Tuesday, June 29, 2010

PulledPork 0.4.2 - get it while it's hawt!

This release brings a number of significant enhancements and features (all listed below). The most important one to note is the change of delimiter from | to : when modifying rule state. We also now automatically determine the Snort version and OS architecture. One of the most useful features, IMHO, is the pcre: rule state modification capability; see the rule modification configs for more details. For example, say I wanted to disable ALL MSXX rules because I run a strictly *nix environment: simply place something like pcre:MS\d{2}-\d+ into disablesid.conf and use that file by specifying -i.

As noted below, there are MANY other changes, fixes, and additions, so please don't hesitate to ask questions in IRC (freenode #pulledpork) or on the mailing list.

get it here ->
http://code.google.com/p/pulledpork

v0.4.2

New Features / changes:

  • Capability to modify rules by category (See README.CATEGORIES)
  • Capability to modify rules using regular expressions (pcre:) - See sid modification configs
  • Capability to use regular expressions in specific rule modifications - See sid modification configs
  • Changed the | delimiter for cve, bugtraq, etc. to :
  • Added README.CATEGORIES
  • Added README.SHAREDOBJECTS
  • Follow flowbit chains
  • Moved README files to doc
  • Automatically determine arch
  • Automatically determine Snort Version
  • Added some verbiage surrounding HUP vs Restart vs When/where/who and how
  • Added support for new snort.org download scheme of http://snort.org/reg-rules...

Bug Fixes:
  • Certain rule-specific GID values were not being properly parsed by the modifysid sub.
  • Bug #20 fixed: ranges are no longer off by one (one additional rule was being enabled)
  • Enhancement request #21: added more descriptive information to dropsid.conf and to the README
  • Fixed flaw that caused certain flowbits to not be set (when GID boundaries were crossed and multiple keys were checked)
  • Enhancement request #22: updated the master config file to contain all of the currently available precompiled SO rules
  • Removed risky system calls, use handles instead
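To make the new disablesid.conf behaviour concrete, here is an added Python example (not PulledPork's own Perl code) that applies a disablesid-style file with pcre: entries and inclusive gid:sid ranges to a handful of constructed Snort rules, then re-enables any disabled rule whose flowbit is still required by an enabled rule, in the spirit of the "Follow flowbit chains" item above. The rule lines, the config entries, and the exact entry grammar (gid:sid, gid:lo-hi, pcre:regex, # comments) are assumptions for illustration, not a reimplementation of PulledPork's parser.

```python
import re

# Constructed sample rules for illustration (not from the PulledPork or Snort
# distributions). Rule 1000003 sets a flowbit that 1000004 checks, and 1000004
# sets a second flowbit that 1000006 checks: a two-link flowbit chain.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MS08-067 netapi attempt"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB MS10-002 IE exploit"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP client start"; flowbits:set,http.client; flowbits:noalert; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"HTTP suspicious response"; flowbits:isset,http.client; flowbits:set,http.client.evil; flowbits:noalert; sid:1000004; rev:1;)
alert tcp any any -> any 22 (msg:"SSH brute force"; sid:1000005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP evil follow-up"; flowbits:isset,http.client.evil; sid:1000006; rev:1;)
"""

# Constructed disablesid.conf. Assumed grammar: "gid:sid", "gid:lo-hi" (both
# ends inclusive), "pcre:<regex>" tested against the whole rule line, "#" comments.
SAMPLE_DISABLESID = """\
# drop every Microsoft-bulletin signature: this is a *nix-only shop
pcre:MS\\d{2}-\\d+
# drop a block of sids; both ends of the range are included
1:1000003-1000005
"""

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'flowbits:\s*([^;]+);')


def parse_rules(text):
    """Map (gid, sid) -> rule line for each active rule line; gid defaults to 1."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if sid is None:
            continue  # not a rule line
        gid = GID_RE.search(line)
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = line
    return rules


def parse_disablesid(text):
    """Turn each config entry into a predicate over (gid, sid, rule_line)."""
    predicates = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('pcre:'):
            regex = re.compile(line[len('pcre:'):])
            predicates.append(lambda g, s, r, rx=regex: rx.search(r) is not None)
            continue
        gid, _, sids = line.partition(':')
        if not sids:
            raise ValueError("unrecognised disablesid entry: %r" % line)
        lo, _, hi = sids.partition('-')
        gid, lo, hi = int(gid), int(lo), int(hi or lo)  # single sid == range lo..lo
        predicates.append(lambda g, s, r, gid=gid, lo=lo, hi=hi: g == gid and lo <= s <= hi)
    return predicates


def flowbit_deps(rule_line):
    """Return (bits this rule checks, bits this rule sets)."""
    checks, sets = set(), set()
    for opt in FLOWBITS_RE.findall(rule_line):
        parts = [p.strip() for p in opt.split(',')]
        if len(parts) < 2:
            continue  # noalert / reset carry no bit name
        names = {n for n in re.split(r'[|&]', parts[1]) if n}
        if parts[0] in ('isset', 'isnotset'):
            checks |= names
        elif parts[0] in ('set', 'setx', 'toggle'):
            sets |= names
    return checks, sets


def apply_disablesid(rules, disable_text):
    """Return the set of (gid, sid) keys that end up disabled."""
    predicates = parse_disablesid(disable_text)
    disabled = {k for k, r in rules.items() if any(p(k[0], k[1], r) for p in predicates)}
    # Follow flowbit chains: a disabled rule that sets a bit checked by an enabled
    # rule is re-enabled; repeat until nothing changes so that the setter of a
    # setter (a multi-link chain) is restored as well.
    while True:
        needed = set()
        for k in rules:
            if k not in disabled:
                needed |= flowbit_deps(rules[k])[0]
        restored = {k for k in disabled if flowbit_deps(rules[k])[1] & needed}
        if not restored:
            return disabled
        disabled -= restored


def render(rules, disabled):
    """Write the rules back out, commenting out the disabled ones."""
    return "\n".join(("# " + r) if k in disabled else r for k, r in sorted(rules.items()))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(render(rules, apply_disablesid(rules, SAMPLE_DISABLESID)))
```

Running it leaves 1000001, 1000002 and 1000005 commented out: the two MS rules fall to the pcre: entry, 1000005 to the upper (inclusive) end of the range, while 1000003 and 1000004 are pulled back in because the still-enabled 1000006 needs the chain of flowbits they set.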
pulledpork-0.4.2.tar.gz latest hashes:
MD5SUM = d11b9d884f940a0df293718a4d4b3913
SHA256 = 3491b8c3c99c621cfd6467da2c43866f33ede1d096538e4a497cdf52b49ad677

Cheers,

JJC