Friday, March 26, 2010

Pulling Pork with the Drunken Leprechaun (PP 0.4.0)


PulledPork 0.4.0 (Drunken Leprechaun) is officially released and can be downloaded here -> pulledpork-0.4.0.tar.gz


This version constitutes a major rewrite of the rule reading, modification and writing system to improve speed, future module addition, supportability, and of course reliability.  Incidentally, the codename was partially chosen due to a majority of the rewrites being finished on St. Patrick's Day.

One specific change to note is the use of Archive::Tar, which makes PulledPork more system independent.  As a result, you will need to install Archive::Tar if you do not currently have it installed; you can do so using CPAN.  Please see the PulledPork FAQ for further information.

New Features/changes:
  • Enablesid (-e enablesid.conf)
  • Moved all .conf files under etc/
  • Ability to define sid ranges in any of the sid modification .conf files
  • Ability to specify references in any of the sid modification .conf files
  • Ability to ignore entire rule categories (i.e. not include them)
  • Specify locally stored rules files that need their meta data included in sid-msg.map
  • All rulestate modifications, comparisons etc.. are now handled in-memory
  • Rewrite of sid-msg.map generation code to allow for all proper character reading and addition to sid-msg.map
  • No longer reliant on tar binary, now using Archive::Tar
  • Ability to specify your arch for so_rules
  • Added significant amounts of debug output when an error is detected
  • Rules are now written to only two distinct files
  • Cleaned up changelog and added more information to it
Bug Fixes:
  • Properly account for whitespace in non-standard rulesets such as ET
  • Cleaned up and improved the changelog to display new / deleted sids and rule totals
  • Certain conditions caused the md5 check to fail even when valid - This was primarily an ET issue, but did manifest on VRT rulesets also
  • Many small fixes that were not tracked well :-P
  • Do not overwrite local.rules, but still include in sid-msg.map generation
A little more detail about some of the key new features (note that there are more; please read through all of the conf files and README thoroughly):

Initially you may not notice a significant performance increase unless you already have a large number of disable or drop sids specified in your configuration, since that is where the major improvement was made.  I can't help how slow your internet connection is and thus how long it takes you to download the tarball itself ;-).

One key change that you will note is that all rules are now written to only two distinct files.. one for GID:1 rules and one for GID:3 rules.  The logic behind this is simple: if a new rule category comes out (a new or different .rules file within the VRT or ET tarball), it will automatically be included in your snort.conf, since you will only have one or both of the aforementioned GID:1 and GID:3 rules files included.  Please note these changes in the rule_path and sostub_path within the pulledpork.conf file.

Somewhat hand-in-hand with the previous change is the addition of the ignore variable within the pulledpork.conf file.. this specifies what categories/rule files that you want excluded from your configuration.  By default these are deleted, experimental, and local.

If you have a local.rules file or other already locally existing rules files, you can specify them with the local_rules variable; doing so tells pulledpork to read these rules and populate their meta data into the sid-msg.map.

Enablesid - This was a widely requested feature: the capability to enable specific sids, etc.

Sid modification ranges - This stemmed from one of the enablesid requests (an option to enable ALL sids) and my interpretation of what I thought would be more useful.  This feature gives you the capability to specify a range of sids in any of the sid state modification configuration files in the format of GID:SID-GID:SID.  Please see the individual configuration files for additional information.

Reference modification - This was another community request and allows the user to specify any reference within a rule and perform an operation on that rule (disable, enable, drop...).  The formatting is simple, the user specifies, in one of the sid state modification configuration files, the reference information such as cve|XXX-XXXX,MSXX-XXXX.  Please see the individual configuration files for additional information.

Excerpt from an example configuration file:
# example of enabling ranges and references!
# you should be specific when enabling a range of rules.. don't just put an extremely high number
# this would be at the cost of speed and memory usage.
1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004
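To make the sid range and reference matching (and the sid-msg.map population from local rules mentioned earlier) concrete, here is an added Python example.  It is not PulledPork's own Perl code; it re-implements the idea on constructed sample rules: parse an enablesid-style entry list (single GID:SID, GID:SID-GID:SID ranges, ref|value references, MS bulletin ids), uncomment every matching rule, then emit sid-msg.map lines and the same kind of rule totals the new changelog reports.  Assumptions not stated on the page: both ends of a range carry the same GID, an MSXX-XXX entry is matched case-insensitively inside a rule's url references, and sid-msg.map uses the "sid || msg || ref || ref" layout.

```python
import re
from dataclasses import dataclass

# Constructed sample rules (not from any real ruleset).  Disabled rules carry
# the leading "# " that Snort rule files use for commented-out rules.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC old exploit"; reference:cve,1999-0499; classtype:web-application-attack; sid:1101; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP bad login"; classtype:misc-activity; sid:800; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RANGE rule one"; sid:1500; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RANGE rule two"; sid:2001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB something"; reference:url,www.microsoft.com/technet/security/bulletin/ms09-004.mspx; reference:bugtraq,22026; sid:15000; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GID3 shared object stub"; gid:3; sid:1500; rev:1;)
"""

# The enablesid.conf excerpt from the post, used as the modifier list.
ENABLESID_CONF = """\
# example of enabling ranges and references!
1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004
"""

ACTION_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\b')
DISABLED_RE = re.compile(r'^\s*#\s*')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"((?:[^"\\]|\\.)*)"\s*;')   # msg may contain \" escapes
REF_RE = re.compile(r'\breference:\s*([^;]+?)\s*;')         # e.g. "cve,1999-0499"


@dataclass
class Rule:
    gid: int
    sid: int
    msg: str
    refs: list
    enabled: bool
    body: str  # rule text without the leading "# "


def parse_rule(line):
    """Return a Rule for a (possibly commented-out) rule line, or None for other text."""
    disabled = DISABLED_RE.match(line)
    body = line[disabled.end():] if disabled else line
    sid = SID_RE.search(body)
    if not sid or not ACTION_RE.match(body):
        return None
    gid, msg = GID_RE.search(body), MSG_RE.search(body)
    return Rule(gid=int(gid.group(1)) if gid else 1, sid=int(sid.group(1)),
                msg=msg.group(1) if msg else "", refs=REF_RE.findall(body),
                enabled=not disabled, body=body.rstrip())


def parse_modifiers(conf_text):
    """Turn a sid modification .conf into selector tuples; '#' starts a comment."""
    selectors = []
    for raw in conf_text.splitlines():
        for item in (p.strip() for p in raw.split('#', 1)[0].split(',')):
            if not item:
                continue
            if m := re.fullmatch(r'(\d+):(\d+)-(\d+):(\d+)', item):
                selectors.append(('range', *map(int, m.groups())))
            elif m := re.fullmatch(r'(\d+):(\d+)', item):
                selectors.append(('sid', int(m.group(1)), int(m.group(2))))
            elif '|' in item:
                kind, value = item.split('|', 1)
                selectors.append(('ref', kind.lower(), value.lower()))
            elif re.fullmatch(r'(?i)ms\d\d-\d{3}', item):
                selectors.append(('ms', item.lower()))   # assumption: matched inside url refs
            else:
                raise ValueError(f'unrecognised entry: {item!r}')
    return selectors


def matches(rule, sel):
    if sel[0] == 'sid':
        return (rule.gid, rule.sid) == (sel[1], sel[2])
    if sel[0] == 'range':                     # assumption: same GID on both ends
        _, g1, s1, g2, s2 = sel
        return rule.gid == g1 == g2 and s1 <= rule.sid <= s2
    if sel[0] == 'ref':
        return any(r.lower() == f'{sel[1]},{sel[2]}' for r in rule.refs)
    if sel[0] == 'ms':
        return any(sel[1] in r.lower() for r in rule.refs)
    return False


def apply_enablesid(rules_text, conf_text):
    """Uncomment every rule matched by a selector; return (new file text, rules)."""
    selectors = parse_modifiers(conf_text)
    out, rules = [], []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out.append(line)            # comments / blank lines pass through
            continue
        if any(matches(rule, s) for s in selectors):
            rule.enabled = True
        out.append(rule.body if rule.enabled else '# ' + rule.body)
        rules.append(rule)
    return '\n'.join(out) + '\n', rules


def sid_msg_map(rules):
    """Assumed sid-msg.map layout: sid || msg || ref || ref"""
    return [' || '.join([str(r.sid), r.msg] + r.refs) for r in rules]


def totals(rules):
    """Same counts the new changelog 'Rule Totals' block reports."""
    enabled = sum(r.enabled for r in rules)
    return {'enabled': enabled, 'disabled': len(rules) - enabled, 'total': len(rules)}


if __name__ == '__main__':
    text, rules = apply_enablesid(SAMPLE_RULES, ENABLESID_CONF)
    print(text)
    print('\n'.join(sid_msg_map(rules)))
    print(totals(rules))
```

Running it shows why the GID matters: the range 1:1200-1:2000 enables sid 1500 in GID 1 but leaves the GID:3 stub with the same sid disabled, and sid 15000 is enabled both by its bugtraq reference and by the MS09-004 id found in its url reference.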

Excerpt from new changelog format:
-=Begin Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-

New Rules
        1:16492
        1:16493
        1:16494
        1:16495
        1:16496
        1:16497
        1:16498
        1:16499
        1:16500

Set Policy: security

Rule Totals
        New:-------9
        Deleted:---0
        Enabled:---5378
        Dropped:---0
        Disabled:--3606
        Total:-----8984

-=End Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-
You will want to take the paths out of your old pulledpork.conf and use the new pulledpork.conf; since there are so many new features and variables, pulledpork will not function without the updated pulledpork.conf file.  All of the other sid modification conf files remain unchanged, however.

Please be sure that you read the README and all configuration files thoroughly as there are many changes.

JJC