Monday, April 26, 2010

PulledPork 0.4.1, I see your sensitive data!

In conjunction with the Snort 2.8.6 release and the new Snort Rules tarball format, pulledpork 0.4.1 is now released!  As noted below, there are a number of changes and fixes.  When updating your pulledpork, please be sure to use the latest master configuration file that is included in the release tarball and read through it thoroughly.

Notable changes include the tarball filename change, preprocessor rules and sensitive data rules.  Note that pulledpork 0.4.0 will still work with 2.8.6 but will not properly make use of the new rules that I just listed and that you will need to change the rules tarball name for VRT releases.  Please also note that if you use pulledpork 0.4.1 and are still using Snort that you need to make some changes in the "ignore" variable section of the pulledpork.conf file.

New Features/changes:
  • Flowbit tracking! - This means that all flowbits are not enabled when a specific base ruleset is specified (security etc...) but rather all flowbits are now tracked, allowing for only those that are required to be enabled.
  • Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.
  • Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.
  • Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

  • Handle preprocessor and sensitive-information rulesets

Bug Fixes:
  • 18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure, added an extra check to ensure that this does not occur
  • Cleaned up href pointers, syntactical purposes only...
  • Modified master config to allow for better readability on smaller console based systems
  • Error output was not always returning full error, fixed this

Thanks to the community for continued support and feedback!


Snort 2.8.6 Release is OUT, WGET it nao! kthx!

That's right, the new Snort 2.8.6 Release is out, get it at!

Release Notes:

2010-04-22 - Snort 2.8.6

[*] New Additions
   * HTTP Inspect now splits requests into 5 components -
     Method, URI, Header (non-cookie), Cookies, Body.
     Content and PCRE rule options can now search one or more of these buffers.

     HTTP server-specific configurations to normalize the HTTP header and/or
     cookies have been added.

     Support gzip decompression across multiple packets.

   * Added a Sensitive Data preprocessor, which performs detection of
     Personally Identifiable Information (PII).  A new rule option is available
     to define new PII.  See README.sensitive_data and the Snort Manual
     for configuration details.

   * Added a new pattern matcher and related configurations.  The new pattern
     matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
   * Addressed problem to resolve output obfuscation affecting packets
     when Snort is inline.

   * Preprocessors with memcap settings can now be configured in a "disabled"
     state.  This allows you to configure that memcap globally, but only enable
     the preprocessor in targeted configurations.