Wednesday, December 8, 2010

Snort on FreeBSD i386 the easy way!

This is a quick posting to help you get Snort 2.9.0.x up and running on your FreeBSD!

I can't make it much easier than this: I have created new ports for Snort and DAQ 0.4 (and subsequently packages) that you can install directly.  The ports have been submitted, so look for the following in your ports tree:

updated: /usr/ports/security/snort
new: /usr/ports/security/daq

Components required:
  • Fresh FreeBSD Install
    • Minimal (i386)
  • Access to the internet from said BSD boxen
  • Basic knowledge of Snort

Once you have the above handled, you can issue the following command:
$ pkg_add -r

Output from the command on a freshly installed FreeBSD Minimal system:
$ pkg_add -r
Fetching Done.
Fetching Done.
Fetching Done.
Fetching Done.

Some checksums for your reviewing pleasure:
  • MD5 (daq-0.4.tbz) = 249d2d79fc03eb2d4e2e133da505d146
  • MD5 (libdnet-1.11_3.tbz) = b861399b4710825419240a6443ec0eb9
  • MD5 (libpcap-1.1.1.tbz) = 678ec713419066c884ceda82ebcfe66f
  • MD5 (pcre-8.10.tbz) = 03cc8232b4ea9ecb968eb67211246f20

  • SHA256 (daq-0.4.tbz) = f8e60e09c0ab4acc1726f180b2e9d58c7f557b4736a3e53e137d8cb186d71984
  • SHA256 (libdnet-1.11_3.tbz) = 92f731313eea3867ab36ad789d938a66b83dda282e293a5a3d830f138c56b6f1
  • SHA256 (libpcap-1.1.1.tbz) = fe7991735055bb92bc38a2550d6428200eb7491e0152fa59d75db1569918c4a4
  • SHA256 (pcre-8.10.tbz) = e9517918174e4b569d9b4d1b3c902db529e0c3bd67a4a4ae7f1b830aac66e7b1
The above packages were built with the following configuration options: --enable-dynamicplugin --enable-flexresp3 --enable-ipv6 --enable-gre --enable-targetbased --enable-decoder-preprocessor-rules --enable-zlib --enable-reload --enable-active-response --enable-normalizer --enable-react --enable-perfprofiling
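A check worth doing before pkg_add installs anything from those files: compare the fetched packages against the digest lines listed above. The following Python script is an added example (not code from this post or from the FreeBSD ports). It parses BSD-style "MD5 (file) = hex" / "SHA256 (file) = hex" lines exactly as printed above, hashes the files on disk, and requires the SHA256 line to match (MD5 is only kept as a secondary check). The constructed.tbz file and its digests in selftest() are constructed for the example.

```python
import hashlib
import os
import re
import tempfile

# BSD-style digest lines, as printed by md5(1)/sha256(1) on FreeBSD and as
# listed in the post: "ALG (filename) = hexdigest". A leading bullet is tolerated.
DIGEST_LINE = re.compile(
    r'^(?P<alg>MD5|SHA256)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9A-Fa-f]+)\s*$')


def parse_digest_lines(text):
    """Return {(alg, filename): hexdigest}; other lines (prose, blanks) are skipped."""
    expected = {}
    for raw in text.splitlines():
        m = DIGEST_LINE.match(raw.strip().lstrip("•").strip())
        if m:
            expected[(m.group("alg").lower(), m.group("name"))] = m.group("hex").lower()
    return expected


def file_digest(path, alg):
    """Hash a file in chunks so a large package tarball need not fit in memory."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected, name=None):
    """Compare a downloaded package with the listed digests.

    Returns (ok, details); details maps each algorithm to 'ok', 'MISMATCH' or
    'not listed'. A matching SHA256 is required for ok; MD5 alone is not a
    trustworthy integrity check, so it only counts against the file on mismatch.
    """
    name = name or os.path.basename(path)
    details = {}
    for alg in ("md5", "sha256"):
        want = expected.get((alg, name))
        if want is None:
            details[alg] = "not listed"
        else:
            details[alg] = "ok" if file_digest(path, alg) == want else "MISMATCH"
    ok = details["sha256"] == "ok" and details["md5"] != "MISMATCH"
    return ok, details


def selftest():
    """Constructed check: a file holding the bytes 'hello' plus newline and its
    known digests, then the same file with extra bytes appended."""
    listing = """\
  • MD5 (constructed.tbz) = b1946ac92492d2347c6235b4d2611184
  • SHA256 (constructed.tbz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
"""
    expected = parse_digest_lines(listing)
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "constructed.tbz")
        with open(p, "wb") as f:
            f.write(b"hello\n")
        intact = verify_package(p, expected)
        with open(p, "ab") as f:
            f.write(b"tampered")
        altered = verify_package(p, expected)
    return intact, altered


if __name__ == "__main__":
    for label, (ok, details) in zip(("intact", "altered"), selftest()):
        print(label, "OK" if ok else "FAILED", details)
```

To use it on the real packages, paste the digest lines from the post into a file, call parse_digest_lines() on its contents and verify_package() on each downloaded .tbz; anything other than ok for SHA256 means the file should not be installed.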

I will likely be updating the ports / packages, so keep an eye out!


Thursday, October 21, 2010

Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

This release of PulledPork (The Drowning Rat) represents quite a bit of development, including a number of community-requested capabilities, a few changed behaviours, and bug repairs!  Again, I would like to thank the community for their support, contribution and use of the PulledPork Snort rule management system.  The next section is an excerpt from the README.CHANGES; below that I discuss some example use-cases and include some sample output.

PulledPork Changelog


New Features / changes:
- Automatic VRT tarball name determination (based on local Snort Version)
- Full support for ET Pro rulesets
- Full support for new ET Download scheme
- Issue #27 Modifysid capability
- Capability to retrieve multiple rulesets in a single run
- Issue #24 Added verbose output showing all requests, results and urls
- Verbose output now shows percentage bar for downloads
- Extra Verbose output now shows additional HTTP debug!
- Set value in default.conf file to https for VRT downloads
- Set UA Value to (PulledPork/X.X.X)
- Capability to log critical information to syslog
- Grabonly option, for those that only want to download the tarball(s)
- Issue #34 Added the capability to specify the order of disable / enable / drop
    using the state_order configuration option in the master config file
- Added a contrib directory
- Added to contrib directory
    * converts oinkmaster config files to PP config files
    * Thx Russell Fulton!
- Added README.CONTRIB to track contrib files (ohai manifest)
- Perl Module Requirement Changes (SEE SECTION BELOW)
- Issue #38 Added capability to extract reference docs from tarball and
    store in a defined path, NOTE this dramatically increases PP runtime
    * runtime value is -r

Bug Fixes:
- Should now correctly use environmentally set proxy settings
    * Shout to pkthound for his work and contribution here!
- Fixed case where rules with multiple flowbit (un)?set values would not
    properly populate all of the flowbit values into the rules hash
- Bug #29 - fixed to allow for proper generation
- Bug #28 - fixed numerous spellification issues
- Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case

Perl Module Requirement Changes:
- LWP::Simple no longer required
- LWP::UserAgent now required
- HTTP::Request now required
- HTTP::Status now required
- SYS::Syslog now required
- Crypt::SSLeay now required
- Carp now required

As you can see, and as I had indicated, there are a number of significant improvements and fixes.  It is important to note that there are a number of changes to the master config, including new and changed options, plus the addition of the modifysid.conf file that allows you to modify rules based on regular expression matches etc...

Of course we also now fully support (ET Pro and the new ET open) rules and the capability to download multiple rulesets in a single run, rather than multiple config files referencing other .rules files as local rules etc...

One other seemingly insignificant change is the capability to change the order in which the rule modification routines run, which means that you can control rule state more granularly.  The default processing order is (enable, drop, disable).  This can now be changed to allow, for example, disabling all rules in a specific category (or however you would select them) and then selectively enabling rules out of that category, simply by changing the run order to disable,drop,enable.  Of course combining this with the pcre, category, modifysid etc.. capabilities gives you quite a bit of versatility.

So, without further ado, I give you:
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.5.0 The Drowning Rat
     .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
  @_/        /  66\_
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\

Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
    They Match
Prepping rules from snortrules-snapshot-2861.tar.gz for work....
Checking latest MD5 for etpro.rules.tar.gz....
    They Match
Prepping rules from etpro.rules.tar.gz for work....
Checking latest MD5 for emerging.rules.tar.gz....
    They Match
Prepping rules from emerging.rules.tar.gz for work....
Reading rules...
Reading rules...
Activating security rulesets....
Setting Flowbit State....
    Enabled 264 flowbits
    Enabled 29 flowbits
    Enabled 4 flowbits
    Enabled 2 flowbits
Writing /home/jj/snort.rules....
Writing /home/jj/
Writing /home/jj/sid_changes.log....
Rule Stats....
    Enabled Rules:----4506
    Dropped Rules:----0
    Disabled Rules:---17797
    Total Rules:------22303
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Bah, Paste chopped my flying pig up ;-)

Get it here:
pulledpork-0.5.0.tar.gz latest hashes:
MD5SUM = 60c0abe78945876c643760b3bb2afdb6
SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872


Monday, October 4, 2010

Snort 2.9.0 is teh outed, must haz bakon!!

Snort 2.9.0 introduces:
  • Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
  • Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.
  • Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
  • A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
  • Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
  • Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
  • Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
  • Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
  • Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology:
  • Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.
Snort 2.9.0 is now available at Please see the Release Notes and ChangeLog for more details.

Wednesday, September 8, 2010

The Pig Doktah is Born! - A Snort Performance Monitor Interpretation Tool

After receiving a variety of feedback via email, irc, twitter and even some comments on this blog, I have decided to start an updated and maintained project to parse, display, and ultimately make configuration / tuning suggestions based on the snort performance monitor output.  As you may have guessed by now, this tool is called the Pig Doktah and can be found at  The current version reads snort performance monitor output and stores it in a hash for quick access, sorting etc...

I am still quite interested in which specific metrics people are most interested in, so please don't hesitate to hit me up via comment on this blog, irc (freenode - #snort), email, or twitter.

During the development, and for the foreseeable future, I will have the latest version of the code sending output to this location on an hourly basis:

Sample output:
-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
    Processed: /var/tmp/snortstat
    First Entry: Wed Sep  1 11:34:05 2010
    Last Entry: Wed Sep  8 09:00:17 2010
    Time Span: 6 days, 21 hours, 26 minutes and 12 seconds

    High: 10.613 Mbits/Sec | Sat Sep  4 07:59:48 2010
    Low: 0.006 Mbits/Sec | Sat Sep  4 07:12:47 2010
    Avg: 1.953 Mbits/Sec
% Packet Loss:
    High: 10.504% | Sat Sep  4 03:00:00 2010
    Low: 0.000% | Wed Sep  8 08:41:27 2010
    Avg: 1.002%

Additional Info:
    Avg Pkt Size: 803.413 bytes
    Avg Syns/Sec: 0.181
    Avg SynAcks/Sec: 0.124
    Avg Alerts/Sec: 0.001
    Avg Current Cached Sessions: 6671.668

Raw Values:
     alerts avg = 0.001
     alerts high = 0.032
     alerts high_date = Wed Sep  1 12:32:57 2010
     alerts low = 0.000
     alerts low_date = Wed Sep  8 09:00:17 2010
     attrib_hosts_current avg = 0.000
     attrib_hosts_current high = 0.000
     attrib_hosts_current high_date = Wed Sep  8 09:00:17 2010
     attrib_hosts_current low = 0.000
     attrib_hosts_current low_date = Wed Sep  8 09:00:17 2010
     attrib_reloads avg = 0.000
     attrib_reloads high = 0
     attrib_reloads high_date = Wed Sep  8 09:00:17 2010
     attrib_reloads low = 0
     attrib_reloads low_date = Wed Sep  8 09:00:17 2010
     bytes_applayer avg = 0.252
     bytes_applayer high = 1.352
     bytes_applayer high_date = Sat Sep  4 07:59:48 2010
     bytes_applayer low = 0.006
     bytes_applayer low_date = Tue Sep  7 09:13:56 2010
     bytes_ipfrag avg = 0.000
     bytes_ipfrag high = 0
     bytes_ipfrag high_date = Wed Sep  8 09:00:17 2010
     bytes_ipfrag low = 0
     bytes_ipfrag low_date = Wed Sep  8 09:00:17 2010
     bytes_ipreass avg = 2279.291
     bytes_ipreass high = 3660
     bytes_ipreass high_date = Thu Sep  2 13:47:36 2010
     bytes_ipreass low = 368
     bytes_ipreass low_date = Thu Sep  2 10:22:15 2010
     bytes_tcprebuilt avg = 892.669
     bytes_tcprebuilt high = 1458
     bytes_tcprebuilt high_date = Sun Sep  5 15:19:06 2010
     bytes_tcprebuilt low = 136
     bytes_tcprebuilt low_date = Sat Sep  4 00:58:27 2010
     cpu1_idle avg = 95.767
     cpu1_idle high = 99.977
     cpu1_idle high_date = Sat Sep  4 00:58:27 2010
     cpu1_idle low = 69.943
     cpu1_idle low_date = Tue Sep  7 06:20:11 2010
     cpu1_sys avg = 0.051
     cpu1_sys high = 0.287
     cpu1_sys high_date = Sat Sep  4 07:59:48 2010
     cpu1_sys low = 0.000
     cpu1_sys low_date = Wed Sep  8 08:07:19 2010
     cpu1_user avg = 4.183
     cpu1_user high = 29.860
     cpu1_user high_date = Tue Sep  7 06:20:11 2010
     cpu1_user low = 0.023
     cpu1_user low_date = Sat Sep  4 00:58:27 2010
     cpu_count avg = 1.000
     cpu_count high = 1
     cpu_count high_date = Wed Sep  8 09:00:17 2010
     cpu_count low = 1
     cpu_count low_date = Wed Sep  8 09:00:17 2010
     drops avg = 1.002
     drops high = 10.504
     drops high_date = Sat Sep  4 03:00:00 2010
     drops low = 0.000
     drops low_date = Wed Sep  8 08:41:27 2010
     filtered_tcp avg = 3790.598
     filtered_tcp high = 45608
     filtered_tcp high_date = Tue Sep  7 09:24:12 2010
     filtered_tcp low = 85
     filtered_tcp low_date = Wed Sep  1 11:50:25 2010
     filtered_udp avg = 3790.598
     filtered_udp high = 45608
     filtered_udp high_date = Tue Sep  7 09:24:12 2010
     filtered_udp low = 85
     filtered_udp low_date = Wed Sep  1 11:50:25 2010
     frag_auto avg = 0.000
     frag_auto high = 0.000
     frag_auto high_date = Wed Sep  8 09:00:17 2010
     frag_auto low = 0.000
     frag_auto low_date = Wed Sep  8 09:00:17 2010
     frag_complete avg = 0.000
     frag_complete high = 0.000
     frag_complete high_date = Wed Sep  8 09:00:17 2010
     frag_complete low = 0.000
     frag_complete low_date = Wed Sep  8 09:00:17 2010
     frag_current avg = 0.000
     frag_current high = 0
     frag_current high_date = Wed Sep  8 09:00:17 2010
     frag_current low = 0
     frag_current low_date = Wed Sep  8 09:00:17 2010
     frag_delete avg = 0.000
     frag_delete high = 0.000
     frag_delete high_date = Wed Sep  8 09:00:17 2010
     frag_delete low = 0.000
     frag_delete low_date = Wed Sep  8 09:00:17 2010
     frag_faults avg = 0.000
     frag_faults high = 0
     frag_faults high_date = Wed Sep  8 09:00:17 2010
     frag_faults low = 0
     frag_faults low_date = Wed Sep  8 09:00:17 2010
     frag_flushes avg = 0.000
     frag_flushes high = 0.000
     frag_flushes high_date = Wed Sep  8 09:00:17 2010
     frag_flushes low = 0.000
     frag_flushes low_date = Wed Sep  8 09:00:17 2010
     frag_insert avg = 0.000
     frag_insert high = 0.000
     frag_insert high_date = Wed Sep  8 09:00:17 2010
     frag_insert low = 0.000
     frag_insert low_date = Wed Sep  8 09:00:17 2010
     frag_max avg = 0.000
     frag_max high = 0
     frag_max high_date = Wed Sep  8 09:00:17 2010
     frag_max low = 0
     frag_max low_date = Wed Sep  8 09:00:17 2010
     frag_new avg = 0.000
     frag_new high = 0.000
     frag_new high_date = Wed Sep  8 09:00:17 2010
     frag_new low = 0.000
     frag_new low_date = Wed Sep  8 09:00:17 2010
     frag_timeout avg = 0.000
     frag_timeout high = 0
     frag_timeout high_date = Wed Sep  8 09:00:17 2010
     frag_timeout low = 0
     frag_timeout low_date = Wed Sep  8 09:00:17 2010
     kpkts_applayer avg = 121425.178
     kpkts_applayer high = 444882
     kpkts_applayer high_date = Thu Sep  2 22:42:20 2010
     kpkts_applayer low = 5738
     kpkts_applayer low_date = Wed Sep  1 18:55:09 2010
     kpkts_ipfrag avg = 0.000
     kpkts_ipfrag high = 0.000
     kpkts_ipfrag high_date = Wed Sep  8 09:00:17 2010
     kpkts_ipfrag low = 0.000
     kpkts_ipfrag low_date = Wed Sep  8 09:00:17 2010
     kpkts_ipreass avg = 0.022
     kpkts_ipreass high = 0.366
     kpkts_ipreass high_date = Tue Sep  7 06:20:11 2010
     kpkts_ipreass low = 0.000
     kpkts_ipreass low_date = Wed Sep  8 08:31:29 2010
     kpkts_iptcprebuilt avg = 0.273
     kpkts_iptcprebuilt high = 1.646
     kpkts_iptcprebuilt high_date = Thu Sep  2 22:42:20 2010
     kpkts_iptcprebuilt low = 0.006
     kpkts_iptcprebuilt low_date = Tue Sep  7 09:13:56 2010
     kpkts_wire avg = 0.252
     kpkts_wire high = 1.352
     kpkts_wire high_date = Sat Sep  4 07:59:48 2010
     kpkts_wire low = 0.006
     kpkts_wire low_date = Tue Sep  7 09:13:56 2010
     mbits_applayer avg = 803.413
     mbits_applayer high = 1009
     mbits_applayer high_date = Sat Sep  4 08:09:48 2010
     mbits_applayer low = 120
     mbits_applayer low_date = Mon Sep  6 05:52:07 2010
     mbits_ipfrag avg = 2.434
     mbits_ipfrag high = 17.685
     mbits_ipfrag high_date = Tue Sep  7 06:20:11 2010
     mbits_ipfrag low = 0.007
     mbits_ipfrag low_date = Mon Sep  6 17:12:03 2010
     mbits_ipreass avg = 0.000
     mbits_ipreass high = 0.000
     mbits_ipreass high_date = Wed Sep  8 09:00:17 2010
     mbits_ipreass low = 0.000
     mbits_ipreass low_date = Wed Sep  8 09:00:17 2010
     mbits_tcprebuilt avg = 0.482
     mbits_tcprebuilt high = 8.324
     mbits_tcprebuilt high_date = Tue Sep  7 06:20:11 2010
     mbits_tcprebuilt low = 0.000
     mbits_tcprebuilt low_date = Tue Sep  7 01:11:34 2010
     mbps_snort avg = 0.000
     mbps_snort high = 0
     mbps_snort high_date = Wed Sep  8 09:00:17 2010
     mbps_snort low = 0
     mbps_snort low_date = Wed Sep  8 09:00:17 2010
     mbps_wire avg = 1.953
     mbps_wire high = 10.613
     mbps_wire high_date = Sat Sep  4 07:59:48 2010
     mbps_wire low = 0.006
     mbps_wire low_date = Sat Sep  4 07:12:47 2010
     patmatch avg = 320.575
     patmatch high = 556.312
     patmatch high_date = Sun Sep  5 19:37:37 2010
     patmatch low = 2.946
     patmatch low_date = Wed Sep  8 07:11:52 2010
     pktbytes avg = 803.413
     pktbytes high = 1009
     pktbytes high_date = Sat Sep  4 08:09:48 2010
     pktbytes low = 120
     pktbytes low_date = Mon Sep  6 05:52:07 2010
     pkts_blocked avg = 0.229
     pkts_blocked high = 14.322
     pkts_blocked high_date = Sun Sep  5 20:50:12 2010
     pkts_blocked low = 0.109
     pkts_blocked low_date = Sat Sep  4 01:34:34 2010
     pkts_dropped avg = 0.000
     pkts_dropped high = 0
     pkts_dropped high_date = Wed Sep  8 09:00:17 2010
     pkts_dropped low = 0
     pkts_dropped low_date = Wed Sep  8 09:00:17 2010
     pkts_dropped_percentage avg = 0.172
     pkts_dropped_percentage high = 9.096
     pkts_dropped_percentage high_date = Sun Sep  5 20:50:12 2010
     pkts_dropped_percentage low = 0.003
     pkts_dropped_percentage low_date = Wed Sep  1 11:50:25 2010
     pkts_total avg = 2106.252
     pkts_total high = 38320
     pkts_total high_date = Thu Sep  2 22:42:20 2010
     pkts_total low = 0
     pkts_total low_date = Wed Sep  8 08:41:27 2010
     sessions_close avg = 0.000
     sessions_close high = 0.000
     sessions_close high_date = Wed Sep  8 09:00:17 2010
     sessions_close low = 0.000
     sessions_close low_date = Wed Sep  8 09:00:17 2010
     sessions_closed avg = 1024.846
     sessions_closed high = 2980
     sessions_closed high_date = Mon Sep  6 12:37:55 2010
     sessions_closed low = 2
     sessions_closed low_date = Wed Sep  1 11:34:05 2010
     sessions_cur avg = 6671.668
     sessions_cur high = 8173
     sessions_cur high_date = Sun Sep  5 21:10:31 2010
     sessions_cur low = 51
     sessions_cur low_date = Wed Sep  1 11:34:05 2010
     sessions_del avg = 0.177
     sessions_del high = 3.055
     sessions_del high_date = Mon Sep  6 05:52:07 2010
     sessions_del low = 0.000
     sessions_del low_date = Sun Sep  5 19:53:29 2010
     sessions_dropped avg = 0.001
     sessions_dropped high = 0.006
     sessions_dropped high_date = Wed Sep  1 11:50:25 2010
     sessions_dropped low = 0.000
     sessions_dropped low_date = Wed Sep  8 09:00:17 2010
     sessions_est avg = 0.376
     sessions_est high = 11.686
     sessions_est high_date = Sun Sep  5 20:50:12 2010
     sessions_est low = 0.003
     sessions_est low_date = Wed Sep  1 11:50:25 2010
     sessions_init avg = 0.001
     sessions_init high = 0.174
     sessions_init high_date = Tue Sep  7 18:18:34 2010
     sessions_init low = 0.000
     sessions_init low_date = Wed Sep  8 08:46:27 2010
     sessions_max avg = 0.000
     sessions_max high = 0.000
     sessions_max high_date = Wed Sep  8 09:00:17 2010
     sessions_max low = 0.000
     sessions_max low_date = Wed Sep  8 09:00:17 2010
     sessions_midstream avg = 6703.818
     sessions_midstream high = 8175
     sessions_midstream high_date = Sun Sep  5 21:03:29 2010
     sessions_midstream low = 51
     sessions_midstream low_date = Wed Sep  1 11:34:05 2010
     sessions_new avg = 0.165
     sessions_new high = 3.062
     sessions_new high_date = Mon Sep  6 05:52:07 2010
     sessions_new low = 0.016
     sessions_new low_date = Fri Sep  3 20:12:36 2010
     sessions_pruned avg = 579.871
     sessions_pruned high = 953
     sessions_pruned high_date = Sun Sep  5 08:30:47 2010
     sessions_pruned low = 3
     sessions_pruned low_date = Wed Sep  1 11:50:25 2010
     sessions_timedout avg = 5066.950
     sessions_timedout high = 7586
     sessions_timedout high_date = Sun Sep  5 21:22:42 2010
     sessions_timedout low = 31
     sessions_timedout low_date = Wed Sep  1 11:34:05 2010
     sessions_udp_cachedSsns_sec avg = 0.000
     sessions_udp_cachedSsns_sec high = 0
     sessions_udp_cachedSsns_sec high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cachedSsns_sec low = 0
     sessions_udp_cachedSsns_sec low_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_current avg = 0.000
     sessions_udp_cached_current high = 0.000
     sessions_udp_cached_current high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_current low = 0.000
     sessions_udp_cached_current low_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_max avg = 0.000
     sessions_udp_cached_max high = 0
     sessions_udp_cached_max high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_max low = 0
     sessions_udp_cached_max low_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_sec avg = 0.000
     sessions_udp_cached_sec high = 0
     sessions_udp_cached_sec high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_sec low = 0
     sessions_udp_cached_sec low_date = Wed Sep  8 09:00:17 2010
     stream_fault avg = 13.182
     stream_fault high = 59
     stream_fault high_date = Wed Sep  8 05:04:52 2010
     stream_fault low = 0
     stream_fault low_date = Wed Sep  8 00:51:37 2010
     stream_flush avg = 21.526
     stream_flush high = 365.535
     stream_flush high_date = Tue Sep  7 06:20:11 2010
     stream_flush low = 0.013
     stream_flush low_date = Thu Sep  2 05:44:59 2010
     stream_timeout avg = 239.842
     stream_timeout high = 3578
     stream_timeout high_date = Sun Sep  5 20:50:12 2010
     stream_timeout low = 1
     stream_timeout low_date = Wed Sep  1 11:50:25 2010
     synacks avg = 0.124
     synacks high = 2.771
     synacks high_date = Mon Sep  6 12:42:56 2010
     synacks low = 0.006
     synacks low_date = Sat Sep  4 00:58:27 2010
     syns avg = 0.181
     syns high = 6.072
     syns high_date = Mon Sep  6 05:52:07 2010
     syns low = 0.019
     syns low_date = Fri Sep  3 20:12:36 2010

Wednesday, September 1, 2010

Snort Performance Stats Tool Info

I have noticed that there are not a ton of tools out there (definitely not many currently maintained) that can be used to parse the information from the snort performance monitor.  As such, I am considering writing one and wanted to see what the interest would be.  If there is indeed interest, then I would also like to know what format(s) and types of information would be most useful to the community.  Of course I know what will be useful to myself, and will likely be writing about that in the near future.  For now, here is some sample output from a quick perl parser that I wrote today.

$ ./ /var/tmp/snortstat

-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
    Processed: /var/tmp/snortstat
    First Entry: Wed Sep  1 11:34:05 2010
    Last Entry: Wed Sep  1 22:27:47 2010
    Time Span: 0 days, 10 hours, 53 minutes and 42 seconds

    High: 6.683 Mbits/Sec | Wed Sep  1 12:54:00 2010
    Low: 0.007 Mbits/Sec | Wed Sep  1 18:14:18 2010
    Avg: 0.276 Mbits/Sec
% Packet Loss:
    High: 3.817% | Wed Sep  1 20:13:39 2010
    Low: 0.000% | Wed Sep  1 22:22:47 2010
    Avg: 0.095%

Additional Info:
    Avg Pkt Size: 363 bytes
    Avg Syns/Sec: 0.153
    Avg SynAcks/Sec: 0.105
    Avg Alerts/Sec: 0.001
    Avg Current Cached Sessions: 2326

Obviously this was only a quick test and does not include all of the important pieces of data.  Please feel free to hit me up in #snort (on freenode), twitter, email (if'n you knows it), or post a comment here.
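As an added example (not the Pig Doktah code from these posts), here is a small Python parser of the kind described above: it reads performance-monitor output, keeps each metric in a dictionary keyed by column name, and prints the High/Low/Avg summary in the same layout as the sample output. Assumptions, not taken from the posts: the log is a CSV whose header line is prefixed with '#' and whose first column is a UNIX timestamp; the column names and the rows in SAMPLE_SNORTSTAT are constructed for the example and do not reproduce Snort's actual perfmonitor header.

```python
import time

# Constructed sample in the shape of a Snort perfmonitor CSV log. Assumptions
# (not taken from the post): a '#'-prefixed header line names the columns and
# the first column of each row is a UNIX timestamp. The column names are
# illustrative stand-ins, not Snort's actual header.
SAMPLE_SNORTSTAT = """\
#time,pkt_drop_percent,wire_mbits_per_sec,alerts_per_second,syns_per_second
1283340845,0.000,0.412,0.000,0.120
1283345640,0.531,6.683,0.002,0.190
1283364858,0.000,0.007,0.000,0.101
1283372019,3.817,1.250,0.001,0.201
1283380067,0.000,0.980,0.000,0.153
"""


def parse_perfmon(text):
    """Return {metric: [(timestamp, value), ...]} keyed by column name.

    Rows whose field count differs from the header, and fields that are not
    numeric, are skipped so one bad line does not abort the whole report.
    """
    header, series = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            header = line[1:].split(",")
            series = {name: [] for name in header[1:]}
            continue
        if header is None:
            continue  # data before any header: nothing to name the columns by
        fields = line.split(",")
        if len(fields) != len(header):
            continue
        try:
            ts = int(fields[0])
        except ValueError:
            continue
        for name, field in zip(header[1:], fields[1:]):
            try:
                series[name].append((ts, float(field)))
            except ValueError:
                pass
    return series


def fmt_time(ts):
    """Same 'Wed Sep  1 11:34:05 2010' layout as the sample report (UTC here)."""
    return time.asctime(time.gmtime(ts))


def summarize(series):
    """Per metric: average plus the high and low values and when they were seen."""
    out = {}
    for name, points in series.items():
        if not points:
            continue
        high_ts, high = max(points, key=lambda p: p[1])
        low_ts, low = min(points, key=lambda p: p[1])
        out[name] = {"avg": sum(v for _, v in points) / len(points),
                     "high": high, "high_date": fmt_time(high_ts),
                     "low": low, "low_date": fmt_time(low_ts)}
    return out


def time_span(first_ts, last_ts):
    secs = max(0, last_ts - first_ts)
    days, secs = divmod(secs, 86400)
    hours, secs = divmod(secs, 3600)
    minutes, secs = divmod(secs, 60)
    return f"{days} days, {hours} hours, {minutes} minutes and {secs} seconds"


def render_report(path, text):
    """Build the Report Info / % Packet Loss style summary as one string."""
    series = parse_perfmon(text)
    stats = summarize(series)
    stamps = sorted({ts for pts in series.values() for ts, _ in pts})
    lines = ["Report Info:", f"    Processed: {path}"]
    if stamps:
        lines += [f"    First Entry: {fmt_time(stamps[0])}",
                  f"    Last Entry: {fmt_time(stamps[-1])}",
                  f"    Time Span: {time_span(stamps[0], stamps[-1])}", ""]
    for metric, title, unit in (("wire_mbits_per_sec", "Throughput:", " Mbits/Sec"),
                                ("pkt_drop_percent", "% Packet Loss:", "%")):
        s = stats.get(metric)
        if s is None:
            continue   # column absent from this log: leave the section out
        lines += [title,
                  f"    High: {s['high']:.3f}{unit} | {s['high_date']}",
                  f"    Low: {s['low']:.3f}{unit} | {s['low_date']}",
                  f"    Avg: {s['avg']:.3f}{unit}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report("/var/tmp/snortstat", SAMPLE_SNORTSTAT))
```

Keeping every metric as a list of (timestamp, value) pairs is what makes the high/low dates cheap to report, and it is the same structure any later "tuning suggestion" logic (say, flagging sustained packet loss) can read from.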


Thursday, July 1, 2010

PulledPork 0.4.2 501 error when downloading rules

This issue most typically stems from a missing Perl Module that is required to communicate via SSL using LWP::Simple.  This required Perl Module is Crypt::SSLeay and is not included in the LWP::Simple redistributed package from the Ubuntu 8.x repositories, and will typically fail to install via CPAN on many Ubuntu server installations.  As such you simply need to do the following (on Ubuntu, since this is the only place I have seen it broken):

sudo apt-get install libcrypt-ssleay-perl

Of course if you are not running Ubuntu then you will need to use CPAN or find whatever repackaged garbage that your distro is using to distribute this ;-).

One other cause could be that your root certificates are outdated, so if you have the aforementioned Perl module installed and are still receiving a 501, this is likely the cause... google how to update your root certificates for your distro!  Again, for the sake of completeness, this is how you do it on Ubuntu:

sudo apt-get install ca-certificates
sudo update-ca-certificates

I have also added this to the PP FAQ.


Tuesday, June 29, 2010

PulledPork 0.4.2 - get it while it's hawt!

This release represents a number of significant enhancements and features (all listed below). Probably the most important to note is the change of delimiter from | to : when modifying rule state. We also now automatically determine the Snort version and OS arch. One of the most useful features, IMHO, is the pcre: rule state modification capability.. see the rule modification configs for more details... but let's say that I wanted to disable ALL MSXX rules because I run a strictly *nix environment... simply place something like pcre:MS\d{2}-\d+ into the disablesid.conf and use that file by specifying -i.
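To make the pcre: selector above and the state_order processing described in the 0.5.0 post concrete, here is an added Python example (not PulledPork's own code; its rules, SIDs and messages are constructed). It parses a few rule lines, applies enable/drop/disable selectors (gid:sid, gid:sid-sid ranges and pcre: matched against the msg) in a configurable order, and shows that the same disablesid/enablesid pair gives a different result under enable,drop,disable than under disable,drop,enable. How the real tool treats a dropsid entry on a disabled rule is not covered here; the example only rewrites the action.

```python
import re

# Constructed sample rules: SIDs 9000001-9000004 and their messages are made up
# for this example. Rule three ships disabled (commented out).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MS08-999 constructed smb rule"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MS10-123 constructed http rule"; sid:9000002; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MS09-042 constructed dns rule"; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh brute force rule"; sid:9000004; rev:1;)
"""

RULE_RE = re.compile(r'^\s*(?P<off>#\s*)?(?P<action>alert|drop|log|pass)\s+(?P<rest>.*\S)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')


def parse_rules(text):
    """Read rule lines into dicts; a leading '#' marks a disabled rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        sid = SID_RE.search(m.group("rest")) if m else None
        if not sid:
            continue   # blank lines and comments that are not rules
        gid = GID_RE.search(m.group("rest"))
        msg = MSG_RE.search(m.group("rest"))
        rules.append({"gid": int(gid.group(1)) if gid else 1,
                      "sid": int(sid.group(1)),
                      "msg": msg.group(1) if msg else "",
                      "action": m.group("action"),
                      "enabled": m.group("off") is None,
                      "rest": m.group("rest")})
    return rules


def matches(rule, selector):
    """One line of a disablesid/enablesid/dropsid conf: 'gid:sid',
    a 'gid:sid-sid' range, or 'pcre:<regex>' tested against the msg."""
    if selector.startswith("pcre:"):
        return re.search(selector[5:], rule["msg"]) is not None
    gid, _, sids = selector.partition(":")
    lo, _, hi = sids.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    return rule["gid"] == int(gid) and lo <= rule["sid"] <= hi


def apply_state(rules, enable=(), drop=(), disable=(),
                state_order=("enable", "drop", "disable")):
    """Run the three modification passes in the configured order; the last
    pass to touch a rule wins, which is why the order matters."""
    confs = {"enable": enable, "drop": drop, "disable": disable}
    for step in state_order:
        for rule in rules:
            if not any(matches(rule, sel) for sel in confs[step]):
                continue
            if step == "enable":
                rule["enabled"] = True
            elif step == "disable":
                rule["enabled"] = False
            else:   # drop: rewrite the action; the on/off state is left alone
                rule["action"] = "drop"
    return rules


def render(rules):
    return "\n".join(("" if r["enabled"] else "# ") + f"{r['action']} {r['rest']}"
                     for r in rules)


def state_counts(rules):
    """Rule Stats in the style of PulledPork's summary (definitions are this
    example's: 'enabled' = active alert rules, 'dropped' = active drop rules)."""
    active = [r for r in rules if r["enabled"]]
    dropped = sum(1 for r in active if r["action"] == "drop")
    return {"enabled": len(active) - dropped, "dropped": dropped,
            "disabled": len(rules) - len(active), "total": len(rules)}


def demo(order):
    """Disable every MSxx-nnn rule by pcre, but ask for 1:9000002 back."""
    rules = parse_rules(SAMPLE_RULES)
    apply_state(rules, enable=["1:9000002"], disable=[r"pcre:MS\d{2}-\d+"],
                state_order=order)
    return {r["sid"]: r["enabled"] for r in rules}


if __name__ == "__main__":
    for order in (("enable", "drop", "disable"), ("disable", "drop", "enable")):
        print(",".join(order), "->", demo(order))
```

Under the default order the enable pass runs first and the pcre disable then switches 9000002 off again; with disable,drop,enable the selective enable is applied last and survives, which is the "disable a whole category, then re-enable a few" workflow the 0.5.0 post describes.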

As noted below, there are MANY other changes, fixes, and additions so please don't hesitate to ask questions in irc (freenode #pulledpork) or on the mailing list.

get it here ->


New Features / changes:

  • Capability to modify rules by category (See README.CATEGORIES)
  • Capability to modify rules using regular expressions (pcre:) - See sid modification configs
  • Capability to use regular expressions in specific rule modifications - See sid modification configs
  • Changed the | delimiter for cve,bugtraq etc to :
  • Follow flowbit chains
  • Moved README files to doc
  • Automatically determine arch
  • Automatically determine Snort Version
  • Added some verbiage surrounding HUP vs Restart vs When/where/who and how
  • Added support for new download scheme of
Bug Fixes:
  • Certain rules specific GID values were not being properly parsed by the modifysid sub.
  • Bug #20 fixed, ranges are no longer off by +1 additional rule being enabled
  • Enhancement request #21, added more descriptive information to dropsid.conf and to README
  • Fixed flaw that caused certain flowbits to not be set (when GID boundaries were crossed and multiple keys were checked)
  • Enhancement request #22 updated the master config file to contain all of the currently available precompiled SO rules
  • Remove risky system calls, use handles instead
pulledpork-0.4.2.tar.gz latest hashes:
MD5SUM = d11b9d884f940a0df293718a4d4b3913
SHA256 = 3491b8c3c99c621cfd6467da2c43866f33ede1d096538e4a497cdf52b49ad677



Monday, April 26, 2010

PulledPork 0.4.1, I see your sensitive data!

In conjunction with the Snort 2.8.6 release and the new Snort Rules tarball format, pulledpork 0.4.1 is now released!  As noted below, there are a number of changes and fixes.  When updating your pulledpork, please be sure to use the latest master configuration file that is included in the release tarball and read through it thoroughly.

Notable changes include the tarball filename change, preprocessor rules and sensitive data rules.  Note that pulledpork 0.4.0 will still work with 2.8.6 but will not properly make use of the new rules just listed, and you will need to change the rules tarball name for VRT releases.  Please also note that if you use pulledpork 0.4.1 and are still using Snort you need to make some changes in the "ignore" variable section of the pulledpork.conf file.

New Features/changes:
  • Flowbit tracking! - This means that not all flowbits are enabled when a specific base ruleset is specified (security etc...); instead all flowbits are now tracked, so that only those that are required are enabled.
  • Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.
  • Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.
  • Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

  • Handle preprocessor and sensitive-information rulesets
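The flowbit tracking described above, as an added Python example (not PulledPork's implementation; the rules, SIDs and flowbit names are constructed): starting from the rules that are already enabled, any disabled rule that sets a flowbit which an enabled rule checks is enabled too, and the pass repeats until nothing new is needed, so a chain such as login seen -> data channel -> exploit check comes up together while unrelated setters stay off. The per-pass counts correspond to the repeated "Enabled N flowbits" lines in the 0.5.0 sample output; counting rules enabled per pass is this example's assumption about what that output reports.

```python
import re

# Constructed sample rules: SIDs, messages and flowbit names are made up.
# Lines starting with '#' are rules that ship disabled.
SAMPLE_RULES = """\
# alert tcp any any -> any 21 (msg:"constructed ftp login seen"; flowbits:set,c.ftp.login; flowbits:noalert; sid:9100001; rev:1;)
# alert tcp any any -> any 21 (msg:"constructed ftp data channel"; flowbits:isset,c.ftp.login; flowbits:set,c.ftp.data; flowbits:noalert; sid:9100002; rev:1;)
alert tcp any any -> any 21 (msg:"constructed ftp exploit attempt"; flowbits:isset,c.ftp.data; sid:9100003; rev:1;)
# alert tcp any any -> any 25 (msg:"constructed smtp helo seen"; flowbits:set,c.smtp.helo; flowbits:noalert; sid:9100004; rev:1;)
alert tcp any any -> any 80 (msg:"constructed plain http rule"; sid:9100005; rev:1;)
# alert tcp any any -> any 80 (msg:"constructed either-or check"; flowbits:isset,c.ftp.login|c.smtp.helo; sid:9100006; rev:1;)
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
# Snort's flowbits keyword: op,name where name may combine bits with | or &.
FLOWBIT_RE = re.compile(r'flowbits:\s*(set|setx|unset|toggle|isset|isnotset)\s*,\s*([^;]+);')


def parse_rules(text):
    """Keep, per rule, the flowbits it sets and the flowbits it checks."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        sid = SID_RE.search(line)
        if not sid:
            continue
        sets, checks = set(), set()
        for op, names in FLOWBIT_RE.findall(line):
            bits = {n.strip() for n in re.split(r"[|&]", names)}
            if op in ("set", "setx", "toggle"):
                sets |= bits
            elif op in ("isset", "isnotset"):
                checks |= bits   # 'unset' creates no dependency on a setter
        rules.append({"sid": int(sid.group(1)), "enabled": not line.startswith("#"),
                      "sets": sets, "checks": checks})
    return rules


def resolve_flowbits(rules):
    """Enable every disabled rule that sets a flowbit some enabled rule checks,
    and repeat until a pass enables nothing new. Returns the number of rules
    enabled in each pass (one list entry per pass)."""
    passes = []
    while True:
        needed = set()
        for r in rules:
            if r["enabled"]:
                needed |= r["checks"]
        newly = [r for r in rules if not r["enabled"] and r["sets"] & needed]
        if not newly:
            return passes
        for r in newly:
            r["enabled"] = True   # the setter is needed, so it comes on
        passes.append(len(newly))


def enabled_sids(rules):
    return sorted(r["sid"] for r in rules if r["enabled"])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("Setting Flowbit State....")
    for n in resolve_flowbits(rules):
        print(f"    Enabled {n} rule(s) for flowbits")
    print("Enabled rules:", enabled_sids(rules))
```

Because only enabled rules contribute to the needed set, the smtp setter (9100004) and the either-or checker (9100006) stay disabled: nothing that is on depends on them, which is the point of tracking flowbits instead of enabling every flowbit rule wholesale.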

Bug Fixes:
  • 18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure, added an extra check to ensure that this does not occur
  • Cleaned up href pointers, syntactical purposes only...
  • Modified master config to allow for better readability on smaller console based systems
  • Error output was not always returning full error, fixed this

Thanks to the community for continued support and feedback!


Snort 2.8.6 Release is OUT, WGET it nao! kthx!

That's right, the new Snort 2.8.6 Release is out, get it at!

Release Notes:

2010-04-22 - Snort 2.8.6

[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these buffers.

     HTTP server-specific configurations to normalize the HTTP header and/or
     cookies have been added.

     Support gzip decompression across multiple packets.

   * Added a Sensitive Data preprocessor, which performs detection of
     Personally Identifiable Information (PII).  A new rule option is available
     to define new PII.  See README.sensitive_data and the Snort Manual
     for configuration details.

   * Added a new pattern matcher and related configurations.  The new pattern
     matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
   * Addressed problem to resolve output obfuscation affecting packets
     when Snort is inline.

   * Preprocessors with memcap settings can now be configured in a "disabled"
     state.  This allows you to configure that memcap globally, but only enable
     the preprocessor in targeted configurations.

Friday, March 26, 2010

Pulling Pork with the Drunken Leprechaun (PP 0.4.0)

PulledPork 0.4.0 (Drunken Leprechaun) is officially released and can be downloaded here -> pulledpork-0.4.0.tar.gz

This version constitutes a major rewrite of the rule reading, modification and writing system to improve speed, future module addition, supportability, and of course reliability.  Incidentally, the codename was partially chosen due to a majority of the rewrites being finished on St. Patrick's Day.

One specific change to note is the use of Archive::Tar, this makes PulledPork more system independent.  As such though, you will need to install Archive::Tar if you do not have it currently installed, you can do so using CPAN, please see the PulledPork FAQ for further information.

New Features/changes:
  • Enablesid (-e enablesid.conf)
  • Moved all .conf files under etc/
  • Ability to define sid ranges in any of the sid modification .conf files
  • Ability to specify references in any of the sid modification .conf files
  • Ability to ignore entire rule categories (i.e. not include them)
  • Specify locally stored rules files that need their meta data included in
  • All rulestate modifications, comparisons etc.. are now handled in-memory
  • Rewrite of generation code to allow for all proper character reading and addition to
  • No longer reliant on tar binary, now using Archive::Tar
  • Ability to specify your arch for so_rules
  • Added significant amounts of debug output when an error is detected
  • Rules are now written to only two distinct files
  • Cleaned up changelog and added more information to it
Bug Fixes:
  • Properly account for whitespace in non-standard rulesets such as ET
  • Cleaned up and improved the changelog to display new / deleted sids and rule totals
  • Certain conditions caused the md5 check to fail even when valid - This was primarily an ET issue, but did manifest on VRT rulesets also
  • Many small fixes that were not tracked well :-P
  • Do not overwrite local.rules, but still include in generation
A little more detail about some of the key new features follows; note that there are more, so please read through all of the conf files and the README thoroughly:

Initially you may not notice a significant performance increase unless you already have a large number of disable or drop sids specified in your configuration, because that is where the major improvement was made.  I can't help how slow your internet connection is and thusly how long it takes you to download the tarball itself ;-).

One key change that you will note is that all rules are now written to only two distinct files: one for GID:1 rules and one for GID:3 rules.  The logic behind this is simple; if a new rule category comes out (a new or different .rules file within the VRT or ET tarball) then it will automatically be included in your snort.conf, since you will have only one or both of the aforementioned GID:1 or GID:3 rules files included.  Please note these changes in the rule_path and sostub_path within the pulledpork.conf file.

Somewhat hand-in-hand with the previous change is the addition of the ignore variable within the pulledpork.conf file; this specifies which categories/rule files you want excluded from your configuration.  By default these are deleted, experimental, and local.

If you have a local.rules file or other already locally existing rules files, you can specify them  with the local_rules variable, doing so will tell pulledpork to read these rules and populate their meta data into the

Enablesid - This was a widely requested feature, the capability to enable specific sids etc.

Sid modification ranges - This stemmed from one of the enablesid requests (an option to enable ALL sids) and my interpretation of what I thought would be more useful.  This feature gives you the capability to specify a range of sids in any of the sid state modification configuration files in the format of GID:SID-GID:SID.  Please see the individual configuration files for additional information.

Reference modification - This was another community request and allows the user to specify any reference within a rule and perform an operation on that rule (disable, enable, drop...).  The formatting is simple, the user specifies, in one of the sid state modification configuration files, the reference information such as cve|XXX-XXXX,MSXX-XXXX.  Please see the individual configuration files for additional information.
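As an added illustration (not PulledPork's own code), the following Python sketch parses GID:SID-GID:SID ranges and reference specs and applies enable/disable/drop to a handful of constructed rules. The exact spec syntax is my assumption (type|value,value for references, a lone GID:SID as a one-element range), as is the simplified option splitting.

```python
# Constructed sample rules (not from any real ruleset); the third ships disabled
# with a leading '#', as many rules in a VRT tarball do.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB test one"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"WEB test two"; reference:cve,2009-1234; sid:1000002; rev:1;)',
    '# alert tcp any any -> any 25 (msg:"SMTP test three"; sid:1000003; rev:1;)',
    'alert tcp any any -> any 445 (msg:"SMB test four"; gid:3; reference:cve,2008-4250; sid:20001; rev:1;)',
]

def parse_options(rule):
    """Return ((gid, sid), {references}); options are split on ';' and stripped,
    so 'value ;' parses like 'value;' (simplification: no ';' inside quotes)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    vals, refs = {"gid": 1, "sid": None}, set()      # gid defaults to 1 when absent
    for opt in body.split(";"):
        key, _, value = (s.strip() for s in opt.partition(":"))
        if key in vals:
            vals[key] = int(value)
        elif key == "reference":
            refs.add(value.replace(" ", "").lower())  # e.g. 'cve,2009-1234'
    return (vals["gid"], vals["sid"]), refs

def parse_range(spec):
    """'GID:SID-GID:SID' -> ((gid, sid), (gid, sid)); a lone 'GID:SID' is a range of one."""
    lo, _, hi = spec.partition("-")
    lo_t = tuple(int(x) for x in lo.split(":"))
    return lo_t, (tuple(int(x) for x in hi.split(":")) if hi else lo_t)

def parse_reference(spec):
    """Assumed syntax 'type|value,value' -> {'type,value', ...}, e.g. 'cve|2009-1234'."""
    kind, _, values = spec.partition("|")
    return {f"{kind.lower()},{v.strip().lower()}" for v in values.split(",")}

def apply_state(rules, ranges, references, action):
    """Apply 'enable' (strip '# '), 'disable' (prefix '# ') or 'drop' (swap action) to matched rules."""
    wanted = [parse_range(r) for r in ranges]
    wanted_refs = set().union(*(parse_reference(r) for r in references))
    out = []
    for rule in rules:
        text = rule.lstrip("# ")
        gid_sid, refs = parse_options(text)
        if not (any(lo <= gid_sid <= hi for lo, hi in wanted) or refs & wanted_refs):
            out.append(rule)                          # no spec matched: keep as-is
        elif action == "enable":
            out.append(text)
        elif action == "disable":
            out.append("# " + text)
        elif action == "drop":
            out.append("drop " + text.split(" ", 1)[1])
    return out
```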

Excerpt from an example configuration file:
# example of enabling ranges and references!
# you should be specific when enabling a range of rules.. don't just put an extremely high number
# this would be at the cost of speed and memory usage.

Excerpt from new changelog format:
-=Begin Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-

New Rules

Set Policy: security

Rule Totals

-=End Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-
You will want to take the paths out of your old pulledpork.conf and use the new pulledpork.conf, since there are so many new features and variables pulledpork will not function without the updated pulledpork.conf file.  All of the other sid modification conf files remain unchanged, however.

Please be sure that you read the README and all configuration files thoroughly as there are many changes.


Thursday, February 25, 2010

Hogging the Snort Host Attribute Table

Hogger is a new Snort supportive tool, written in Perl by Parker Crook, that allows you to create a Host Attribute Table from an nmap scan. But first, a little primer. A feature within Snort that has received some traction lately is the --enable-targetbased configuration option. This allows you to specify a Host Attribute Table that contains critical information about your network host topology (i.e. OS, services etc.). Using this information, snort can then properly reassemble fragments, track streams and do a number of other things. All of these items are covered in Joel Esler's recent CSO article that can be found at This URL. It is an excellent article that covers what Host Attribute Tables are and how to use them, so please read it for a better understanding!

Now that you know all about the Host Attribute Table, let's jump into the purpose and use of hogger. As mentioned previously, hogger was written by Parker Crook to create a Host Attribute Table using the resulting output of an nmap scan. Without further ado, let's walk through the usage of hogger!

  1. Install XML::Writer
  2. Get hogger
  3. Install Nmap
  4. Run Nmap with correct options
  5. Run hogger against Nmap output file
  6. Start your snorting!
1: Installing XML::Writer
$perl -MCPAN -e shell
cpan[1]> install XML::Writer
2: Get Hogger
$tar xvfz hogger.tar.gz
3: Install Nmap
Use whatever tool that your distribution / OS uses to install Nmap, or get the source from and build it yourself!
4: Run Nmap
$mkdir ~/hogger/nmap
$cd ~/hogger/nmap
$nmap -sV -T4 -oN scan.nmap
Starting Nmap 5.21 ( ) at 2010-02-25 18:46 UTC
..output suppressed...
5: Run hogger (against scan.nmap)
$cd ~/hogger
$./ -c nmap/hostmap.csv -n nmap/scan.nmap -x nmap/host_attrib_table.xml
6: Start your snorting - At this point you can take the newly created host_attrib_table.xml file and put its path in your snort.conf, assuming you built snort with the correct option:
attribute_table filename /path/to/host_attrib_table.xml
Now that we have all of this running, let's examine some of the options that are currently available in hogger and dissect our hogger run: "./ -c nmap/hostmap.csv -n nmap/scan.nmap -x nmap/host_attrib_table.xml".

Hogger help output:
Usage: ./ [-r? -help] -n -c -x

-c Where the human-readable/modifiable csv file containing host information lives.
-n Where the nmap file containing host information lives.
-r Process the csv file and output to xml for snort, but do not read an nmap file.
-x Where you want to create the host_attribute table.xml (Overwrites existing files)
-help/? Print this information

Starting with the -c flag: this is a file that hogger will create if it does not exist, and it is simply a csv file that you can modify (for those hosts that nmap either misses or does not identify as accurately as you would like). A few sample entries from the file (hostmap.csv) that we created in the above test run:
, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http
, FreeBSD, 22|tcp|ssh 53|tcp|domain 80|tcp|http 3000|tcp|http 3128|tcp|http-proxy 3306|tcp|mysql 5000|tcp|http-proxy 8443|tcp|http
Next we see the -n flag; this specifies where the nmap output file (which we previously created using the nmap -oN scan.nmap option) lives. This is the file that hogger reads to create entries in the -c csv file.

The -r flag is fairly straightforward and specifies that you ONLY want to read the csv file specified with the -c flag value.

The final flag that we will discuss is the -x flag; this is a required flag and tells hogger where you want the resulting output (the Host Attribute Table) to be placed. Examples from the output, matching the entries noted in the -c flag information above:
<HOST IP="">
<HOST IP="">
<HOST IP="">
Having said all of this, I am not going to go into detail about the flags used during the Nmap scan; suffice it to say that those are the suggested flags and that -oN is required to produce the output file for hogger to read.
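To show what hogger's nmap-to-csv step involves, here is an added Python example (not hogger's own code) that walks constructed nmap -oN output and emits lines in the hostmap.csv layout shown above. The sample scan text, addresses and hostname are made up, and the "unknown" OS placeholder for hosts without a Service Info line is my choice.

```python
import re

# Constructed nmap -sV -oN output (not a real scan; 192.0.2.0/24 is the documentation range).
SCAN_NMAP = """\
Nmap scan report for 192.0.2.1
Host is up (0.0012s latency).
PORT    STATE SERVICE  VERSION
23/tcp  open  telnet   Cisco telnetd
53/tcp  open  domain   ISC BIND 9.4.2
443/tcp open  ssl/http Apache httpd
Service Info: OS: Linux; Device: router

Nmap scan report for gw.example.test (192.0.2.3)
Host is up (0.00020s latency).
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 5.3
80/tcp   open     http    Apache httpd 2.2.14
3306/tcp open     mysql   MySQL 5.1
8443/tcp filtered http
Service Info: OS: FreeBSD

Nmap scan report for 192.0.2.5
Host is up.
All 1000 scanned ports on 192.0.2.5 are closed
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")  # with or without rDNS name
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")                           # only open ports count
OS_RE = re.compile(r"^Service Info:.*?OS: ([^;]+)")                                # OS from -sV banner info

def parse_nmap(text):
    """Walk normal-format nmap output and collect, per host IP, the detected OS
    and the open ports as 'port|proto|service' entries (the hostmap.csv layout)."""
    hosts, cur = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(1), {"os": "unknown", "svc": []})
        elif cur is None:
            continue                     # preamble before the first host
        elif (m := PORT_RE.match(line)):
            cur["svc"].append("|".join(m.groups()))
        elif (m := OS_RE.match(line)):
            cur["os"] = m.group(1).strip()
    return hosts

def to_hostmap_csv(hosts):
    """Render one 'ip, os, svc svc ...' line per host, as shown in the post."""
    return [f"{ip}, {h['os']}, {' '.join(h['svc'])}" for ip, h in hosts.items()]
```

Hosts with no open ports or no OS hint are still emitted, so they can be completed by hand in the csv as the post suggests.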

Overall I think that the concept behind hogger is excellent and that it should provide useful aid to all you snort heads out there! This tool gets a thumbs up from me, should be one that you put into your snort bag of tricks, and is one that I am planning to contribute to.


Tuesday, February 23, 2010

Writing Snort Rules Correctly (via Joel Esler)

Joel Esler recently published an article entitled "Writing Snort Rules Correctly". I certainly suggest having a read through it, as it discusses a number of the finer points (including PCRE) of writing a snort rule, using a previously published example rule. Joel dissects the rule, pointing out the good and bad while making note of better methods.

Just a short post, but I thought it worth posting to bring more attention to the aforementioned article by Joel Esler.


Tuesday, January 12, 2010

ET Rules and /\s?/

It was recently brought to my attention that many of the rules within the various Emerging Threats ruleset have a whitespace after value definitions such as flowbits:set and msg:"\s?". Unfortunately I did not notice this within the ET rulesets.

PulledPork was originally written to handle VRT rulesets from (none have this formatting flaw) and as such I had not accounted for it, as mentioned previously. The fix is a simple regex modification to the PulledPork code, you can get the patch here: and apply it to

For those that might ask the question "what if there are multiple whitespaces, a la \s*": this is NOT the case. I spoke with rotorhead from the ET team and all ET rules are normalized to at least remove multiple whitespace chars.

This fix has already been checked into svn, but I will not be re-releasing 0.3.4 to account for this; I will likely be generating daily snapshots in the near future.
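As an added example (not the actual PulledPork patch), the following Python compares a strict option regex with one carrying the \s? described above, run over two constructed rules: one in VRT style and one with the ET-style space before the ';'. The rules and patterns are mine, not taken from either ruleset.

```python
import re

# Two constructed rules: VRT style ('value;') and ET style with a space before the
# ';' that closes msg and flowbits:set, the formatting the post describes.
VRT_RULE = 'alert tcp any any -> any 80 (msg:"TEST vrt style"; flowbits:set,test.seen; sid:9000001; rev:1;)'
ET_RULE = 'alert tcp any any -> any 80 (msg:"TEST et style" ; flowbits:set,test.seen ; sid:9000002; rev:1;)'

STRICT = {  # original patterns: the value must be followed directly by ';'
    "msg": re.compile(r'msg:"([^"]*)";'),
    "flowbits": re.compile(r"flowbits:(\w+,[\w.]+);"),
}
TOLERANT = {  # patched patterns: \s? absorbs one optional space before ';'
    "msg": re.compile(r'msg:"([^"]*)"\s?;'),
    "flowbits": re.compile(r"flowbits:(\w+,[\w.]+)\s?;"),
}

def extract(rule, patterns):
    """Return {option: value} for every pattern that matches; misses are omitted,
    which is how the strict regex silently lost ET rule data."""
    return {k: m.group(1) for k, p in patterns.items() if (m := p.search(rule))}
```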


Monday, January 11, 2010

Time to own your rules - PulledPork 0.3.4 Released!

After what seems like forever since I have made a post about anything, I am pleased to announce the general availability of the latest version of PulledPork! This new version (v0.3.4) has a significant number of bugfixes for a variety of OS/distributions in addition to the numerous feature enhancements noted below.

I would like to thank all of the individuals that provided beta testing assistance and valuable feedback. I would also like to thank all of the users that have adopted PulledPork and sent in comments / feature requests. PulledPork certainly would not be where it is without your support and contributions!

Now that we are through the mushy stuff, on to the features!

VRT Rulesets! - Support metadata based VRT recommended rulesets - The short of it is that you can now specify a default pre-defined ruleset; yes, this ruleset was designed by the VRT! The individual pre-defined rulesets that can be specified are fairly straightforward:
  • Connectivity - You run a lot of real time applications (VOIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile most likely to affect the largest number of people type of vulnerabilities.
  • Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks, start here.
  • Security - You don't care about dropping your bosses email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist, start here!

Changelog - This feature allows you to specify that you want a changelog (any rule that has any change in it from your previous ruleset, i.e. disabled, enabled, modified etc..) maintained for any and all changes, in a specified log file.

Inline Drops - This feature allows you to specify what SIDs you want to be set to drop, for those running an inline setup!

Multiline Rules - Added full support for parsing of multiline rules.

Enhancements - Many minor enhancements made to the debugging output, speed enhancements, code cleanup, error handling etc...

There are quite a few runtime options and configuration options, please be sure to read through the README files thoroughly, also please be sure to use the latest pulledpork.conf that is included in the tarball! That's about it for now, please feel free to participate by asking questions on the mail list at or on freenode in #snort or #pulledpork

One final note, all of the release tarballs will now be named as pulledpork-X.X.X.tar.gz to help out with those maintaining packages and ports, thanks!

Download the tarball here pulledpork-0.3.4.tar.gz
MD5SUM = 034f90a2555c5f82e760b0ce68489ad2
SHA256 = 8b775e6476d653733f3d29ea9c962a76feaf148f3204a90fd47c646802448b80