Tuesday, April 21, 2009

Baconator - Shared Object Snort Rule Management!

Recently while taking a plane ride from one lovely airport to another and doing some snort shared object rule development, I realized that I did not have a clean and easy way of fetching the latest snort rule tarball.

Don't get me wrong and misinterpret this post: I love Oinkmaster and have been a user of it for many a year!

Now, having said that... Oinkmaster does have its shortcomings (for me anyway), not the least of which is the fact that it currently does NOT handle shared object rules. With the release of Snort 2.8.4 and its awesome new dcerpc2 preprocessor... the use of so_rules will most likely be much more prevalent... and as such, with threats like Conficker and its variants out there, I needed a way to handle this.

I did consider modifying Oinkmaster to fit my needs, but when I started writing the code at 30,000 feet... I didn't have the Oinkmaster codebase with me.

As a direct result of this thought and the lack of codebase on the plane... I started Baconator. Baconator is a Snort rule management tool that also handles so_rules, the creation of stub files from said so_rules, and complete file validation (via MD5) against current VRT releases. It also does much more... or, will anyway.

I'll be posting more about Baconator as I complete the code. For now, if you want to try it out (it's not yet complete) you can check out the code from the svn repo at http://code.google.com/p/baconator/.

The current code will fetch the latest ruleset from snort.org (ultimately I'll probably build in the functionality to fetch from ET as well). If you have an existing copy of the rules tarball from snort.org, it will fetch the latest rule tarball md5 from snort.org and compare, so that it doesn't re-fetch the same tarball again. It then performs the various extraction routines as defined in the conf file or at runtime and puts the files where you tell it to... the rules files, that is!
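The fetch-once-then-extract flow described above, as an added Python example (this is not Baconator's own code): it compares a local tarball against an md5sum-style digest line, skips the fetch when they match, and places the rules and so_rules trees into configured directories while refusing archive members that would escape them. The sample tarball, its member names and the destination layout are constructed for the demo; note that the MD5 comparison only tells you whether the tarball changed, not whether it is authentic.

```python
import hashlib, io, os, tarfile, tempfile

def md5_of_file(path, chunk=1 << 20):
    """Hash in chunks so a large rule tarball is never read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_md5_file(text):
    """Pull the hex digest out of an md5sum-style 'digest  filename' line."""
    return text.strip().splitlines()[0].split()[0].lower()

def tarball_is_current(local_tarball, published_md5_text):
    """Freshness check only (not authenticity): True when the on-disk tarball matches the digest."""
    return os.path.isfile(local_tarball) and md5_of_file(local_tarball) == parse_md5_file(published_md5_text)

def extract_rules(tarball, dest_dirs):
    """Place regular files from the top-level dirs named in dest_dirs (e.g. 'rules',
    'so_rules') under the configured destination; members containing '..' are refused."""
    placed = []
    with tarfile.open(tarball, "r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if not m.isfile() or parts[0] not in dest_dirs or ".." in parts:
                continue
            target = os.path.join(dest_dirs[parts[0]], *parts[1:])
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(m) as src, open(target, "wb") as dst:
                dst.write(src.read())
            placed.append(m.name)
    return placed

def demo():
    """Constructed sample tarball (not a real VRT release) exercising both checks."""
    with tempfile.TemporaryDirectory() as work:
        tarball = os.path.join(work, "rules-sample.tar.gz")
        with tarfile.open(tarball, "w:gz") as tar:
            for name, body in [("rules/netbios.rules", b"# constructed rule\n"),
                               ("so_rules/precompiled/dcerpc.so", b"\x7fELF"),
                               ("etc/snort.conf", b"# not a rule\n"),
                               ("rules/../../escape.rules", b"# traversal attempt\n")]:
                info = tarfile.TarInfo(name); info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
        published = md5_of_file(tarball) + "  rules-sample.tar.gz\n"
        placed = extract_rules(tarball, {"rules": os.path.join(work, "rules"),
                                         "so_rules": os.path.join(work, "so_rules")})
        return (tarball_is_current(tarball, published),
                tarball_is_current(tarball, "0" * 32 + "  rules-sample.tar.gz\n"), placed)
```

demo() returns (True, False, [...]): the matching digest skips the fetch, the stale digest would trigger one, and only the two rule-tree members are placed.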

More info can be found on the Google Code page for Baconator. I'll also be updating that site regularly with updates to the timeline, current svn etc...

Cheers,
JJC

Tuesday, April 7, 2009

Can Haz Snort 2.8.4!

With the new release of snort 2.8.4 you will need to upgrade immediately from whatever version you are on. If you do not upgrade, your sensorfail will be epic when you try to run any updated rules. This is due to the new DCERPC preprocessor and all new rules being built to use this new functionality.

Snort 2.8.4 is now available on snort.org, at http://www.snort.org/dl/

Snort 2.8.4 introduces:

- A revised DCE/RPC preprocessor with more rule options

With the new DCE/RPC preprocessor, there will be a number of updates to the rules. Please be sure to update your rules to the latest when that package is available (next few days).

- Support for IPv6 in Frag3 and all application preprocessors

- Improved target-based support in preprocessors

- Option to automatically pre-filter traffic that is not inspected in order to improve performance

- Several other improvements and fixes

Please see the release notes and changelog for more details.

Cheers,
JJC

Sunday, April 5, 2009

Snort 3.0 Beta 3!
This last Thursday, Martin Roesch published a new blog entry discussing the Snort 3.0 architecture, the testing that has been conducted so far and the testing that has yet to be done. Definitely a good read and an example of how software should be optimized and developed to work with current architectures and feature-sets!

Find this here: http://securitysauce.blogspot.com/2009/04/snort-30-beta-3-released.html

Cheers,
JJC