
Monday, March 28, 2011

PulledPork 0.6.0 the Smoking Pig, He's on Fire!

It has been some time since I posted anything at all, I had considered adding "relevant".  But that's simply not true, since it's been dead air for a while.

Having said this, I am pleased to announce PulledPork V 0.6.0 - the Smoking Pig is finally released as of, well, right now!

This version represents a decent amount of time spent improving the core of the tool to enhance speed, a large number of feature enhancements, and also a not insignificant number of bugfixes!  A few quick notes before I copy and paste the changelog notes: if you change rule state by category in the drop|enable|disable config files, you will now need to prepend the category that you want to modify with ET- or VRT- (based on where the rules came from).  Another item of note is that multiple rulesets are now fully supported, so there is no need to run two or more instances of PulledPork.  Last but certainly not least is the capability to ignore source files on a more granular level (plaintext, preproc, shared object or global).

One more big feature enhancement that I would like to point out, is the capability to create a backup/archive of your existing rules files / config files / whatever else you want!  kthx, moving on...

Please be sure to read through the documentation THOROUGHLY, a couple of the above noted changes could affect your implementation and I don't want you to be terribly shocked by that.  Plus, the things that you will need to update are trivial!

The new PulledPork can be downloaded at the following location:
http://pulledpork.googlecode.com/files/pulledpork-0.6.0.tar.gz
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29
Without further rambling on my part, the changelog notes:

v0.6.0 the Smoking Pig

New Features / changes:
  • Added -q command line switch to squelch everything except fatal errors
  • Code clean up for readability
  • Move debug output to allow for better debugging of actual variable values
  • Update config to allow for ssl from ET
  • Update config to allow for new snort rules gzip
  • Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).
  • Bug #50 - You can now create backups and archives of your existing config and rules files etc...
    • This adds the PM requirement of File::Find
  • Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)
  • Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files
  • Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.
  • Bug #63 - added sid MSG information to changelog output.
  • Added -k and -K options to allow for the writing of the original source file rather than one large output file.
  • Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for parallel ruleset operations.  This also provides more granularity in that scenario, wherein the user can set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.
  • Added support for 500 errors, specifying that users should update their root cert store!
Bug Fixes:
  • Bug #39 - updated to allow for use of username:pass@proxy.url
  • Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified
  • Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded
  • Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)
  • Bug #46 - throw error if a config file that is specified does not exist
  • Bug #42 - Added OpenSUSE-11-3 to list
  • Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...
  • Bug #51 - Increased timeout value to 60 seconds
  • Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flowbits values to incorrectly be auto-enabled.
  • Bug #61 - Fixed so that .so rules are not touched!
  • Bug #67 - Fixed regex to allow for space between ( and msg.
  • Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing
  • Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.
  • Bug #62 - Added check for amd64 string during arch detection!

Special Notes:
  • Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user.  And frankly, I don't understand it ;-)
  • Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!
That should just about cover it for now, as always, I want to also thank the community for their support and feedback!  If you have any questions, comments, concerns, or otherwise then please feel free to hit me up in #snort or #pulledpork on freenode.  You are also always welcome and encouraged to join the mailing list that can be found at http://groups.google.com/group/pulledpork-users/.  And of course you can also submit feedback / bugs / feature requests at http://pulledpork.googlecode.com.

Regards,
JJC

    Wednesday, July 15, 2009

    Snorby for Snort, a Recipe with Barnyard2 and Unified2

    Snorby, an all new frontend (yes, it's still Beta) for snort has recently emerged. As such I decided that I would take a look and give my thoughts as well as a quick recipe to get it running fairly quickly using barnyard2. During my testing of Snorby, I talked with the creator (mephux) about his plans for Snorby and also worked through a couple of bugs, that he jumped on right away.

    Note: This posting details how to get Snorby working with apache and passenger, NOT Webrick.. if you want that please read the details of how to do so at the Snorby site.

    Recipe Components:
    • FreeBSD 8.0R
    • apache22
    • ruby-gems
    • ruby-iconv
    • prawn (gem)
    • rake (gem)
    • mysql (gem)
    • rails (gem)
    • passenger (formerly modrails)
    • mysql
    • snort
    • barnyard2
    • git
    Ok, let's get the dependencies and such out of the way. I am making several assumptions in writing this... the least of which is that you know how to use google if you can't figure something out... also that you already have the base of some of these items installed (ala, FreeBSD, apache, snort). If not, I have previous posts that discuss the setup of said items, and I am again going to drop the google bomb!

    We need ruby-gems to get passenger running and ultimately Snorby:
    $ cd /usr/ports/devel/git/ && sudo make install clean
    ...I deselect all of the options, I just want regular old git for this exercise
    ...output suppressed
    $ cd /usr/ports/devel/ruby-gems/ && sudo make install clean
    ...output suppressed
    $ sudo gem install prawn --no-rdoc --no-ri
    ...output suppressed
    $ sudo gem install rake --no-rdoc --no-ri
    ...output suppressed
    $ sudo gem install rails --no-rdoc --no-ri
    ...output suppressed
    $ sudo gem install mysql --no-rdoc --no-ri
    ...output suppressed
    $ sudo gem install passenger --no-rdoc --no-ri
    ...output suppressed
    $ sudo passenger-install-apache2-module
    ...run through the setup and perform the steps that are noted to activate the passenger capabilities with apache.. ala vi httpd.conf and add the 3 lines that you are told to.
    $ cd /usr/local/www/ && sudo git clone git://github.com/mephux/Snorby.git
    ...output suppressed
    $ cd /usr/ports/converters/ruby-iconv && sudo make install clean

    At this point you are ready to modify your database and email configuration for Snorby. If you have not done so, you should create a snort database (I have called mine snort and created a user "snorby" with password "snorby".. ok that's not really the password but for this writeup it is!). This user has full access (not grant) to the snort database. I have also created the appropriate tables in this database using the create_mysql sql that is included in both Snorby and Snort!
    $ sudo cp /usr/local/www/Snorby/config/database.yml.example /usr/local/www/Snorby/config/database.yml
    $ sudo cp /usr/local/www/Snorby/config/email.yml.example /usr/local/www/Snorby/config/email.yml

    Now choose your preferred editor and modify the /usr/local/www/Snorby/config/database.yml file.. we are only concerned with the production info... you can also modify the email.yml but don't have to for our current purposes.

    Install additional gem requirements and setup Snorby to run!
    $ cd /usr/local/www/Snorby && sudo rake gems:install
    ...output suppressed
    $ cd /usr/local/www/Snorby && sudo rake snorby:setup RAILS_ENV=production
    ...output suppressed

    At this point you are ready to tell apache all about Snorby, so lets modify our vhost or apache config again. Simply add the following under the vhost of your choice, you need to be sure that RewriteEngine On and RewriteOptions inherit are specified in this vhost (or in scope of your config):
    DocumentRoot /usr/local/www/Snorby/public

    RailsBaseURI /

    <Directory "/usr/local/www/Snorby/public">
    AllowOverride All
    Order deny,allow
    Allow from all
    </Directory>

    Once this is complete, restart apache and you will get the login for Snorby when you browse to that vhost. The default username is snorby and password is admin.

    We are now ready to modify our snort config to output unified2, modify your snort.conf and comment out your old output plugins or simply replace them with the following:
    output unified2: filename snortunified2.log, limit 128

    Note that unified2 contains all log and alert data, so you no longer need two files! And now it's time for barnyard2. Go ahead and fetch the latest version from securixlive.com and configure with the "--with-mysql" option. Once that is done copy the barnyard2.conf to /usr/local/etc/snort/ and let's go ahead and edit that file, putting in the mysql information that you used with Snorby earlier and making sure that we have our input specified as unified2. You should go through and make sure that all of the paths to the map and ref files are specified correctly. Once that's done, you are ready to fire it up!
    sudo barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort -f snortunified2.log -w /var/log/snort/barnyard2.waldo -D
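    The two easy ways to end up with an empty Snorby are a snort.conf whose unified2 filename does not match the -f argument given to barnyard2, and a barnyard2.conf that never declares the unified2 input plugin. The following POSIX sh script is an added example, not part of the original post or of snort/barnyard2, that checks both before the daemon is started; the config files it writes are constructed samples, and the -f value is taken from the command above.

```shell
#!/bin/sh
# Added example: pre-flight consistency check for the snort -> unified2 -> barnyard2
# pipeline described in the recipe.  Nothing here is shipped with snort or barnyard2.

# Print the base filename from the first "output unified2:" line in a snort.conf.
# snort appends a timestamp to this name; barnyard2 -f expects the same base name.
unified2_filename() {
    sed -n 's/^[[:space:]]*output[[:space:]]*unified2:[[:space:]]*filename[[:space:]]*\([^,[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if barnyard2.conf declares the unified2 input plugin ("input unified2").
barnyard2_reads_unified2() {
    grep -q '^[[:space:]]*input[[:space:]]*unified2' "$1"
}

# check_pipeline <snort.conf> <barnyard2.conf> <value passed to barnyard2 -f>
# Returns 0 when snort's output filename, barnyard2's input plugin and the
# -f argument all agree; prints the first mismatch found and returns 1 otherwise.
check_pipeline() {
    snort_conf=$1; by2_conf=$2; by2_file=$3
    fname=$(unified2_filename "$snort_conf")
    if [ -z "$fname" ]; then
        echo "no 'output unified2' plugin found in $snort_conf"
        return 1
    fi
    if ! barnyard2_reads_unified2 "$by2_conf"; then
        echo "no 'input unified2' line found in $by2_conf"
        return 1
    fi
    if [ "$fname" != "$by2_file" ]; then
        echo "snort writes '$fname' but barnyard2 -f was given '$by2_file'"
        return 1
    fi
    return 0
}

# Write constructed sample configs into a scratch directory and print the verdict.
# (Sample content only; not a copy of any real snort.conf or barnyard2.conf.)
demo_check() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '# constructed snort.conf fragment' \
        'output unified2: filename snortunified2.log, limit 128' > "$tmp/snort.conf"
    printf '%s\n' '# constructed barnyard2.conf fragment' \
        'input unified2' 'output database: log, mysql, user=snorby dbname=snort host=localhost' \
        > "$tmp/barnyard2.conf"
    if check_pipeline "$tmp/snort.conf" "$tmp/barnyard2.conf" snortunified2.log; then
        echo "ok: safe to run barnyard2 -f snortunified2.log"
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo_check
```

    Run it once with the real /usr/local/etc/snort/snort.conf and barnyard2.conf as arguments to check_pipeline, passing the same -f value you intend to give barnyard2; a non-zero exit means barnyard2 would start cleanly but never see a single event.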

    You should now be receiving events in the snort mysql database and seeing them in Snorby.

    Please note that there are a number of security considerations that I did not take into account (such as running all this stuff as root), so please take that into consideration.

    Overall, I give Snorby a good rating, it certainly has lots of eye candy at this point. Mephux promises that much of the functionality that everyone wants is coming shortly... I would say that Snorby has a good start and promises to be a decent usable frontend for viewing snort events. Is it a sguil, certainly not... but it does look like it will be a decent alternative to BASE.

    Cheers,
    JJC