Thursday, October 21, 2010

Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

This release of PulledPork (The Drowning Rat) represents quite a bit of development: it adds a number of community-requested capabilities, changes a few existing ones around, and repairs some bugs!  Again, I would like to thank the community for their support, contribution and use of the PulledPork Snort rule management system.  The next section is an excerpt from the README.CHANGES, and below it I discuss some example use cases and include some sample output.

PulledPork Changelog

v0.5.0

New Features / changes:
- Automatic VRT tarball name determination (based on local Snort Version)
- Full support for ET Pro rulesets
- Full support for new ET Download scheme
- Issue #27 Modifysid capability
- Capability to retrieve multiple rulesets in a single run
- Issue #24 Added verbose output showing all requests, results and urls
- Verbose output now shows percentage bar for downloads
- Extra Verbose output now shows additional HTTP debug!
- Set value in default.conf file to https for VRT downloads
- Set UA Value to (PulledPork/X.X.X)
- Capability to log critical information to syslog
- Grabonly option, for those that only want to download the tarball(s)
- Issue #34 Added the capability to specify the order of disable / enable / drop
    using the state_order configuration option in the master config file
- Added a contrib directory
- Added oink-conv.pl to contrib directory
    * converts oinkmaster config files to PP config files
    * Thx Russell Fulton!
- Added README.CONTRIB to track contrib files (ohai manifest)
- Perl Module Requirement Changes (SEE SECTION BELOW)
- Issue #38 Added capability to extract reference docs from tarball and
    store in a defined path, NOTE this dramatically increases PP runtime
    * runtime value is -r

Bug Fixes:
- Should now correctly use environmentally set proxy settings
    * Shout to pkthound for his work and contribution here!
- Fixed case where rules with multiple flowbit (un)?set values would not
    properly populate all of the flowbit values into the rules hash
- Bug #29 - fixed to allow for proper sid-msg.map generation
- Bug #28 - fixed numerous spellification issues
- Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case


Perl Module Requirement Changes:
- LWP::Simple no longer required
- LWP::UserAgent now required
- HTTP::Request now required
- HTTP::Status now required
- SYS::Syslog now required
- Crypt::SSLeay now required
- Carp now required

As you can see, and as I had indicated, there are a number of significant improvements and fixes.  It is important to note that there are a number of changes to the master config, including new and changed options, and the addition of the modifysid.conf file, which allows you to modify rules based on regular expression matches.

Of course we also now fully support the ET Pro and the new ET open rulesets, as well as the capability to download multiple rulesets in a single run, rather than using multiple config files that reference other .rules files as local rules.

One other seemingly insignificant change is the capability to change the order in which the rule modification routines run, which gives you more granular control over rule state.  The default processing order is (enable, drop, disable).  This can now be changed, for example to disable all rules in a specific category (or by whatever other method you choose) and then selectively enable rules out of that category, by simply changing the run order to disable,drop,enable.  Combining this with the pcre, category, modifysid and other capabilities gives you quite a bit of versatility.
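To make the state_order point concrete, here is a small simulation (added example, not PulledPork's own Perl code) of three rule-state passes run in a configurable order, where a later pass overwrites the state set by an earlier one; the rule sids, categories and the policy below are constructed for illustration.

```python
"""Simulates PulledPork-style enable/drop/disable passes applied in a
configurable state_order. Assumption (not taken from PulledPork's source):
each pass overwrites rule state, so the last pass to touch a rule wins."""
from dataclasses import dataclass

STATE_FOR_ACTION = {"enable": "enabled", "disable": "disabled", "drop": "drop"}

@dataclass
class Rule:
    sid: int
    category: str
    state: str = "enabled"  # "enabled", "disabled" or "drop"

def apply_pass(rules, action, sids=(), categories=()):
    """One pass: set `action` on every rule matching a listed sid or category,
    modelling a disablesid/enablesid/dropsid entry or a category match."""
    for rule in rules:
        if rule.sid in sids or rule.category in categories:
            rule.state = STATE_FOR_ACTION[action]

def process(rules, state_order, policy):
    """Run the passes in the order given by state_order (comma separated).
    policy maps action -> (sids, categories) to apply in that pass."""
    for action in (a.strip() for a in state_order.split(",")):
        sids, categories = policy.get(action, ((), ()))
        apply_pass(rules, action, sids, categories)
    return {rule.sid: rule.state for rule in rules}

def build_rules():
    # Constructed sample ruleset: three "policy" rules and one "malware" rule.
    return [Rule(1000001, "policy"), Rule(1000002, "policy"),
            Rule(1000003, "policy"), Rule(2000001, "malware")]

# Constructed intent: disable the whole "policy" category, re-enable one sid
# from it, and drop the malware rule.
POLICY = {
    "disable": ((), ("policy",)),
    "enable": ((1000002,), ()),
    "drop": ((2000001,), ()),
}

def default_order():
    # enable,drop,disable: the category-wide disable runs last and wins,
    # so the selectively enabled sid 1000002 ends up disabled anyway.
    return process(build_rules(), "enable,drop,disable", POLICY)

def disable_first_order():
    # disable,drop,enable: the category is disabled first, then sid 1000002
    # is re-enabled, which is the behaviour the post describes.
    return process(build_rules(), "disable,drop,enable", POLICY)
```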

So, without further ado, I give you:
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.5.0 The Drowning Rat
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
    They Match
    Done!
Prepping rules from snortrules-snapshot-2861.tar.gz for work....
    Done!
Checking latest MD5 for etpro.rules.tar.gz....
    They Match
    Done!
Prepping rules from etpro.rules.tar.gz for work....
    Done!
Checking latest MD5 for emerging.rules.tar.gz....
    They Match
    Done!
Prepping rules from emerging.rules.tar.gz for work....
    Done!
Reading rules...
Reading rules...
Activating security rulesets....
    Done
Setting Flowbit State....
    Enabled 264 flowbits
    Enabled 29 flowbits
    Enabled 4 flowbits
    Enabled 2 flowbits
    Done
Writing /home/jj/snort.rules....
    Done
Generating sid-msg.map....
    Done
Writing /home/jj/sid-msg.map....
    Done
Writing /home/jj/sid_changes.log....
    Done
Rule Stats....
    New:-------0
    Deleted:---0
    Enabled Rules:----4506
    Dropped Rules:----0
    Disabled Rules:---17797
    Total Rules:------22303
    Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Bah, Paste chopped my flying pig up ;-)

Get it here:
pulledpork-0.5.0.tar.gz latest hashes:
MD5SUM = 60c0abe78945876c643760b3bb2afdb6
SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872

Cheers,
JJC 
