Monday, April 26, 2010

PulledPork 0.4.1, I see your sensitive data!

In conjunction with the Snort 2.8.6 release and the new Snort Rules tarball format, pulledpork 0.4.1 is now released!  As noted below, there are a number of changes and fixes.  When updating your pulledpork, please be sure to use the latest master configuration file that is included in the release tarball and read through it thoroughly.

Notable changes include the tarball filename change, preprocessor rules and sensitive data rules.  Note that pulledpork 0.4.0 will still work with 2.8.6 but will not properly make use of the new rules that I just listed and that you will need to change the rules tarball name for VRT releases.  Please also note that if you use pulledpork 0.4.1 and are still using Snort 2.8.5.3 that you need to make some changes in the "ignore" variable section of the pulledpork.conf file.

New Features/changes:
  • Flowbit tracking! - This means that all flowbits are not enabled when a specific base ruleset is specified (security etc...) but rather all flowbits are now tracked, allowing for only those that are required to be enabled.
  • Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.
  • Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.
  • Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

  • Handle preprocessor and sensitive-information rulesets

Bug Fixes:
  • 18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure, added an extra check to ensure that this does not occur
  • Cleaned up href pointers, syntactical purposes only...
  • Modified master config to allow for better readability on smaller console based systems
  • Error output was not always returning full error, fixed this

Thanks to the community for continued support and feedback!

Cheers,
JJC