Recently, with changes to the snort.org site, the Snort mailing lists have been quite inundated with questions about the link to the SID reference and how it is no more. As a partial means of compensating for this and to help the community, we have recently added an up-to-date tool at rootedyour.com that will allow for you to once again have a valid snort reference link.


    In BASE, simply locate the following section of your base_conf.php:
    /* Signature references */
    $external_sig_link = array('bugtraq' => array('http://www.securityfocus.com/bid/', ''),
    'snort' => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),
    'cve' => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),
    'arachnids' => array('http://www.whitehats.com/info/ids', ''),
    'mcafee' => array('http://vil.nai.com/vil/content/v_', '.htm'),
    'icat' => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),
    'nessus' => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),
    'url' => array('http://', ''),
    'local' => array('signatures/', '.txt'));


    and modify the 'snort' line to match:
    'snort' => array('http://www.rootedyour.com/snortsid?sid=', ''),
    Once this is done, you are all set, the snort documentation link will now take you to rootedyour.com and display the info for that SID.

    Obviously if you want to do this in other applications, simply point them to http://www.rootedyour.com/snortsid?sid=xxxxx where xxxxx is the SID that you want to know about. ex: http://rootedyour.com/snortsid?sid=234

    Cheers,
    JJC

    Tuesday, June 2, 2009

    v0.2 Beta 1 is out! -> pulledpork that is <-



    As the title indicates, the first beta for v0.2 of pulledpork has just been checked in to the pulledpork svn.

    A short list of the current feature sets is below.



    Release 0.1:

    Release 0.2:

    So, as you can see above, I have added quite a bit of code and functionality to PulledPork. The disablesid function should be pretty robust (perhaps I'll add some additional error handling), but for the most part it should rock and roll!

    I'll likely be adding a modifysid section to mirror what Oinkmaster does with its modifysid function, but that's probably still a few weeks out.
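    For readers unfamiliar with the two operations named above, here is an added Python example (not PulledPork's or Oinkmaster's code, which are Perl) showing what a disablesid and an Oinkmaster-style modifysid do to a rules file: the first comments out the active rules whose sid is listed, the second applies a regex substitution only to the rules with the listed sids. The rules file is constructed for the example and assumes the one-rule-per-line layout the VRT tarballs ship in.

```python
import re

# Constructed sample rules file; sids in the 1000000+ local range, not from any release.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE one"; flow:to_server,established; content:"/a"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE two"; flow:to_server,established; content:"/b"; sid:1000002; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE three"; content:"/c"; sid:1000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def rule_sid(line):
    """sid of the rule on this line (commented or not), or None for non-rule lines."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def disablesid(text, sids):
    """Comment out every active rule whose sid is in `sids`.

    Rules that are already commented out are left alone, so running this twice
    does not stack '# ' prefixes. Returns (new_text, number_of_rules_disabled),
    matching the 'Disabled N rules in <file>' count PulledPork reports.
    """
    out, count = [], 0
    for line in text.splitlines():
        stripped = line.lstrip()
        if not stripped.startswith("#") and rule_sid(stripped) in sids:
            out.append("# " + line)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


def modifysid(text, sids, pattern, replacement):
    """Oinkmaster-style modifysid: re.sub(pattern, replacement) on rules with the given sids.

    Applies to commented rules as well, so a modifysid can also re-enable a rule.
    Returns (new_text, number_of_rules_changed).
    """
    out, count = [], 0
    rx = re.compile(pattern)
    for line in text.splitlines():
        if rule_sid(line) in sids:
            new_line, n = rx.subn(replacement, line)
            count += 1 if n else 0
            out.append(new_line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


if __name__ == "__main__":
    disabled, n = disablesid(SAMPLE_RULES, {1000002, 1000003})
    print(f"Disabled {n} rules")
    print(disabled)
    modified, m = modifysid(SAMPLE_RULES, {1000001}, r"^alert", "drop")
    print(f"Modified {m} rules")
    print(modified)
```

The two functions are deliberately line based: a multi-line rule written with backslash continuations would need the file reassembled into logical rules first, which the VRT snapshot layout does not require.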

    Having said all of this, please download, test and post any bugs/issues that you find on the Google Code page for pulledpork, or catch me in #snort on freenode.

    And now, the gratuitous screenshot ;-)


    Cheers,
    JJC

    Monday, June 1, 2009

    PulledPork Checkin

    Quick update today with big enhancements coming this week in the bbq pulledpork arena! (hopefully).

    This past Friday I checked in some code for PulledPork that lets it handle the md5 file from the snort.org servers regardless of the format of its contents. We won't be foiled again ;-)

    Get your great tasting pulledpork here => http://code.google.com/p/pulledpork

    Cheers,
    JJC

    Tuesday, May 26, 2009

    Baconator Renamed => Pulled_Pork

    So, for some "mostly obvious reasons" I have renamed the Baconator project to Pulled_Pork. This was for a variety of reasons and if you really want to know I'll explain it. Just drop by #snort on freenode. Suffice it to say that this new name is more fitting. Please also note that the Google Code location has changed from /p/baconator to /p/pulledpork. I did note on the baconator page that this change has occurred.

    The new location => http://code.google.com/p/pulledpork/

    As always, thanks for the support and please fetch the latest version to do some testing for me!

    Cheers,
    JJC

    Tuesday, April 21, 2009

    Baconator - Shared Object Snort Rule Management!

    Recently while taking a plane ride from one lovely airport to another and doing some snort shared object rule development, I realized that I did not have a clean and easy way of fetching the latest snort rule tarball.

    Don't get me wrong and misinterpret this post, I love Oinkmaster and have been a user of it for many a year!

    Now, having said that... Oinkmaster does have its shortcomings (for me anyway), not the least of which is the fact that it currently does NOT handle shared object rules. With the release of Snort 2.8.4 and its awesome new dcerpc2 preprocessor, the use of so_rules will most likely become much more prevalent, and with threats like Conficker and its variants out there, I needed a way to handle this.

    I did consider modifying Oinkmaster to fit my needs, but when I started writing the code at 30,000 feet... I didn't have the Oinkmaster codebase with me.

    As a direct result of this thought and the lack of codebase on the plane... I started Baconator. Baconator is a Snort rule management tool that also handles so_rules, the creation of stub files from said so_rules, complete file validation (via MD5) against current VRT releases. It also does much more... or, will anyway.

    I'll be posting more about Baconator as I complete the code. For now, if you want to try it out (it's not yet complete) you can checkout the code from the svn repo at http://code.google.com/p/baconator/.

    The current code will fetch the latest ruleset from snort.org (ultimately I'll probably build in the functionality to fetch from ET). If you have an existing copy of the rules tarball from snort.org, it will fetch the latest rule tarball md5 from snort.org and compare, so that it doesn't re-fetch the same tarball again. It then performs the various extraction routines as defined in the conf file or at runtime and puts the files where you tell it to... the rules files, that is!
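    The md5 comparison described here, and the "any format of md5 file" handling from the June 1 checkin post above, are the same small problem: pull the digest out of whatever layout the server publishes, hash the local tarball, and only download when they differ. This added Python example (my illustration, not Baconator's or PulledPork's own code) does that for three layouts a .md5 file commonly comes in, a bare digest, the coreutils "digest  filename" form, and the BSD "MD5 (filename) = digest" form; the tarball bytes and file name in the demo are constructed placeholders.

```python
import hashlib
import os
import re
import tempfile

# A 32-hex-digit run is the digest whatever surrounds it, so one pattern covers
# bare, coreutils-style and BSD-style md5 files (case-insensitive).
HEX32_RE = re.compile(r"\b([0-9a-fA-F]{32})\b")


def parse_md5_file(contents):
    """Return the lowercase md5 digest found in a .md5 file's text, or None if there is none."""
    m = HEX32_RE.search(contents)
    return m.group(1).lower() if m else None


def file_md5(path):
    """Hex md5 of a file, read in chunks so large tarballs do not go through memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def need_fetch(local_tarball, remote_md5_contents):
    """True when the tarball must be (re)downloaded: it is missing locally or its md5
    differs from the published one. A md5 file without a digest is an error, not a
    silent 'no change', so a broken download of the .md5 file cannot mask an update."""
    remote = parse_md5_file(remote_md5_contents)
    if remote is None:
        raise ValueError("no md5 digest found in md5 file contents")
    if not os.path.exists(local_tarball):
        return True
    return file_md5(local_tarball) != remote


def demo():
    """Constructed end-to-end run; returns a dict of need_fetch() results per md5 layout."""
    with tempfile.TemporaryDirectory() as d:
        name = "snortrules-snapshot-PLACEHOLDER.tar.gz"  # placeholder file name
        tarball = os.path.join(d, name)
        with open(tarball, "wb") as f:
            f.write(b"constructed tarball bytes, not a real ruleset\n")
        digest = file_md5(tarball)
        layouts = {
            "bare": f"{digest}\n",
            "coreutils": f"{digest}  {name}\n",
            "bsd": f"MD5 ({name}) = {digest.upper()}\n",
        }
        results = {layout: need_fetch(tarball, text) for layout, text in layouts.items()}
        # Published digest changed: the local copy is stale and must be fetched.
        results["changed"] = need_fetch(tarball, "0" * 32 + "\n")
        # No local copy at all: always fetch.
        results["missing"] = need_fetch(os.path.join(d, "absent.tar.gz"), layouts["bare"])
        return results


if __name__ == "__main__":
    for layout, fetch in demo().items():
        print(f"{layout:>10}: {'fetch' if fetch else 'up to date'}")
```

Note that this check only detects whether the published tarball changed; the md5 comes from the same server as the tarball, so it is a freshness check, not an integrity or authenticity check against a tampered mirror.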

    More info can be found on the google code page for Baconator. I'll also be updating that site regularly with updates to the timeline, current svn etc...

    Cheers,
    JJC