<b>Security - The Global Perspective</b> (JJC)<br />
Fighting Cyber Terrorism, one n00b at a time!<br />
<br />
<b>Automated Teller Phone Phishing</b> (2011-10-31)<br />
Early this morning I was awakened by my ringing cell phone. When I answered it, I was greeted by an automated teller stating that my Wells Fargo debit card had been disabled. The cause was due to potentially fraudulent activity. This, of course, was highly worrisome, as I now cannot use my non-existent Wells Fargo debit card. Subsequently I hung up on the automated teller while swearing at it and throwing miscellaneous items around the bedroom.<br />
<br />
This was all well and good until I received another call a bit over 10 hours later stating the same thing. This time, though, I decided to play along. To play along, I had to enter a 1 to be immediately transferred to debit card security services. Upon selecting 1, the same automated teller stated that it would require four pieces of information from me to re-activate my card. The first was the last four of my social, duly entered as "6666". The next was the full 16 digits of my card. I could not get past this point, as the automated teller was checking for at least basic validity of the card. Note that I am prepared now, though, and have generated some bogus numbers that I will enter. I'll also record and post said recording.<br />
<br />
The automated teller clearly sounds like a generic Asterisk type. That said, I'm going to actually try to post some more useful security and BSD stuff!<br />
<br />
<b>PulledPork 0.6.0 the Smoking Pig, He's on Fire!</b> (2011-03-28)<br />
It has been some time since I posted anything at all; I had considered adding "relevant", but that's simply not true, since it's been dead air for a while.<br />
<br />
Having said this, I am pleased to announce <a href="http://pulledpork.googlecode.com/">PulledPork V 0.6.0 - the Smoking Pig</a> is finally released as of, well, right now!<br />
<br />
This version represents a decent amount of time spent improving the core of the tool to enhance speed, a large number of feature enhancements, and also a not insignificant number of bugfixes! A few quick notes before I copy and paste the changelog: if you are changing rule state by category in the drop|enable|disable config files, you will now need to prepend the category that you want to modify with <a href="http://emergingthreats.net/">ET-</a> or <a href="http://snort.org/vrt">VRT-</a> (depending on where the rules came from). Another item of note is that multiple rulesets are now fully supported, so there is no need to run two or more instances of <a href="http://pulledpork.googlecode.com/">PulledPork</a>. Last but certainly not least is the capability to ignore source files at a more granular level (plaintext, preproc, shared object or global).<br />
<br />
One more big feature enhancement that I would like to point out is the capability to create a backup/archive of your existing rules files, config files, or whatever else you want! kthx, moving on... <br />
<br />
Please be sure to read through the documentation THOROUGHLY; a couple of the above noted changes could affect your implementation and I don't want you to be terribly shocked by that. Plus, the things that you will need to update are trivial!<br />
<br />
The new <a href="http://pulledpork.googlecode.com/">PulledPork</a> can be downloaded at the following location:<br />
<a href="http://pulledpork.googlecode.com/files/pulledpork-0.6.0.tar.gz">http://pulledpork.googlecode.com/files/pulledpork-0.6.0.tar.gz </a><br />
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2<br />
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29<br />
Without further rambling on my part, the changelog notes:<br />
<br />
v0.6.0 the Smoking Pig<br />
<br />
<b>New Features / changes:</b><br />
<ul><li>Added -q command line switch to squelch everything except fatal errors</li>
<li>Code clean up for readability</li>
<li>Move debug output to allow for better debugging of actual variable values</li>
<li>Update config to allow for ssl from ET</li>
<li>Update config to allow for new snort rules gzip</li>
<li>Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).</li>
<li>Bug #50 - You can now create backups and archives of your existing config and rules files etc...</li>
<ul><li>This adds the PM requirement of File::Find</li>
</ul><li>Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)</li>
<li>Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files</li>
<li>Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.</li>
<li>Bug #63 - added sid MSG information to changelog output.</li>
<li>Added -k and -K options to allow for the writing of the original source file rather than one large output file.</li>
<li>Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for parallel ruleset operations. This also provides more granularity in that scenario, wherein the user can set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.</li>
<li>Added support for 500 errors, specifying that users should update their root cert store!</li>
</ul><b>Bug Fixes:</b><br />
<ul><li>Bug #39 - updated to allow for use of username:pass@proxy.url</li>
<li>Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified</li>
<li>Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded</li>
<li>Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)</li>
<li>Bug #46 - throw error if a config file that is specified does not exist </li>
<li>Bug #42 - Added OpenSUSE-11-3 to list</li>
<li>Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...</li>
<li>Bug #51 - Increased timeout value to 60 seconds</li>
<li>Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flowbits values to incorrectly be auto-enabled.</li>
<li>Bug #61 - Fixed so that .so rules are not touched!</li>
<li>Bug #67 - Fixed regex to allow for space between ( and msg.</li>
<li>Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing</li>
<li>Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.</li>
<li>Bug #62 - Added check for amd64 string during arch detection! </li>
</ul><br />
<b>Special Notes:</b><br />
<ul><li>Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user. And frankly, I don't understand it ;-)</li>
<li>Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!</li>
</ul> That should just about cover it for now. As always, I want to also thank the community for their support and feedback! If you have any questions, comments, concerns, or otherwise, then please feel free to hit me up in #snort or #pulledpork on <a href="http://freenode.net/">freenode</a>. You are also always welcome and encouraged to join the mailing list that can be found at <a href="http://groups.google.com/group/pulledpork-users/">http://groups.google.com/group/pulledpork-users/</a>. And of course you can also submit feedback / bugs / feature requests at <a href="http://pulledpork.googlecode.com/">http://pulledpork.googlecode.com</a>.<br />
<br />
Regards,<br />
JJC<br />
<br />
<b>Snort 2.9.0.2 on FreeBSD i386 the easy way!</b> (2010-12-08)<br />
This is a quick posting to help you get Snort 2.9.0.x up and running on your FreeBSD!<br />
<br />
I can't make it much easier than this: I have created new ports for Snort 2.9.0.2 and DAQ 0.4 (and subsequently packages) that you can install directly. The ports have been submitted, so look for the following in your ports tree:<br />
<br />
updated: /usr/ports/security/snort<br />
new: /usr/ports/security/daq<br />
<br />
<br />
Components required:<br />
<ul><li>Fresh FreeBSD Install</li>
<ul><li>Minimal (i386)</li>
</ul><li>Access to the internet from said BSD boxen</li>
<li>Basic knowledge of Snort</li>
</ul><div><br />
Once you have the above handled, you can issue the following command:</div><div>$ pkg_add -r http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz</div><div><br />
</div><div>Output from the command on a freshly installed FreeBSD Minimal system:</div><div><blockquote><span class="Apple-style-span" style="font-size: x-small;">$ pkg_add -r http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz</span></blockquote><blockquote><span class="Apple-style-span" style="font-size: x-small;">Fetching http://www.rootedyour.com/enhanced/snort/snort-2.9.0.2.tbz... Done.</span></blockquote><blockquote><span class="Apple-style-span" style="font-size: x-small;">Fetching http://www.rootedyour.com/enhanced/All/libpcap-1.1.1.tbz... Done.</span></blockquote><blockquote><span class="Apple-style-span" style="font-size: x-small;">Fetching http://www.rootedyour.com/enhanced/All/libdnet-1.11_3.tbz... Done.</span></blockquote><blockquote><span class="Apple-style-span" style="font-size: x-small;">Fetching http://www.rootedyour.com/enhanced/All/daq-0.4.tbz... Done.</span></blockquote><br />
Some checksums for your reviewing pleasure:<br />
<ul><li><span class="Apple-style-span" style="font-size: x-small;">MD5 (daq-0.4.tbz) = 249d2d79fc03eb2d4e2e133da505d146</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">MD5 (libdnet-1.11_3.tbz) = b861399b4710825419240a6443ec0eb9</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">MD5 (libpcap-1.1.1.tbz) = 678ec713419066c884ceda82ebcfe66f</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">MD5 (pcre-8.10.tbz) = 03cc8232b4ea9ecb968eb67211246f20</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">SHA256 (daq-0.4.tbz) = f8e60e09c0ab4acc1726f180b2e9d58c7f557b4736a3e53e137d8cb186d71984</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">SHA256 (libdnet-1.11_3.tbz) = 92f731313eea3867ab36ad789d938a66b83dda282e293a5a3d830f138c56b6f1</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">SHA256 (libpcap-1.1.1.tbz) = fe7991735055bb92bc38a2550d6428200eb7491e0152fa59d75db1569918c4a4</span></li>
<li><span class="Apple-style-span" style="font-size: x-small;">SHA256 (pcre-8.10.tbz) = e9517918174e4b569d9b4d1b3c902db529e0c3bd67a4a4ae7f1b830aac66e7b1</span></li>
</ul><div>The above packages were built with the following configuration options: --enable-dynamicplugin --enable-flexresp3 --enable-ipv6 --enable-gre --enable-targetbased --enable-decoder-preprocessor-rules --enable-zlib --enable-reload --enable-active-response --enable-normalizer --enable-react --enable-perfprofiling<br />
<br />
I will likely be updating the ports / packages, so keep an eye out!</div><div><br />
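The packages above are fetched over plain HTTP, so the listed hashes are the only thing tying what pkg_add installs to what was published. As an added example (not part of the original post or of the ports themselves), this POSIX sh script checks downloaded .tbz files against a manifest written in the same "SHA256 (file) = hash" form the post uses; the script name, directory layout and demo values are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check downloaded .tbz packages
# against a manifest in the BSD "SHA256 (name) = hash" form used above before
# they go anywhere near pkg_add. File names and the demo values are assumed.

# sha256_of FILE: print the hex SHA-256 digest using whichever tool the
# host has (sha256sum on Linux, sha256 on FreeBSD, openssl as a fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# verify_manifest MANIFEST DIR: for every "SHA256 (name) = hash" line in
# MANIFEST, hash DIR/name and compare. MD5 lines are deliberately skipped:
# a colliding MD5 is cheap to produce, so only the SHA-256 value is trusted.
# Prints one OK / FAIL / MISSING line per entry; returns 0 only if all OK.
verify_manifest() {
    vm_status=0
    while IFS= read -r vm_line; do
        case $vm_line in
            SHA256*) ;;
            *) continue ;;
        esac
        vm_name=${vm_line#"SHA256 ("}
        vm_name=${vm_name%%")"*}
        vm_expected=${vm_line##*"= "}
        if [ ! -f "$2/$vm_name" ]; then
            echo "MISSING $vm_name"
            vm_status=1
            continue
        fi
        vm_actual=$(sha256_of "$2/$vm_name")
        if [ "$vm_actual" = "$vm_expected" ]; then
            echo "OK      $vm_name"
        else
            echo "FAIL    $vm_name (got $vm_actual)"
            vm_status=1
        fi
    done < "$1"
    return $vm_status
}

# Usage: sh verify_tbz.sh manifest.txt /var/tmp/pkgs && pkg_add /var/tmp/pkgs/snort-2.9.0.2.tbz
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

Paste the post's SHA256 lines into manifest.txt next to the fetched .tbz files; a FAIL or MISSING line means nothing should be installed from that directory.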
</div><div>JJC</div></div><br />
<b>Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!</b> (2010-10-21)<br />
<div style="font-family: inherit;">This release of <a href="http://pulledpork.googlecode.com/">PulledPork</a> (The Drowning Rat) represents quite a bit of development: it adds a number of community-requested capabilities, changes a few existing ones around, and repairs some bugs! Again, I would like to thank the community for their support, contribution and use of the PulledPork <a href="http://www.snort.org/">Snort</a> rule management system. The next section is an excerpt from README.CHANGES; below it I may discuss some example use-cases and include some sample output.</div><div style="font-family: inherit;"><br />
</div><blockquote style="font-family: inherit;"><i>PulledPork Changelog<br />
<br />
v0.5.0<br />
<br />
New Features / changes:<br />
- Automatic VRT tarball name determination (based on local Snort Version)<br />
- Full support for ET Pro rulesets<br />
- Full support for new ET Download scheme<br />
- Issue #27 Modifysid capability<br />
- Capability to retrieve multiple rulesets in a single run<br />
- Issue #24 Added verbose output showing all requests, results and urls<br />
- Verbose output now shows percentage bar for downloads<br />
- Extra Verbose output now shows additional HTTP debug!<br />
- Set value in default.conf file to https for VRT downloads<br />
- Set UA Value to (PulledPork/X.X.X)<br />
- Capability to log critical information to syslog<br />
- Grabonly option, for those that only want to download the tarball(s)<br />
- Issue #34 Added the capability to specify the order of disable / enable / drop<br />
using the state_order configuration option in the master config file<br />
- Added a contrib directory<br />
- Added oink-conv.pl to contrib directory<br />
* converts oinkmaster config files to PP config files<br />
* Thx Russell Fulton!<br />
- Added README.CONTRIB to track contrib files (ohai manifest)<br />
- Perl Module Requirement Changes (SEE SECTION BELOW)<br />
- Issue #38 Added capability to extract reference docs from tarball and<br />
store in a defined path, NOTE this dramatically increases PP runtime<br />
* runtime value is -r<br />
<br />
Bug Fixes:<br />
- Should now correctly use environmentally set proxy settings<br />
* Shout to pkthound for his work and contribution here!<br />
- Fixed case where rules with multiple flowbit (un)?set values would not<br />
properly populate all of the flowbit values into the rules hash<br />
- Bug #29 - fixed to allow for proper sid-msg.map generation<br />
- Bug #28 - fixed numerous spellification issues<br />
- Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case<br />
<br />
<br />
Perl Module Requirement Changes:<br />
- LWP::Simple no longer required<br />
- LWP::UserAgent now required<br />
- HTTP::Request now required<br />
- HTTP::Status now required<br />
- Sys::Syslog now required<br />
- Crypt::SSLeay now required<br />
- Carp now required</i></blockquote><div style="font-family: inherit;"><br />
</div><div style="font-family: inherit;">As you can see, and as I had indicated, there are a number of significant improvements and fixes. It is important to note that there are a number of changes to the master config, including new and changed options, as well as the addition of the modifysid.conf file, which allows you to modify rules based on regular expression matches, etc.<br />
<br />
Of course, we also now fully support ET Pro and the new ET Open rules, as well as the capability to download multiple rulesets in a single run, rather than using multiple config files that reference other .rules files as local rules, etc. </div><div style="font-family: inherit;"><br />
</div><div style="font-family: inherit;">One other seemingly insignificant change is the capability to change the order in which the rule modification routines run, which means that you can control rule state more granularly. The default processing order is (enable, drop, disable); this can now be changed to allow, for example, disabling all rules in a specific category (or however you choose to select them) and then selectively enabling rules out of that category, simply by changing the run order to disable,drop,enable. Of course, combining this with the pcre, category, modifysid, etc. capabilities gives you quite a bit of versatility.</div><div style="font-family: inherit;"><br />
</div><div style="font-family: inherit;">So, without further ado, I give you:</div><blockquote style="font-family: inherit;"> http://code.google.com/p/pulledpork/<br />
_____ ____<br />
`----,\ )<br />
`--==\\ / PulledPork v0.5.0 The Drowning Rat<br />
`--==\\/<br />
.-~~~~-.Y|\\_ Copyright (C) 2009-2010 JJ Cummings<br />
@_/ / 66\_ cummingsj@gmail.com<br />
| \ \ _(")<br />
\ /-| ||'--' Rules give me wings!<br />
\_\ \_\\<br />
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />
<br />
Checking latest MD5 for snortrules-snapshot-2861.tar.gz....<br />
They Match<br />
Done!<br />
Prepping rules from snortrules-snapshot-2861.tar.gz for work....<br />
Done!<br />
Checking latest MD5 for etpro.rules.tar.gz....<br />
They Match<br />
Done!<br />
Prepping rules from etpro.rules.tar.gz for work....<br />
Done!<br />
Checking latest MD5 for emerging.rules.tar.gz....<br />
They Match<br />
Done!<br />
Prepping rules from emerging.rules.tar.gz for work....<br />
Done!<br />
Reading rules...<br />
Reading rules...<br />
Activating security rulesets....<br />
Done<br />
Setting Flowbit State....<br />
Enabled 264 flowbits<br />
Enabled 29 flowbits<br />
Enabled 4 flowbits<br />
Enabled 2 flowbits<br />
Done<br />
Writing /home/jj/snort.rules....<br />
Done<br />
Generating sid-msg.map....<br />
Done<br />
Writing /home/jj/sid-msg.map....<br />
Done<br />
Writing /home/jj/sid_changes.log....<br />
Done<br />
Rule Stats....<br />
New:-------0<br />
Deleted:---0<br />
Enabled Rules:----4506<br />
Dropped Rules:----0<br />
Disabled Rules:---17797<br />
Total Rules:------22303<br />
Done<br />
Please review /var/log/sid_changes.log for additional details<br />
Fly Piggy Fly!</blockquote><div style="font-family: inherit;">Bah, Paste chopped my flying pig up ;-) </div><div style="font-family: inherit;"><br />
</div><div style="font-family: inherit;">Get it here:</div><div style="font-family: inherit;"><a href="http://pulledpork.googlecode.com/files/pulledpork-0.5.0.tar.gz" rel="nofollow">pulledpork-0.5.0.tar.gz</a> latest hashes:<br />
MD5SUM = 60c0abe78945876c643760b3bb2afdb6<br />
SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872</div><div style="font-family: inherit;"><br />
</div><div style="font-family: inherit;">Cheers,</div><div style="font-family: inherit;">JJC</div><br />
<b>Snort 2.9.0 is teh outed, must haz bakon!!</b> (2010-10-04)<br />
Snort 2.9.0 introduces:<br />
<ul><li>Feature-rich IPS mode, including improvements to Stream for inline deployments. Additionally, a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization, allowing Snort to interpret a packet the same way as the receiving host.</li>
<li>Use of a Data Acquisition API (DAQ) that supports many different packet access methods, including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.</li>
<li>Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.</li>
<li>A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.</li>
<li>Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.</li>
<li>Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.</li>
<li>Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.</li>
<li>Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.</li>
<li>Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.</li>
<li>Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.</li>
</ul>Snort 2.9.0 is now available at <a href="http://www.snort.org/snort-downloads">http://www.snort.org/snort-downloads</a>. Please see the Release Notes and ChangeLog for more details.<br />
<br />
<b>The Pig Doktah is Born! - A Snort Performance Monitor Interpretation Tool</b> (2010-09-08)<br />
After receiving a variety of feedback via email, IRC, Twitter and even some comments on this blog, I have decided to start an updated and maintained project to parse, display, and ultimately make configuration / tuning suggestions based on the Snort performance monitor output. As you may have guessed by now, this tool is called the Pig Doktah and can be found at <a href="http://thepigdoktah.googlecode.com/">http://thepigdoktah.googlecode.com</a>. The current version reads Snort performance monitor output and stores it in a hash for quick access, sorting, etc.<br />
<br />
I am still quite interested in what specific metrics people are most interested in, so please don't hesitate to hit me up via comment on this blog, IRC (freenode - #snort), email, or <a href="http://twitter.com/enhancedx">Twitter</a>.<br />
<br />
During the development, and for the foreseeable future, I will have the latest version of the code sending output to this location on an hourly basis: <a href="http://rootedyour.com/enhanced/pminfo.htm">http://rootedyour.com/enhanced/pminfo.htm</a><br />
<br />
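As an added example (not the Pig Doktah's own code), here is a POSIX sh / awk function that produces the same high and low (each with the interval it occurred in) and average summary the report below shows for one perfmonitor column, plus a packet-loss check of the kind the tool is meant to drive tuning from. The CSV column names, epoch timestamps and values are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the Pig Doktah's own code): summarise one column of snort
# perfmonitor CSV output the way the report below does (high and low with the
# interval they occurred in, plus the average). perfmonitor writes a "#" header
# naming the columns and one row per interval whose first field is a Unix
# timestamp; the column names, timestamps and values here are constructed.

# write_sample FILE: drop a constructed four-interval perfmonitor file at FILE.
write_sample() {
    cat > "$1" <<'EOF'
#time,pkt_drop_percent,wire_mbits_per_sec,avg_bytes_per_wire_packet
1283355245,0.000,0.500,640
1283441645,2.000,4.250,810
1283528045,10.504,10.613,990
1283614445,0.496,0.637,720
EOF
}

# metric_stats FILE COLUMN: print
#   high=<v> high_time=<epoch> low=<v> low_time=<epoch> avg=<v>
# for COLUMN. The column is located by header name, not position, so the
# function keeps working when a perfmonitor build adds or reorders columns.
# Returns 1 (and prints to stderr) if the column is absent or has no rows.
metric_stats() {
    awk -F, -v col="$2" '
        /^#/ {                                # header: find the column index
            sub(/^#/, "", $1)
            for (i = 1; i <= NF; i++) if ($i == col) idx = i
            next
        }
        idx == 0 || NF < idx { next }         # unknown column or short row
        {
            v = $idx + 0
            if (n == 0 || v > high) { high = v; high_t = $1 }
            if (n == 0 || v < low)  { low = v;  low_t = $1 }
            sum += v; n++
        }
        END {
            if (n == 0) { print "no data for column " col > "/dev/stderr"; exit 1 }
            printf "high=%.3f high_time=%s low=%.3f low_time=%s avg=%.3f\n",
                   high, high_t, low, low_t, sum / n
        }' "$1"
}

# drop_alert FILE THRESHOLD: the tuning signal the post is after. Prints WARN
# and returns 1 when average packet loss exceeds THRESHOLD percent, else OK.
drop_alert() {
    da_stats=$(metric_stats "$1" pkt_drop_percent) || return 2
    da_avg=${da_stats##*avg=}
    if awk -v a="$da_avg" -v t="$2" 'BEGIN { exit !(a > t) }'; then
        echo "WARN average packet loss ${da_avg}% exceeds ${2}% ($da_stats)"
        return 1
    fi
    echo "OK average packet loss ${da_avg}%"
}

# Usage: sh pigstats.sh /var/tmp/snortstat pkt_drop_percent
if [ "$#" -ge 1 ]; then
    metric_stats "$1" "${2:-pkt_drop_percent}"
else
    ps_tmp=$(mktemp) && write_sample "$ps_tmp"
    metric_stats "$ps_tmp" wire_mbits_per_sec
    drop_alert "$ps_tmp" 1.0 || true
    rm -f "$ps_tmp"
fi
```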
Sample output:<br />
<blockquote><span style="font-size: x-small;">-= Tha Pig Doktah 0.1 Dev =-<br />
Copyright (C) 2010 JJ Cummings<br />
<br />
Report Info:<br />
Processed: /var/tmp/snortstat<br />
First Entry: Wed Sep 1 11:34:05 2010<br />
Last Entry: Wed Sep 8 09:00:17 2010<br />
Time Span: 6 days, 21 hours, 26 minutes and 12 seconds<br />
<br />
Wirespeed:<br />
High: 10.613 Mbits/Sec | Sat Sep 4 07:59:48 2010<br />
Low: 0.006 Mbits/Sec | Sat Sep 4 07:12:47 2010<br />
Avg: 1.953 Mbits/Sec<br />
<br />
% Packet Loss:<br />
High: 10.504% | Sat Sep 4 03:00:00 2010<br />
Low: 0.000% | Wed Sep 8 08:41:27 2010<br />
Avg: 1.002%<br />
<br />
Additional Info:<br />
Avg Pkt Size: 803.413 bytes<br />
Avg Syns/Sec: 0.181<br />
Avg SynAcks/Sec: 0.124<br />
Avg Alerts/Sec: 0.001<br />
Avg Current Cached Sessions: 6671.668<br />
<br />
Raw Values:<br />
alerts avg = 0.001<br />
alerts high = 0.032<br />
alerts high_date = Wed Sep 1 12:32:57 2010<br />
alerts low = 0.000<br />
alerts low_date = Wed Sep 8 09:00:17 2010<br />
attrib_hosts_current avg = 0.000<br />
attrib_hosts_current high = 0.000<br />
attrib_hosts_current high_date = Wed Sep 8 09:00:17 2010<br />
attrib_hosts_current low = 0.000<br />
attrib_hosts_current low_date = Wed Sep 8 09:00:17 2010<br />
attrib_reloads avg = 0.000<br />
attrib_reloads high = 0<br />
attrib_reloads high_date = Wed Sep 8 09:00:17 2010<br />
attrib_reloads low = 0<br />
attrib_reloads low_date = Wed Sep 8 09:00:17 2010<br />
bytes_applayer avg = 0.252<br />
bytes_applayer high = 1.352<br />
bytes_applayer high_date = Sat Sep 4 07:59:48 2010<br />
bytes_applayer low = 0.006<br />
bytes_applayer low_date = Tue Sep 7 09:13:56 2010<br />
bytes_ipfrag avg = 0.000<br />
bytes_ipfrag high = 0<br />
bytes_ipfrag high_date = Wed Sep 8 09:00:17 2010<br />
bytes_ipfrag low = 0<br />
bytes_ipfrag low_date = Wed Sep 8 09:00:17 2010<br />
bytes_ipreass avg = 2279.291<br />
bytes_ipreass high = 3660<br />
bytes_ipreass high_date = Thu Sep 2 13:47:36 2010<br />
bytes_ipreass low = 368<br />
bytes_ipreass low_date = Thu Sep 2 10:22:15 2010<br />
bytes_tcprebuilt avg = 892.669<br />
bytes_tcprebuilt high = 1458<br />
bytes_tcprebuilt high_date = Sun Sep 5 15:19:06 2010<br />
bytes_tcprebuilt low = 136<br />
bytes_tcprebuilt low_date = Sat Sep 4 00:58:27 2010<br />
cpu1_idle avg = 95.767<br />
cpu1_idle high = 99.977<br />
cpu1_idle high_date = Sat Sep 4 00:58:27 2010<br />
cpu1_idle low = 69.943<br />
cpu1_idle low_date = Tue Sep 7 06:20:11 2010<br />
cpu1_sys avg = 0.051<br />
cpu1_sys high = 0.287<br />
cpu1_sys high_date = Sat Sep 4 07:59:48 2010<br />
cpu1_sys low = 0.000<br />
cpu1_sys low_date = Wed Sep 8 08:07:19 2010<br />
cpu1_user avg = 4.183<br />
cpu1_user high = 29.860<br />
cpu1_user high_date = Tue Sep 7 06:20:11 2010<br />
cpu1_user low = 0.023<br />
cpu1_user low_date = Sat Sep 4 00:58:27 2010<br />
cpu_count avg = 1.000<br />
cpu_count high = 1<br />
cpu_count high_date = Wed Sep 8 09:00:17 2010<br />
cpu_count low = 1<br />
cpu_count low_date = Wed Sep 8 09:00:17 2010<br />
drops avg = 1.002<br />
drops high = 10.504<br />
drops high_date = Sat Sep 4 03:00:00 2010<br />
drops low = 0.000<br />
drops low_date = Wed Sep 8 08:41:27 2010<br />
filtered_tcp avg = 3790.598<br />
filtered_tcp high = 45608<br />
filtered_tcp high_date = Tue Sep 7 09:24:12 2010<br />
filtered_tcp low = 85<br />
filtered_tcp low_date = Wed Sep 1 11:50:25 2010<br />
filtered_udp avg = 3790.598<br />
filtered_udp high = 45608<br />
filtered_udp high_date = Tue Sep 7 09:24:12 2010<br />
filtered_udp low = 85<br />
filtered_udp low_date = Wed Sep 1 11:50:25 2010<br />
frag_auto avg = 0.000<br />
frag_auto high = 0.000<br />
frag_auto high_date = Wed Sep 8 09:00:17 2010<br />
frag_auto low = 0.000<br />
frag_auto low_date = Wed Sep 8 09:00:17 2010<br />
frag_complete avg = 0.000<br />
frag_complete high = 0.000<br />
frag_complete high_date = Wed Sep 8 09:00:17 2010<br />
frag_complete low = 0.000<br />
frag_complete low_date = Wed Sep 8 09:00:17 2010<br />
frag_current avg = 0.000<br />
frag_current high = 0<br />
frag_current high_date = Wed Sep 8 09:00:17 2010<br />
frag_current low = 0<br />
frag_current low_date = Wed Sep 8 09:00:17 2010<br />
frag_delete avg = 0.000<br />
frag_delete high = 0.000<br />
frag_delete high_date = Wed Sep 8 09:00:17 2010<br />
frag_delete low = 0.000<br />
frag_delete low_date = Wed Sep 8 09:00:17 2010<br />
frag_faults avg = 0.000<br />
frag_faults high = 0<br />
frag_faults high_date = Wed Sep 8 09:00:17 2010<br />
frag_faults low = 0<br />
frag_faults low_date = Wed Sep 8 09:00:17 2010<br />
frag_flushes avg = 0.000<br />
frag_flushes high = 0.000<br />
frag_flushes high_date = Wed Sep 8 09:00:17 2010<br />
frag_flushes low = 0.000<br />
frag_flushes low_date = Wed Sep 8 09:00:17 2010<br />
frag_insert avg = 0.000<br />
frag_insert high = 0.000<br />
frag_insert high_date = Wed Sep 8 09:00:17 2010<br />
frag_insert low = 0.000<br />
frag_insert low_date = Wed Sep 8 09:00:17 2010<br />
frag_max avg = 0.000<br />
frag_max high = 0<br />
frag_max high_date = Wed Sep 8 09:00:17 2010<br />
frag_max low = 0<br />
frag_max low_date = Wed Sep 8 09:00:17 2010<br />
frag_new avg = 0.000<br />
frag_new high = 0.000<br />
frag_new high_date = Wed Sep 8 09:00:17 2010<br />
frag_new low = 0.000<br />
frag_new low_date = Wed Sep 8 09:00:17 2010<br />
frag_timeout avg = 0.000<br />
frag_timeout high = 0<br />
frag_timeout high_date = Wed Sep 8 09:00:17 2010<br />
frag_timeout low = 0<br />
frag_timeout low_date = Wed Sep 8 09:00:17 2010<br />
kpkts_applayer avg = 121425.178<br />
kpkts_applayer high = 444882<br />
kpkts_applayer high_date = Thu Sep 2 22:42:20 2010<br />
kpkts_applayer low = 5738<br />
kpkts_applayer low_date = Wed Sep 1 18:55:09 2010<br />
kpkts_ipfrag avg = 0.000<br />
kpkts_ipfrag high = 0.000<br />
kpkts_ipfrag high_date = Wed Sep 8 09:00:17 2010<br />
kpkts_ipfrag low = 0.000<br />
kpkts_ipfrag low_date = Wed Sep 8 09:00:17 2010<br />
kpkts_ipreass avg = 0.022<br />
kpkts_ipreass high = 0.366<br />
kpkts_ipreass high_date = Tue Sep 7 06:20:11 2010<br />
kpkts_ipreass low = 0.000<br />
kpkts_ipreass low_date = Wed Sep 8 08:31:29 2010<br />
kpkts_iptcprebuilt avg = 0.273<br />
kpkts_iptcprebuilt high = 1.646<br />
kpkts_iptcprebuilt high_date = Thu Sep 2 22:42:20 2010<br />
kpkts_iptcprebuilt low = 0.006<br />
kpkts_iptcprebuilt low_date = Tue Sep 7 09:13:56 2010<br />
kpkts_wire avg = 0.252<br />
kpkts_wire high = 1.352<br />
kpkts_wire high_date = Sat Sep 4 07:59:48 2010<br />
kpkts_wire low = 0.006<br />
kpkts_wire low_date = Tue Sep 7 09:13:56 2010<br />
mbits_applayer avg = 803.413<br />
mbits_applayer high = 1009<br />
mbits_applayer high_date = Sat Sep 4 08:09:48 2010<br />
mbits_applayer low = 120<br />
mbits_applayer low_date = Mon Sep 6 05:52:07 2010<br />
mbits_ipfrag avg = 2.434<br />
mbits_ipfrag high = 17.685<br />
mbits_ipfrag high_date = Tue Sep 7 06:20:11 2010<br />
mbits_ipfrag low = 0.007<br />
mbits_ipfrag low_date = Mon Sep 6 17:12:03 2010<br />
mbits_ipreass avg = 0.000<br />
mbits_ipreass high = 0.000<br />
mbits_ipreass high_date = Wed Sep 8 09:00:17 2010<br />
mbits_ipreass low = 0.000<br />
mbits_ipreass low_date = Wed Sep 8 09:00:17 2010<br />
mbits_tcprebuilt avg = 0.482<br />
mbits_tcprebuilt high = 8.324<br />
mbits_tcprebuilt high_date = Tue Sep 7 06:20:11 2010<br />
mbits_tcprebuilt low = 0.000<br />
mbits_tcprebuilt low_date = Tue Sep 7 01:11:34 2010<br />
mbps_snort avg = 0.000<br />
mbps_snort high = 0<br />
mbps_snort high_date = Wed Sep 8 09:00:17 2010<br />
mbps_snort low = 0<br />
mbps_snort low_date = Wed Sep 8 09:00:17 2010<br />
mbps_wire avg = 1.953<br />
mbps_wire high = 10.613<br />
mbps_wire high_date = Sat Sep 4 07:59:48 2010<br />
mbps_wire low = 0.006<br />
mbps_wire low_date = Sat Sep 4 07:12:47 2010<br />
patmatch avg = 320.575<br />
patmatch high = 556.312<br />
patmatch high_date = Sun Sep 5 19:37:37 2010<br />
patmatch low = 2.946<br />
patmatch low_date = Wed Sep 8 07:11:52 2010<br />
pktbytes avg = 803.413<br />
pktbytes high = 1009<br />
pktbytes high_date = Sat Sep 4 08:09:48 2010<br />
pktbytes low = 120<br />
pktbytes low_date = Mon Sep 6 05:52:07 2010<br />
pkts_blocked avg = 0.229<br />
pkts_blocked high = 14.322<br />
pkts_blocked high_date = Sun Sep 5 20:50:12 2010<br />
pkts_blocked low = 0.109<br />
pkts_blocked low_date = Sat Sep 4 01:34:34 2010<br />
pkts_dropped avg = 0.000<br />
pkts_dropped high = 0<br />
pkts_dropped high_date = Wed Sep 8 09:00:17 2010<br />
pkts_dropped low = 0<br />
pkts_dropped low_date = Wed Sep 8 09:00:17 2010<br />
pkts_dropped_percentage avg = 0.172<br />
pkts_dropped_percentage high = 9.096<br />
pkts_dropped_percentage high_date = Sun Sep 5 20:50:12 2010<br />
pkts_dropped_percentage low = 0.003<br />
pkts_dropped_percentage low_date = Wed Sep 1 11:50:25 2010<br />
pkts_total avg = 2106.252<br />
pkts_total high = 38320<br />
pkts_total high_date = Thu Sep 2 22:42:20 2010<br />
pkts_total low = 0<br />
pkts_total low_date = Wed Sep 8 08:41:27 2010<br />
sessions_close avg = 0.000<br />
sessions_close high = 0.000<br />
sessions_close high_date = Wed Sep 8 09:00:17 2010<br />
sessions_close low = 0.000<br />
sessions_close low_date = Wed Sep 8 09:00:17 2010<br />
sessions_closed avg = 1024.846<br />
sessions_closed high = 2980<br />
sessions_closed high_date = Mon Sep 6 12:37:55 2010<br />
sessions_closed low = 2<br />
sessions_closed low_date = Wed Sep 1 11:34:05 2010<br />
sessions_cur avg = 6671.668<br />
sessions_cur high = 8173<br />
sessions_cur high_date = Sun Sep 5 21:10:31 2010<br />
sessions_cur low = 51<br />
sessions_cur low_date = Wed Sep 1 11:34:05 2010<br />
sessions_del avg = 0.177<br />
sessions_del high = 3.055<br />
sessions_del high_date = Mon Sep 6 05:52:07 2010<br />
sessions_del low = 0.000<br />
sessions_del low_date = Sun Sep 5 19:53:29 2010<br />
sessions_dropped avg = 0.001<br />
sessions_dropped high = 0.006<br />
sessions_dropped high_date = Wed Sep 1 11:50:25 2010<br />
sessions_dropped low = 0.000<br />
sessions_dropped low_date = Wed Sep 8 09:00:17 2010<br />
sessions_est avg = 0.376<br />
sessions_est high = 11.686<br />
sessions_est high_date = Sun Sep 5 20:50:12 2010<br />
sessions_est low = 0.003<br />
sessions_est low_date = Wed Sep 1 11:50:25 2010<br />
sessions_init avg = 0.001<br />
sessions_init high = 0.174<br />
sessions_init high_date = Tue Sep 7 18:18:34 2010<br />
sessions_init low = 0.000<br />
sessions_init low_date = Wed Sep 8 08:46:27 2010<br />
sessions_max avg = 0.000<br />
sessions_max high = 0.000<br />
sessions_max high_date = Wed Sep 8 09:00:17 2010<br />
sessions_max low = 0.000<br />
sessions_max low_date = Wed Sep 8 09:00:17 2010<br />
sessions_midstream avg = 6703.818<br />
sessions_midstream high = 8175<br />
sessions_midstream high_date = Sun Sep 5 21:03:29 2010<br />
sessions_midstream low = 51<br />
sessions_midstream low_date = Wed Sep 1 11:34:05 2010<br />
sessions_new avg = 0.165<br />
sessions_new high = 3.062<br />
sessions_new high_date = Mon Sep 6 05:52:07 2010<br />
sessions_new low = 0.016<br />
sessions_new low_date = Fri Sep 3 20:12:36 2010<br />
sessions_pruned avg = 579.871<br />
sessions_pruned high = 953<br />
sessions_pruned high_date = Sun Sep 5 08:30:47 2010<br />
sessions_pruned low = 3<br />
sessions_pruned low_date = Wed Sep 1 11:50:25 2010<br />
sessions_timedout avg = 5066.950<br />
sessions_timedout high = 7586<br />
sessions_timedout high_date = Sun Sep 5 21:22:42 2010<br />
sessions_timedout low = 31<br />
sessions_timedout low_date = Wed Sep 1 11:34:05 2010<br />
sessions_udp_cachedSsns_sec avg = 0.000<br />
sessions_udp_cachedSsns_sec high = 0<br />
sessions_udp_cachedSsns_sec high_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cachedSsns_sec low = 0<br />
sessions_udp_cachedSsns_sec low_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cached_current avg = 0.000<br />
sessions_udp_cached_current high = 0.000<br />
sessions_udp_cached_current high_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cached_current low = 0.000<br />
sessions_udp_cached_current low_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cached_max avg = 0.000<br />
sessions_udp_cached_max high = 0<br />
sessions_udp_cached_max high_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cached_max low = 0<br />
sessions_udp_cached_max low_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cached_sec avg = 0.000<br />
sessions_udp_cached_sec high = 0<br />
sessions_udp_cached_sec high_date = Wed Sep 8 09:00:17 2010<br />
sessions_udp_cached_sec low = 0<br />
sessions_udp_cached_sec low_date = Wed Sep 8 09:00:17 2010<br />
stream_fault avg = 13.182<br />
stream_fault high = 59<br />
stream_fault high_date = Wed Sep 8 05:04:52 2010<br />
stream_fault low = 0<br />
stream_fault low_date = Wed Sep 8 00:51:37 2010<br />
stream_flush avg = 21.526<br />
stream_flush high = 365.535<br />
stream_flush high_date = Tue Sep 7 06:20:11 2010<br />
stream_flush low = 0.013<br />
stream_flush low_date = Thu Sep 2 05:44:59 2010<br />
stream_timeout avg = 239.842<br />
stream_timeout high = 3578<br />
stream_timeout high_date = Sun Sep 5 20:50:12 2010<br />
stream_timeout low = 1<br />
stream_timeout low_date = Wed Sep 1 11:50:25 2010<br />
synacks avg = 0.124<br />
synacks high = 2.771<br />
synacks high_date = Mon Sep 6 12:42:56 2010<br />
synacks low = 0.006<br />
synacks low_date = Sat Sep 4 00:58:27 2010<br />
syns avg = 0.181<br />
syns high = 6.072<br />
syns high_date = Mon Sep 6 05:52:07 2010<br />
syns low = 0.019<br />
syns low_date = Fri Sep 3 20:12:36 2010</span></blockquote><div class="separator" style="clear: both; text-align: center;"><a href="http://rootedyour.com/enhanced/mbps.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://rootedyour.com/enhanced/mbps.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://rootedyour.com/enhanced/syns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="http://rootedyour.com/enhanced/syns.png" width="400" /></a></div>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-14746209531927781502010-09-01T19:11:00.009-04:002010-09-02T00:39:37.041-04:00Snort Performance Stats Tool InfoI have noticed that there are not a ton of tools out there (definitely not many currently maintained) that can be used to parse the information from the snort performance monitor. As such, I am considering writing one and wanted to see what the interest would be. If there is indeed interest, then I would also like to know what format(s) and types of information would be most useful to the community. Of course I know what will be useful to myself, and will likely be writing about that in the near future. For now, here is some sample output from a quick perl parser that I wrote today.<br />
<br />
<blockquote>$ ./pminfo.pl /var/tmp/snortstat <br />
<br />
-= Tha Pig Doktah 0.1 Dev =-<br />
Copyright (C) 2010 JJ Cummings<br />
<br />
Report Info:<br />
Processed: /var/tmp/snortstat<br />
First Entry: Wed Sep 1 11:34:05 2010<br />
Last Entry: Wed Sep 1 22:27:47 2010<br />
Time Span: 0 days, 10 hours, 53 minutes and 42 seconds<br />
<br />
Wirespeed:<br />
High: 6.683 Mbits/Sec | Wed Sep 1 12:54:00 2010<br />
Low: 0.007 Mbits/Sec | Wed Sep 1 18:14:18 2010<br />
Avg: 0.276 Mbits/Sec<br />
<br />
% Packet Loss:<br />
High: 3.817% | Wed Sep 1 20:13:39 2010<br />
Low: 0.000% | Wed Sep 1 22:22:47 2010<br />
Avg: 0.095%<br />
<br />
Additional Info:<br />
Avg Pkt Size: 363 bytes<br />
Avg Syns/Sec: 0.153<br />
Avg SynAcks/Sec: 0.105<br />
Avg Alerts/Sec: 0.001<br />
Avg Current Cached Sessions: 2326</blockquote><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih8qvwqGz5Jg_AtUnP1sDAIWxUo-fsUMIxxU-fpq0XNCahU_5Kcmu8ZRu6k1FSjLm7xfRTsKO4i1aC27oILy_yw8XfCP16ofP7xqT8s0kz3OoSx3k4JXn8qNKhJpCD6iLMvhPzj_PYQ7I/s1600/file.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih8qvwqGz5Jg_AtUnP1sDAIWxUo-fsUMIxxU-fpq0XNCahU_5Kcmu8ZRu6k1FSjLm7xfRTsKO4i1aC27oILy_yw8XfCP16ofP7xqT8s0kz3OoSx3k4JXn8qNKhJpCD6iLMvhPzj_PYQ7I/s400/file.png" width="400" /></a></div><br />
Obviously this was only a quick test and does not include all of the important pieces of data. Please feel free to hit me up in #snort (on freenode), <a href="http://twitter.com/enhancedx">twitter</a>, email (if'n you knows it), or post a comment here.<br />
<br />
Cheers,<br />
JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com2tag:blogger.com,1999:blog-3486144322043340030.post-46996110183583410842010-07-01T13:50:00.000-04:002010-07-01T13:50:18.599-04:00PulledPork 0.4.2 501 error when downloading rules<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguBzggqULga3tuGjwk0n__xV-1_RwRzP-Gcf7iw3N80Xsr0m4QDTp-VI8unGi8Us3sxeSf46zdy2MVJv0VsZ2nok3O75zu_VMGPLuDZg7bid4ms5D-b8Ke1yGaRyT7ewzwtYpX8Q9oLWQ/s1600/lameuntuwy3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguBzggqULga3tuGjwk0n__xV-1_RwRzP-Gcf7iw3N80Xsr0m4QDTp-VI8unGi8Us3sxeSf46zdy2MVJv0VsZ2nok3O75zu_VMGPLuDZg7bid4ms5D-b8Ke1yGaRyT7ewzwtYpX8Q9oLWQ/s320/lameuntuwy3.jpg" width="320" /></a>This issue most typically stems from a missing Perl Module that is required to communicate via SSL using <a href="http://search.cpan.org/%7Egaas/libwww-perl-5.836/lib/LWP/Simple.pm">LWP::Simple</a>. This required Perl Module is <a href="http://search.cpan.org/%7Edland/Crypt-SSLeay-0.57/SSLeay.pm">Crypt::SSLeay</a> and is not included in the <a href="http://search.cpan.org/%7Egaas/libwww-perl-5.836/lib/LWP/Simple.pm">LWP::Simple</a> redistributed package from the Ubuntu 8.x repositories, and will typically fail to install via CPAN on many Ubuntu server installations. As such you simply need to do the following (on Ubuntu, since this is the only place I have seen it broken):<br />
<br />
sudo apt-get install libcrypt-ssleay-perl<br />
<br />
Of course if you are not running Ubuntu then you will need to use <a href="http://search.cpan.org/">CPAN</a> or find whatever repackaged garbage that your distro is using to distribute this ;-).<br />
<br />
One other cause could be that your root certificates are outdated, so if you have the aforementioned Perl module installed and are still receiving a 501, this is likely the cause... google how to update your root certificates for your distro! Again, for the sake of completeness, this is how you do it on Ubuntu:<br />
<br />
sudo apt-get install ca-certificates<br />
sudo update-ca-certificates<br />
<br />
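An added check (example code, not pulledpork's own) that asks LWP to fetch an HTTPS URL and maps the outcome onto the two causes above: a 501 with no loadable SSL module points at the missing Crypt::SSLeay, a certificate error points at outdated root certificates. The URL is an assumption; any HTTPS host the machine may reach will do.<br />

```perl
#!/usr/bin/perl
# Added example, not pulledpork's own code: test whether this Perl install can
# talk HTTPS through LWP and map a failure onto the two causes in the post.
use strict;
use warnings;
use LWP::UserAgent;

# Returns a one-line diagnosis for fetching $url over HTTPS.
sub check_https {
    my ($url) = @_;

    # Can any SSL backend for LWP be loaded? Crypt::SSLeay is the one the post
    # names; IO::Socket::SSL is what newer LWP releases use instead.
    my $have_ssl = eval { require Crypt::SSLeay;   1 }
                || eval { require IO::Socket::SSL; 1 };

    my $ua  = LWP::UserAgent->new(timeout => 15);
    my $res = $ua->head($url);
    return "ok: $url is reachable over HTTPS" if $res->is_success;

    my $why = $res->status_line;   # e.g. 501 Protocol scheme 'https' is not supported
    if ($res->code == 501 && !$have_ssl) {
        return "$why -> LWP has no SSL support; install Crypt::SSLeay "
             . "(sudo apt-get install libcrypt-ssleay-perl on Ubuntu)";
    }
    if ($why =~ /certif/i) {
        return "$why -> the server certificate is not trusted; update the root "
             . "certificates (sudo apt-get install ca-certificates; sudo update-ca-certificates)";
    }
    return "$why -> SSL support is present, so check the root certificates next";
}

# Assumed URL: any HTTPS host this machine is allowed to reach will do.
print check_https('https://www.snort.org/'), "\n";
```
<br />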
I have also added this to the <a href="http://code.google.com/p/pulledpork/wiki/FAQ">PP FAQ</a>.<br />
<br />
Cheers,<br />
JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-83025169375308443492010-06-29T17:12:00.006-04:002010-07-01T13:52:22.593-04:00PulledPork 0.4.2 - get it while it's hawt!<span style="font-size: small;">This release represents a number of significant enhancements and features (all listed below). Probably the most important to note is the change of delimiter from | to : when modifying rule state. We also now automatically determine the Snort version and OS arch. One of the most useful features, IMHO, is the pcre: rule state modification capability.. see the rule modification configs for more details... but let's say that I wanted to disable ALL MSXX rules because I run a strictly *nix environment... simply place something like pcre:MS\d{2}-\d+ into the disablesid.conf and use that file by specifying -i.<br />
<br />
As noted below, there are MANY other changes, fixes, and additions so please don't hesitate to ask questions in irc (freenode #pulledpork) or on the </span> <span style="font-size: small;"><a href="http://groups.google.com/group/pulledpork-users">mailing list</a>.<br />
<br />
get it here -> </span> <span style="font-size: small;"><a href="http://code.google.com/p/pulledpork">http://code.google.com/p/pulledpork</a><br />
<br />
v0.4.2</span> <span style="font-size: small;"><br />
<br />
New Features / changes: </span><br />
<ul><li><span style="font-size: small;">Capability to modify rules by category (See README.CATEGORIES) </span></li>
<li><span style="font-size: small;">Capability to modify rules using regular expressions (pcre:) - See sid modification configs </span></li>
<li><span style="font-size: small;">Capability to use regular expressions in specific rule modifications - See sid modification configs </span></li>
<li><span style="font-size: small;">Changed the | delimiter for cve,bugtraq etc to : </span></li>
<li><span style="font-size: small;">Added README.CATEGORIES </span></li>
<li><span style="font-size: small;">Added README.SHAREDOBJECTS </span></li>
<li><span style="font-size: small;">Follow flowbit chains </span></li>
<li><span style="font-size: small;">Moved README files to doc </span></li>
<li><span style="font-size: small;">Automatically determine arch </span></li>
<li><span style="font-size: small;">Automatically determine Snort Version </span></li>
<li><span style="font-size: small;">Added some verbiage surrounding HUP vs Restart vs When/where/who and how </span></li>
<li><span style="font-size: small;">Added support for new snort.org download scheme of <a href="http://snort.org/reg-rules">http://snort.org/reg-rules</a>... </span></li>
</ul><span style="font-size: small;">Bug Fixes: </span><br />
<ul><li><span style="font-size: small;">Certain rule-specific GID values were not being properly parsed by the modifysid sub. </span></li>
<li><span style="font-size: small;"><a href="http://www.blogger.com/p/pulledpork/issues/detail?id=20"> Bug #20 </a> fixed: ranges no longer enable one additional rule (off by +1) </span></li>
<li><span style="font-size: small;">Enhancement request #21: added more descriptive information to dropsid.conf and to README </span></li>
<li><span style="font-size: small;">Fixed flaw that caused certain flowbits to not be set (when GID boundaries were crossed and multiple keys were checked) </span></li>
<li><span style="font-size: small;">Enhancement request #22 updated the master config file to contain all of the currently available precompiled SO rules </span></li>
<li><span style="font-size: small;">Remove risky system calls, use handles instead </span></li>
</ul><span style="font-size: small;"><a href="http://pulledpork.googlecode.com/files/pulledpork-0.4.2.tar.gz">pulledpork-0.4.2.tar.gz</a> latest hashes:<br />
MD5SUM = d11b9d884f940a0df293718a4d4b3913<br />
SHA256 = 3491b8c3c99c621cfd6467da2c43866f33ede1d096538e4a497cdf52b49ad677<br />
<br />
Cheers,</span> <span style="font-size: small;"><br />
JJC</span>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-22569681783051224782010-04-26T20:14:00.000-04:002010-04-26T20:14:47.638-04:00PulledPork 0.4.1, I see your sensitive data!<div class="separator" style="clear: both; text-align: center;"><a href="http://www.alispagnola.com/leprechaun1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://www.alispagnola.com/leprechaun1.jpg" width="154" /></a></div>In conjunction with the <a href="http://snort.org/">Snort 2.8.6</a> release and the new Snort Rules tarball format, <a href="http://pulledpork.googlecode.com/files/pulledpork-0.4.1.tar.gz">pulledpork 0.4.1</a> is now released! As noted below, there are a number of changes and fixes. When updating your pulledpork, please be sure to use the latest master configuration file that is included in the release tarball and read through it thoroughly.<br />
<br />
Notable changes include the tarball filename change, preprocessor rules and sensitive data rules. Note that pulledpork 0.4.0 will still work with 2.8.6 but will not properly make use of the new rules that I just listed, and that you will need to change the rules tarball name for VRT releases. Please also note that if you use <a href="http://pulledpork.googlecode.com/files/pulledpork-0.4.1.tar.gz">pulledpork 0.4.1</a> and are still using Snort 2.8.5.3, you need to make some changes in the "ignore" variable section of the pulledpork.conf file.<br />
<br />
New Features/changes:<br />
<ul><li>Flowbit tracking! - This means that flowbits are no longer all enabled when a specific base ruleset is specified (security etc...); instead all flowbits are tracked, so that only those that are required get enabled.</li>
<li>Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.</li>
<li>Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.</li>
<li>Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.</li>
<li>Handle preprocessor and sensitive-information rulesets</li>
</ul><br />
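An added example (not pulledpork's own code; its tracking lives in its source) of the flowbit tracking described above: starting from the rules a user wants, it follows flowbits:isset/isnotset back to the rules that set those bits, so only the required setters get enabled rather than every flowbit rule. The rules and sids below are constructed.<br />

```perl
#!/usr/bin/perl
# Added example, not pulledpork's own code: starting from the rules a user wants
# enabled, follow flowbits:isset/isnotset back to the rules that set those bits,
# so that only the required setters get enabled. Rules and sids are constructed.
use strict;
use warnings;

# Return (bits this rule sets, bits this rule tests) from its flowbits options.
sub flowbits_of {
    my ($rule) = @_;
    my (@set, @need);
    while ($rule =~ /\bflowbits:\s*([^;]+);/g) {
        my $arg = $1;                              # e.g. "isset,smb.session"
        my ($op, $names) = split /\s*,\s*/, $arg, 2;
        next unless defined $names;                # noalert/reset name no bit
        my @names = split /\s*[&|]\s*/, $names;    # several bits may be joined
        push @set,  @names if $op =~ /^(?:set|setx|toggle)$/;
        push @need, @names if $op =~ /^(?:isset|isnotset)$/;
    }
    return (\@set, \@need);
}

# Closure over the chain: every tested bit gets its setters enabled, and each
# newly enabled setter is queued so its own tested bits are resolved too.
sub resolve_flowbits {
    my ($rules, $wanted) = @_;                     # sid => rule text, wanted sids
    my %enabled = map { $_ => 1 } @$wanted;
    my @queue   = @$wanted;
    while (defined(my $sid = shift @queue)) {
        my (undef, $need) = flowbits_of($rules->{$sid});
        for my $bit (@$need) {
            for my $other (sort { $a <=> $b } keys %$rules) {
                next if $enabled{$other};
                my ($set) = flowbits_of($rules->{$other});
                next unless grep { $_ eq $bit } @$set;
                $enabled{$other} = 1;
                push @queue, $other;
            }
        }
    }
    return sort { $a <=> $b } keys %enabled;
}

# Constructed rules: a two-step SMB chain, a one-step download chain and noise.
my %rules = (
    2001 => 'alert tcp any any -> any 80 (msg:"exe request"; flowbits:set,file.exe; flowbits:noalert; sid:2001;)',
    2002 => 'alert tcp any 80 -> any any (msg:"exe download"; flowbits:isset,file.exe; sid:2002;)',
    2003 => 'alert tcp any any -> any 445 (msg:"smb session"; flowbits:set,smb.session; flowbits:noalert; sid:2003;)',
    2004 => 'alert tcp any any -> any 445 (msg:"smb tree"; flowbits:isset,smb.session; flowbits:set,smb.tree; sid:2004;)',
    2005 => 'alert tcp any any -> any 445 (msg:"smb tree abuse"; flowbits:isset,smb.tree; sid:2005;)',
    2006 => 'alert tcp any any -> any 21 (msg:"ftp noise"; sid:2006;)',
);

# The user asked for two detection rules; the chain pulls in 2001, 2003 and 2004
# but leaves 2006 alone, which is the difference from enabling every flowbit rule.
my @enable = resolve_flowbits(\%rules, [2005, 2002]);
print "enable sid $_\n" for @enable;
```
<br />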
Bug Fixes:<br />
<ul><li>18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure; added an extra check to ensure that this does not occur</li>
<li>Cleaned up href pointers, syntactical purposes only...</li>
<li>Modified master config to allow for better readability on smaller console-based systems</li>
<li>Error output was not always returning the full error; fixed this</li>
</ul><br />
Thanks to the community for continued support and feedback!<br />
<br />
Cheers,<br />
JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-18137741016139463902010-04-26T14:25:00.000-04:002010-04-26T14:25:32.906-04:00Snort 2.8.6 Release is OUT, WGET it nao! kthx!That's right, the new <a href="http://www.snort.org/downloads/">Snort 2.8.6 Release</a> is out, get it at <a href="http://www.snort.org/downloads/">snort.org!</a><br />
<br />
Release Notes: <br />
<br />
2010-04-22 - Snort 2.8.6<br />
<br />
[*] New Additions<br />
* HTTP Inspect now splits requests into 5 components -<br />
Method, URI, Header (non-cookie), Cookies, Body.<br />
Content and PCRE rule options can now search one or more of these buffers.<br />
<br />
HTTP server-specific configurations to normalize the HTTP header and/or<br />
cookies have been added.<br />
<br />
Support gzip decompression across multiple packets.<br />
<br />
* Added a Sensitive Data preprocessor, which performs detection of<br />
Personally Identifiable Information (PII). A new rule option is available<br />
to define new PII. See README.sensitive_data and the Snort Manual<br />
for configuration details.<br />
<br />
* Added a new pattern matcher and related configurations. The new pattern<br />
matcher is optimized to use less memory and perform at AC speed.<br />
<br />
[*] Improvements<br />
* Addressed problem to resolve output obfuscation affecting packets<br />
when Snort is inline.<br />
<br />
* Preprocessors with memcap settings can now be configured in a "disabled"<br />
state. This allows you to configure that memcap globally, but only enable<br />
the preprocessor in targeted configurations.JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-37536357187275788102010-03-26T12:41:00.002-04:002010-03-26T12:47:15.132-04:00Pulling Pork with the Drunken Leprechaun (PP 0.4.0)<br />
<a href="http://4.bp.blogspot.com/_E2Wa1M6x1fI/Sb-hidyZsOI/AAAAAAAAChI/WcqIadQxf5Q/s1600/Drunk_Leprechaun.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="http://4.bp.blogspot.com/_E2Wa1M6x1fI/Sb-hidyZsOI/AAAAAAAAChI/WcqIadQxf5Q/s320/Drunk_Leprechaun.jpg" /></span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><a href="http://code.google.com/p/pulledpork">PulledPork</a> 0.4.0 (Drunken Leprechaun) is officially released and can be downloaded here -> <a href="http://pulledpork.googlecode.com/files/pulledpork-0.4.0.tar.gz">pulledpork-0.4.0.tar.gz</a></span><br />
<div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">This version constitutes a major rewrite of the rule reading, modification and writing system to improve speed, future module addition, supportability, and of course reliability. Incidentally, the codename was partially chosen due to a majority of the rewrites being finished on St. Patrick's Day.</span></div><div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">One specific change to note is the use of Archive::Tar, which makes PulledPork more system independent. As such, you will need to install Archive::Tar if you do not have it currently installed; you can do so using CPAN. Please see the PulledPork </span><a href="http://code.google.com/p/pulledpork/wiki/FAQ"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">FAQ</span></a><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"> for further information.</span></div><div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">New Features/changes:</span></div><ul style="max-width: 65em; padding-left: 40px;"><li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Enablesid (-e enablesid.conf)</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Moved all .conf files under etc/</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Ability to define sid ranges in any of the sid modification .conf files</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Ability to specify references in any of the sid modification .conf files</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Ability to ignore entire rule categories (i.e. not include them)</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Specify locally stored rules files that need their meta data included in sid-msg.map</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">All rulestate modifications, comparisons etc.. are now handled in-memory</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Rewrite of sid-msg.map generation code to allow for all proper character reading and addition to sid-msg.map</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">No longer reliant on tar binary, now using Archive::Tar</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Ability to specify your arch for so_rules</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Added significant amounts of debug output when an error is detected</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Rules are now written to only two distinct files</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Cleaned up changelog and added more information to it</span></li>
</ul><div style="max-width: 65em;"></div><div style="max-width: 65em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Bug Fixes:</span></div><ul style="max-width: 65em; padding-left: 40px;"><li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Properly account for whitespace in non-standard rulesets such as ET</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Cleaned up and improved the changelog to display new / deleted sids and rule totals</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Certain conditions caused the md5 check to fail even when valid - This was primarily an ET issue, but did manifest on VRT rulesets also</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Many small fixes that were not tracked well :-P</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Do not overwrite local.rules, but still include in sid-msg.map generation</span></li>
</ul><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">A little more detail about some of the key new features; note that there are more, so please read through all of the conf files and the README thoroughly:</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Initially you may not notice a significant performance increase, unless you already have a large count of disable or drop sids specified in your configuration because this is where the major improvement was made. I can't help how slow your internet connection is and thusly how long it takes you to download the tarball itself ;-).</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">One key change that you will note is that all rules are now written to only two distinct files.. one for GID:1 rules and one for GID:3 rules. The logic behind this is simple; if a new rule category comes out (a new or different .rules file within the VRT or ET tarball) then it will automatically be included in your snort.conf, as you will have only one or both of the aforementioned GID:1 and GID:3 rules files included. Please note these changes in the rule_path and sostub_path within the pulledpork.conf file.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Somewhat hand-in-hand with the previous change is the addition of the ignore variable within the pulledpork.conf file.. this specifies what categories/rule files that you want excluded from your configuration. By default these are deleted, experimental, and local.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">If you have a local.rules file or other already locally existing rules files, you can specify them with the local_rules variable; doing so will tell pulledpork to read these rules and populate their meta data into the sid-msg.map.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Enablesid - This was a widely requested feature, the capability to enable specific sids etc.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Sid modification ranges - This stemmed from one of the enablesid requests (an option to enable ALL sids) and my interpretation of what I thought would be more useful. This feature gives you the capability to specify a range of sids in any of the sid state modification configuration files in the format of GID:SID-GID:SID. Please see the individual configuration files for additional information.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Reference modification - This was another community request and allows the user to specify any reference within a rule and perform an operation on that rule (disable, enable, drop...). The formatting is simple, the user specifies, in one of the sid state modification configuration files, the reference information such as cve|XXX-XXXX,MSXX-XXXX. Please see the individual configuration files for additional information.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Excerpt from an example configuration file:</span></div><div><blockquote><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"># example of enabling ranges and references!</span></blockquote><blockquote><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"># you should be specific when enabling a range of rules.. don't just put an extremely high number</span></blockquote><blockquote><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"># this would be at the cost of speed and memory usage.</span></blockquote><blockquote><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004</span></blockquote><br />
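As an added example (my own code, not PulledPork's), here is a small Python matcher that reads selectors in exactly that format (GID:SID, GID:SID-GID:SID ranges, type|value references and a bare bulletin token) and applies them the way enablesid would to a few constructed rules; the bare MS09-004 token is assumed to match any reference whose value contains it, and the option parser tolerates optional whitespace after the colon.

```python
import re

# Constructed sample rules for this example (not from any real ruleset): three are
# commented out (disabled) and one is already enabled. Some option values carry a
# space after the colon ("msg: ", "sid: "), which the parser tolerates.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC sample one"; sid:1101; gid:1; rev:3; reference:cve,1999-0499;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "NETBIOS sample two"; sid: 1500; rev:2; reference: bugtraq,22026;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP sample three"; sid:3000; gid:1; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"DCERPC sample four"; sid:4000; reference:url,example.invalid/MS09-004;)
"""

# The enablesid-style excerpt quoted in the post.
SAMPLE_CONFIG = """\
# example of enabling ranges and references!
1:1101,1:800,1:1200-1:2000,cve|1999-0499,bugtraq|22026,MS09-004
"""

# A rule line, optionally commented out; only the sid/gid/reference options are read.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<body>(?:alert|drop|log|pass)\s.*\(.*\))\s*$')
OPT_RE = re.compile(r'\b(?P<key>sid|gid|reference):\s*(?P<value>[^;]*);')
SELECTOR_RE = re.compile(r'^(?P<g1>\d+):(?P<s1>\d+)(?:-(?P<g2>\d+):(?P<s2>\d+))?$')

def parse_rule(line):
    """Return (gid, sid, references, disabled, body) or None for non-rule lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts, refs = {}, []
    for o in OPT_RE.finditer(m.group('body')):
        key, value = o.group('key'), o.group('value').strip()
        if key == 'reference':
            refs.append(value)            # e.g. "cve,1999-0499"
        else:
            opts.setdefault(key, value)
    if 'sid' not in opts:
        return None
    gid = int(opts.get('gid', '1'))       # gid defaults to 1 when the rule omits it
    return gid, int(opts['sid']), refs, bool(m.group('disabled')), m.group('body')

def parse_config(text):
    """Parse comma-separated selectors: GID:SID, GID:SID-GID:SID, type|value or a bare token."""
    selectors = []
    for line in text.splitlines():
        for token in line.split('#', 1)[0].split(','):   # '#' starts a comment
            token = token.strip()
            if not token:
                continue
            m = SELECTOR_RE.match(token)
            if m:
                lo = (int(m.group('g1')), int(m.group('s1')))
                hi = (int(m.group('g2')), int(m.group('s2'))) if m.group('g2') else lo
                selectors.append(('range', lo, hi))
            elif '|' in token:
                rtype, rvalue = token.lower().split('|', 1)
                selectors.append(('reference', rtype, rvalue))
            else:
                # Bare token such as MS09-004: assumed here to match any reference
                # whose value contains it (e.g. a bulletin URL).
                selectors.append(('substring', token.lower(), None))
    return selectors

def matches(selectors, gid, sid, refs):
    """True when any selector covers this rule's GID:SID or one of its references."""
    for kind, a, b in selectors:
        if kind == 'range' and a <= (gid, sid) <= b:
            return True
        for ref in refs:
            rtype, _, rvalue = ref.lower().partition(',')
            if kind == 'reference' and (rtype, rvalue) == (a, b):
                return True
            if kind == 'substring' and a in ref.lower():
                return True
    return False

def select_rules(rules_text, config_text):
    """Return the set of (gid, sid) pairs the config selects, enabled or not."""
    selectors = parse_config(config_text)
    hits = set()
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and matches(selectors, *parsed[:3]):
            hits.add(parsed[:2])
    return hits

def enable_rules(rules_text, config_text):
    """Uncomment every selected rule (enablesid behaviour); other lines pass through."""
    selectors = parse_config(config_text)
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed and parsed[3] and matches(selectors, *parsed[:3]):
            out.append(parsed[4])
        else:
            out.append(line)
    return '\n'.join(out) + '\n'
```

Running select_rules on the samples returns {(1, 1101), (1, 1500), (1, 4000)}: sid 1500 is caught by the 1:1200-1:2000 range even though it carries no explicit gid, and sid 3000 stays untouched because nothing selects it.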
Excerpt from new changelog format:<br />
<blockquote>-=Begin Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-</blockquote><blockquote><br />
</blockquote><blockquote>New Rules</blockquote><blockquote> 1:16492</blockquote><blockquote> 1:16493</blockquote><blockquote> 1:16494</blockquote><blockquote> 1:16495</blockquote><blockquote> 1:16496</blockquote><blockquote> 1:16497</blockquote><blockquote> 1:16498</blockquote><blockquote> 1:16499</blockquote><blockquote> 1:16500</blockquote><blockquote><br />
</blockquote><blockquote>Set Policy: security</blockquote><blockquote><br />
</blockquote><blockquote>Rule Totals</blockquote><blockquote> New:-------9</blockquote><blockquote> Deleted:---0</blockquote><blockquote> Enabled:---5378</blockquote><blockquote> Dropped:---0</blockquote><blockquote> Disabled:--3606</blockquote><blockquote> Total:-----8984</blockquote><blockquote><br />
</blockquote><blockquote>-=End Changes Logged for Tue Mar 23 19:15:02 2010 GMT=-</blockquote></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">You will want to take the paths out of your old pulledpork.conf and use the new pulledpork.conf; since there are so many new features and variables, pulledpork will not function without the updated pulledpork.conf file. All of the other sid modification conf files remain unchanged, however.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Please be sure that you read the README and all configuration files thoroughly as there are many changes.</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">JJC</span></div>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-22759912282875658272010-02-25T12:56:00.013-05:002010-02-25T15:22:17.305-05:00Hogging the Snort Host Attribute Table<div style="text-align: justify;"><a href="http://code.google.com/p/hogger">Hogger</a> is a new <a href="http://snort.org/">Snort</a> supportive tool written in Perl, by Parker Crook, that allows you to create a <a href="http://www.csoonline.com/article/546763/Tuning_Snort_with_Host_Attribute_Tables">Host Attribute Table</a> from an <a href="http://nmap.org/">nmap</a> scan. But first, a little primer: a feature within Snort that has received some traction lately is the --enable-targetbased configuration option. This allows you to specify a Host Attribute Table that contains critical information about your network host topology (i.e. OS, services, etc.). Using this information, Snort can then properly reassemble fragments, track streams and do a number of other things. All of these items are covered in <a href="http://blog.joelesler.net/">Joel Esler's</a> recent <a href="http://www.csoonline.com/">CSO</a> article that can be found at <a href="http://www.csoonline.com/article/546763/Tuning_Snort_with_Host_Attribute_Tables"><span class="Apple-style-span" style="font-size:medium;">This URL</span></a>. This is an excellent article that covers what Host Attribute Tables are and how to use them, so please read the article for a better understanding!</div><div><br /></div><div style="text-align: justify;">Now that you know all about the Host Attribute Table, let's jump into the purpose and use of hogger. As mentioned previously, hogger was written by Parker Crook to create a Host Attribute Table using the resulting output of an nmap scan. 
Without further ado, let's walk through the usage of hogger!</div><div><br /></div><div>Requirements: </div><div><ul><li><a href="http://www.perl.org/">Perl</a></li><li><a href="http://search.cpan.org/~josephw/XML-Writer-0.606/Writer.pm">XML::Writer</a> (perl module)</li><li><a href="http://nmap.org/">Nmap</a></li><li><a href="http://code.google.com/p/hogger">Hogger</a></li></ul></div><div>Steps:</div><div><ol><li>Install XML::Writer</li><li>Get hogger</li><li>Install Nmap</li><li>Run Nmap with correct options</li><li>Run hogger against Nmap output file</li><li>Start your snorting!</li></ol><div>1: Installing XML::Writer</div><div></div><blockquote><div><span class="Apple-style-span" style="font-size:small;">$perl -MCPAN -e shell</span></div><div><div><span class="Apple-style-span" style="font-size:small;">cpan[1]> install XML::Writer</span></div></div></blockquote><div><div></div><div>2: Get Hogger</div><div></div><blockquote><div><span class="Apple-style-span" style="font-size:small;">$wget http://hogger.googlecode.com/files/hogger.tar.gz</span></div><div><span class="Apple-style-span" style="font-size:small;">$tar xvfz hogger.tar.gz</span></div></blockquote><div></div><div>3: Install Nmap</div><div><blockquote><span class="Apple-style-span" style="font-size:small;">Use whatever tool that your distribution / OS uses to install Nmap, or get the source from <a href="http://nmap.org/">nmap.org</a> and build it yourself!</span></blockquote>4: Run Nmap</div><div></div><blockquote><div><span class="Apple-style-span" style="font-size:small;">$mkdir ~/hogger/nmap</span></div><div><span class="Apple-style-span" style="font-size:small;">$cd ~/hogger/nmap</span></div><div><span class="Apple-style-span" style="font-size:small;">$nmap -sV -T4 -oN scan.nmap 192.168.1.0/24</span></div><div><span class="Apple-style-span" style="font-size:small;">Starting Nmap 5.21 ( http://nmap.org ) at 2010-02-25 18:46 UTC</span></div><div><span class="Apple-style-span" 
style="font-size:small;">..output suppressed...</span></div></blockquote><div>5: Run hogger (against scan.nmap)</div><div></div><blockquote><div><span class="Apple-style-span" style="font-size:small;">$cd ~/hogger</span></div><div><span class="Apple-style-span" style="font-size:small;">$./hogger.pl -c nmap/hostmap.csv -n nmap/scan.nmap -x nmap/host_attrib_table.xml</span></div></blockquote><div></div><div>6: Start your snorting - At this point you can take the newly created host_attrib_table.xml file and place the path to it in your snort.conf, assuming you built Snort with the correct option:</div><div><blockquote><span class="Apple-style-span" style="font-size:small;">attribute_table filename /path/to/host_attrib_table.xml</span></blockquote></div><div>Now that we have all of this running, let's examine some of the options that are currently available in hogger and dissect our hogger run: <i>"./hogger.pl -c nmap/hostmap.csv -n nmap/scan.nmap -x nmap/host_attrib_table.xml"</i>.</div><div><br /></div><div>Hogger help output:</div><div><div><i> Usage: ./hogger.pl [-r? -help] -n &lt;nmap&gt; -c &lt;csv&gt; -x &lt;host_attribute&gt;</i></div><div><i><br /></i></div><div><i> Options:</i></div><div><i> -c Where the human-readable/modifiable csv file containing host information lives.</i></div><div><i> -n Where the nmap file containing host information lives.</i></div><div><i> -r Process the csv file and output to xml for snort, but do not read an nmap file.</i></div><div><i> -x Where you want to create the host_attribute table.xml (Overwrites existing files)</i></div><div><i> -help/? Print this information</i></div><div><br /></div><div>Starting with the -c flag: this is a file that will be created by hogger if it does not exist, and is simply a csv file that you can modify (for those hosts that nmap either misses or is not as accurate as you would like). 
A few sample entries in the file (hostmap.csv) that we created in the above test run:</div><div><div></div><blockquote><div><span class="Apple-style-span" style="font-size:small;">192.168.1.1, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http</span></div><div><span class="Apple-style-span" style="font-size:small;">192.168.1.2, Linux, 23|tcp|telnet 53|tcp|domain 443|tcp|ssl/http</span></div><div><span class="Apple-style-span" style="font-size:small;">192.168.1.7, FreeBSD, 22|tcp|ssh 53|tcp|domain 80|tcp|http 3000|tcp|http 3128|tcp|http-proxy 3306|tcp|mysql 5000|tcp|http-proxy 8443|tcp|http</span></div></blockquote><div></div></div><div>Next we see the -n flag; this specifies where the nmap output file (the one we previously created using the nmap -oN scan.nmap option) lives. This is the file that hogger reads to create entries in the -c &lt;file&gt;.</div><div><br /></div><div>The -r flag is fairly straightforward and specifies that you ONLY want to read the csv file specified with the -c flag value.</div><div><br /></div><div>The final flag that we will discuss is the -x flag; this is a required flag and tells hogger where you want the resulting output (the Host Attribute Table) to be placed. 
Examples from the output, matching those noted in the -c flag information above:</div><div><div></div><blockquote><div><div><SNORT_ATTRIBUTES></div><div> <ATTRIBUTE_TABLE></div><div> <HOST IP="192.168.1.1"></div><div> <OPERATING_SYSTEM></div><div> <NAME ATTRIBUTE_VALUE="Linux" CONFIDENCE="90"></NAME></div><div> <FRAG_POLICY>Linux</FRAG_POLICY></div><div> <STREAM_POLICY>linux</STREAM_POLICY></div><div> </OPERATING_SYSTEM></div><div> <SERVICES></div><div> <SERVICE></div><div> <PORT ATTRIBUTE_VALUE=" 23" CONFIDENCE="100"></PORT></div><div> <IPPROTO ATTRIBUTE_VALUE="tcp" CONFIDENCE="100"></IPPROTO></div><div> <PROTOCOL ATTRIBUTE_VALUE="telnet 53" CONFIDENCE="95"></PROTOCOL></div><div> </SERVICE></div><div> </SERVICES></div><div> </HOST></div><div> <HOST IP="192.168.1.2"></div><div> <OPERATING_SYSTEM></div><div> <NAME ATTRIBUTE_VALUE="Linux" CONFIDENCE="90"></NAME></div><div> <FRAG_POLICY>Linux</FRAG_POLICY></div><div> <STREAM_POLICY>linux</STREAM_POLICY></div><div> </OPERATING_SYSTEM></div><div> <SERVICES></div><div> <SERVICE></div><div> <PORT ATTRIBUTE_VALUE=" 23" CONFIDENCE="100"></PORT></div><div> <IPPROTO ATTRIBUTE_VALUE="tcp" CONFIDENCE="100"></IPPROTO></div><div> <PROTOCOL ATTRIBUTE_VALUE="telnet 53" CONFIDENCE="95"></PROTOCOL></div><div> </SERVICE></div><div> </SERVICES></div><div> </HOST></div><div> <HOST IP="192.168.1.7"></div><div> <OPERATING_SYSTEM></div><div> <NAME ATTRIBUTE_VALUE="FreeBSD" CONFIDENCE="90"></NAME></div><div> <FRAG_POLICY>BSD</FRAG_POLICY></div><div> <STREAM_POLICY>bsd</STREAM_POLICY></div><div> </OPERATING_SYSTEM></div><div> <SERVICES></div><div> <SERVICE></div><div> <PORT ATTRIBUTE_VALUE=" 22" CONFIDENCE="100"></PORT></div><div> <IPPROTO ATTRIBUTE_VALUE="tcp" CONFIDENCE="100"></IPPROTO></div><div> <PROTOCOL ATTRIBUTE_VALUE="ssh 53" CONFIDENCE="95"></PROTOCOL></div><div> </SERVICE></div><div> </SERVICES></div><div> </HOST></div></div></blockquote></div><div><div></div><div>Having said all of this, I am not going to go into detail about the 
flags used during the Nmap scan; suffice it to say that those are the suggested flags and that the -oN &lt;outputfilename&gt; is required to produce the output file for hogger to read.</div><div><br /></div><div>Overall I think that the concept behind hogger is excellent and that it should provide useful aid to all you snort heads out there! This tool gets a thumbs up from me and should be one that you put into your snort bag of tricks, and it is also one that I am planning on contributing to.</div><div><br /></div><div>Cheers,</div><div>JJC</div></div></div></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div></div>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com4tag:blogger.com,1999:blog-3486144322043340030.post-4366657290023190402010-02-23T10:41:00.005-05:002010-02-23T11:27:33.551-05:00Writing Snort Rules Correctly (via Joel Esler)<a href="http://blog.joelesler.net/">Joel Esler </a>recently published an article entitled <a href="http://blog.joelesler.net/2010/02/writing-snort-rules-is-harder-than-it-looks.html">"Writing Snort Rules Correctly"</a>. I certainly suggest having a read through of this, as it discusses a number of the finer points (including PCRE) of writing a snort rule, using a previously published example rule. 
Joel dissects the rule, pointing out the good and bad while making note of better methods.<div><br /></div><div>Just a short post, but I thought it worth posting to bring more attention to the aforementioned article by <a href="http://blog.joelesler.net/">Joel Esler</a>.</div><div><br /></div><div>JJC</div>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-17351959915025120042010-01-12T18:12:00.003-05:002010-01-12T18:25:03.532-05:00ET Rules and /\s?/It was recently brought to my attention that many of the rules within the various <a href="http://emergingthreats.net/">Emerging Threats</a> rulesets have whitespace after value definitions, such as flowbits:&lt;whitespace&gt;set and msg:&lt;whitespace&gt;"\s?". Unfortunately I did not notice this within the <a href="http://emergingthreats.net/">ET</a> rulesets. <br /><br /><div style="text-align: left;">PulledPork was originally written to handle VRT rulesets from snort.org (none have this formatting flaw) and as such I had not accounted for it, as mentioned previously. The fix is a simple regex modification to the PulledPork code; you can get the patch here: <a href="http://pulledpork.googlecode.com/files/pp_304_whitespace.patch">http://pulledpork.googlecode.com/files/pp_304_whitespace.patch</a> and apply it to pulledpork.pl.<br /><br />For those that might ask the question "what if there are multiple whitespaces, ala \s*": this is NOT the case. I spoke with rotorhead from the ET team and all ET rules are normalized to at least remove multiple whitespace chars.<br /><br />This fix has already been checked into svn but I will not be re-releasing 0.3.4 to account for this.. 
but will likely be generating daily snapshots in the near future.<br /><br />Cheers,<br />JJC<br /></div>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-53439308630861845702010-01-11T15:34:00.010-05:002010-01-11T18:45:34.608-05:00Time to own your rules - PulledPork 0.3.4 Released!<a style="" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4o1UUjjs04QJ08rfKzmom9upMT9FNbdOk3b2095EVXLSoKXmLtO9yGaP6mGF1QYa3GYCtjSxyW9bKEX1LNeBUvHj6zmHTy4PSMn3cn5LhCq8CrkwDDIIxZuiBebB6Zzx4cfeBNIydZkc/s1600-h/flying_pig.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 320px; height: 274px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4o1UUjjs04QJ08rfKzmom9upMT9FNbdOk3b2095EVXLSoKXmLtO9yGaP6mGF1QYa3GYCtjSxyW9bKEX1LNeBUvHj6zmHTy4PSMn3cn5LhCq8CrkwDDIIxZuiBebB6Zzx4cfeBNIydZkc/s320/flying_pig.gif" alt="" id="BLOGGER_PHOTO_ID_5425618446669317842" border="0" /></a><br />After what seems like forever since I have made a post about anything, I am pleased to announce the general availability of the latest version of <a href="http://code.google.com/p/pulledpork/">PulledPork!</a> This new version (v0.3.4) has a significant number of bugfixes for a variety of OS/distributions in addition to the numerous feature enhancements noted below.<br /><br />I would like to thank all of the individuals that provided beta testing assistance and valuable feedback. I would also like to thank all of the users that have adopted <a href="http://code.google.com/p/pulledpork/">PulledPork</a> and sent in comments / feature requests. <a href="http://code.google.com/p/pulledpork/">PulledPork</a> certainly would not be where it is without your support and contributions!<br /><br />Now that we are through the mushy stuff, on to the features!<br /><br /><span style="font-weight: bold;">VRT Rulesets! 
-</span> Support metadata based <a href="http://www.snort.org/vrt">VRT</a> recommended rulesets - The short of it is that you can now specify a default pre-defined ruleset, yes.. this ruleset was designed by the <a href="http://www.snort.org/vrt">VRT!</a> The individual pre-defined rulesets that can be specified are fairly straightforward:<br /><ul><li><span style="font-style: italic;">Connectivity - </span>You run a lot of real time applications (VOIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile most likely to affect the largest number of people type of vulnerabilities.<span style="font-style: italic;"></span></li></ul><ul><li><span style="font-style: italic;">Balanced - </span>You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks, start here.</li></ul><ul><li><span style="font-style: italic;">Security - </span>You don't care about dropping your bosses email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist, start here!</li></ul><br /><span style="font-weight: bold;">Changelog -</span> This feature allows you to specify that you want a changelog (any rule that has any change in it from your previous ruleset, i.e. disabled, enabled, modified etc..) 
maintained for any and all changes, in a specified log file.<br /><br /><span style="font-weight: bold;">Inline Drops - </span>This feature allows you to specify which SIDs you want set to drop, for those running an inline setup!<br /><br /><span style="font-weight: bold;">Multiline Rules -</span> Added full support for parsing of multiline rules.<br /><br /><span style="font-weight: bold;">Enhancements -</span> Many minor enhancements made to the debugging output, speed enhancements, code cleanup, error handling etc...<br /><br />There are quite a few runtime options and configuration options, so please be sure to read through the README files thoroughly; also please be sure to use the latest pulledpork.conf that is included in the tarball! That's about it for now; please feel free to participate by asking questions on the mailing list at <a href="http://groups.google.com/group/pulledpork-users/">http://groups.google.com/group/pulledpork-users/</a> or on freenode in #snort or #pulledpork.<br /><br />One final note: all of the release tarballs will now be named pulledpork-X.X.X.tar.gz to help out those maintaining packages and ports, thanks!<br /><br />Download the tarball here: <a href="http://pulledpork.googlecode.com/files/pulledpork-0.3.4.tar.gz">pulledpork-0.3.4.tar.gz<br /></a><span style="font-size:85%;">MD5SUM = 034f90a2555c5f82e760b0ce68489ad2<br />SHA256 = 8b775e6476d653733f3d29ea9c962a76feaf148f3204a90fd47c646802448b80<br /><br />Cheers,<br />JJC<br /></span>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com1tag:blogger.com,1999:blog-3486144322043340030.post-18920273186590107532009-10-14T10:29:00.004-04:002009-10-14T11:22:08.911-04:00Pulledpork v0.2.5 - Released<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://code.google.com/p/pulledpork/logo?logo_id=1243350201"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 71px; height: 55px;" 
src="http://code.google.com/p/pulledpork/logo?logo_id=1243350201" border="0" alt="" /></a><div>A new and updated version of <a href="http://code.google.com/p/pulledpork/">pulledpork</a> is out. This version adds functionality and also addresses a number of previously reported bugs; a few simple examples:</div><div><br /></div><div><ul><li>Improved and cleaned up code for efficiency and speed</li><li>Do not overwrite local.rules on run</li><li>Do not attempt to copy . and .. as rules files</li><li>Much more...</li></ul></div><div>The primary feature that has been added is the capability to download rules from sites other than <a href="http://snort.org/">snort.org</a> (VRT). Any URL can be specified to download a rules tarball from; however, md5 hash verification will only work when <a href="http://vrt-sourcefire.blogspot.com/">VRT</a> or <a href="http://emergingthreats.net/">ET</a> locations are specified. If a different location (i.e. a local redistribution point) is specified, please be sure to specify the -d (do not verify md5) option. Please see the README and pulledpork.conf files for more information on usage of new and existing options and features.</div><div><br /></div><div>New runtime option flag:</div><div><ul><li>-u Where do you want me to pull the rules tarball from </li></ul></div><div> (ET, Snort.org, see pulledpork config base_url option for value ideas)</div><div><br /></div><div>A new tarball containing all of the new features will be published today at <a href="http://code.google.com/p/pulledpork/downloads/list">http://code.google.com/p/pulledpork/downloads/list</a></div>JJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-56939110390979602362009-09-16T16:16:00.001-04:002009-09-16T16:31:57.320-04:00Snort 2.8.5 at snort.org... 
get it while it's hot!Snort 2.8.5 is teh outed, get it or DIAF!<br /><br />Snort 2.8.5 introduces:<br /><br />- Ability to specify multiple configurations (snort.conf and everything<br /> it includes), bound either by Vlan ID or IP Address. This allows you<br /> to run one instance of Snort with multiple snort.conf files, rather<br /> than having separate processes. See README.multipleconfigs for<br /> details.<br /><br />- Continued inspection of traffic while reloading a configuration.<br /> Add --enable-reload option to your configure script prior to building.<br /> See README.reload for details.<br /><br />- Rate Based Attack Prevention for Connection Attempts, Concurrent<br /> Connections, and improved rule/event filtering. See README.filters<br /> for details.<br /><br />- SSH preprocessor<br /><br />- Performance improvements in various places<br /><br />Please see the Release Notes and ChangeLog for more details.<br /><br />http://www.snort.org/downloads<br /><br />kthyx<br /><br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-90716428230149966632009-07-16T20:57:00.003-04:002009-07-16T20:59:41.068-04:00pulledpork google groupNot that anyone actually needs help, but if you want a different place where you can share comments, thought, desired features or complaints, I have created a google group for pulled pork:<br /><br /><span style="text-decoration: underline;">=> </span><a href="http://groups.google.com/group/pulledpork-users" rel="nofollow">http://groups.google.com/group/pulledpork-users</a><br /><br />Cheers,<br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-41668153171364052352009-07-16T20:38:00.002-04:002009-07-16T20:55:22.389-04:00pulledpork 0.2.2 and new featuresGet it while it's hot <a href="http://pulledpork.googlecode.com/files/pulledpork20090716.tar.gz">@here!</a><br /><br />I have 
received a few requests to build support into <a href="http://code.google.com/p/pulledpork">pulledpork</a> for the restarting of processes (i.e. snort after downloading new rules or modifying the ruleset using disablesid). In response to this, it is done ^-^. You will note in the pulledpork.conf file that there is a new option at the bottom called pid_path. Simply list the path to your pid files (/var/run/snort_intx.pid,/path/to/another/pid.pid) etc... and specify -H at runtime.. you will be magically pleased (assuming you run pulledpork under a context that has permissions to restart said PID).<br /><br />I also added a second option "-n" that will allow you to make modifications to the disablesid.conf file and re-execute pulledpork without attempting to download the current ruleset or md5 again (ala tuning exercises...).<br /><br />Please see the included README for additional info and general guidelines on usage... below is some sample output.<br /><br /><blockquote> ./pulledpork.pl -c ../pulledpork.conf -i disablesid.conf -THn<br />Prepping files for work....<br /> Done!<br />Copying rules files....<br /> Done!<br />Disabling your chosen SID's....<br /> Disabled 1 rules in /usr/local/etc/snort/rules/web-iis.rules<br /> Disabled 2 rules in /usr/local/etc/snort/rules/backdoor.rules<br /> Disabled 1 rules in /usr/local/etc/snort/rules/rpc.rules<br /> Disabled 1 rules in /usr/local/etc/snort/rules/exploit.rules<br /> Done<br />HangUP Time....<br /> Done!<br />Fly Piggy Fly!</blockquote>That's all for now, enjoy!<br /><br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-27762314676850219182009-07-15T12:15:00.021-04:002010-05-14T12:15:40.493-04:00Snorby for Snort, a Recipe with Barnyard2 and Unified2<a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFvfiLFn0JVEn9bHIpAmTRcdBN6dv5Bd2N-OeG0oEizXkeaqGdJiaeNHEjXK-R5BSI_JowkzGqhCZxKdNO_O2EOr0-hHHLy_OZt7izzMjogNqcEojmfsfSFxXZ4NCMO_zJtF2PUxpZpPQ/s1600-h/snorby_logo.png" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5358846826468526962" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFvfiLFn0JVEn9bHIpAmTRcdBN6dv5Bd2N-OeG0oEizXkeaqGdJiaeNHEjXK-R5BSI_JowkzGqhCZxKdNO_O2EOr0-hHHLy_OZt7izzMjogNqcEojmfsfSFxXZ4NCMO_zJtF2PUxpZpPQ/s200/snorby_logo.png" style="cursor: pointer; float: left; height: 34px; margin: 0pt 10px 10px 0pt; width: 150px;" /></a><a href="http://snorby.org/">Snorby</a>, an all new frontend (yes, it's still Beta) for <a href="http://snort.org/">snort</a> has recently emerged. As such I decided that I would take a look and give my thoughts as well as a quick recipe to get it running fairly quickly using barnyard2. During my testing of Snorby, I talked with the creator (mephux) about his plans for Snorby and also worked through a couple of bugs, that he jumped on right away.<br />
<br />
Note: This posting details how to get Snorby working with apache and passenger, NOT Webrick.. if you want that please read the details of how to do so at the Snorby site.<br />
<br />
Recipe Components:<br />
<ul><li>FreeBSD 8.0R</li>
<li>apache22</li>
<li>ruby-gems</li>
<li>ruby-iconv<br />
</li>
<li>prawn (gem)<br />
</li>
<li>rake (gem)<br />
</li>
<li>mysql (gem)</li>
<li>rails (gem)<br />
</li>
<li>passenger (formerly modrails)</li>
<li>mysql</li>
<li>snort</li>
<li>barnyard2</li>
<li>git</li>
</ul>Ok, let's get the dependencies and such out of the way. I am making several assumptions in writing this... not the least of which is that you know how to use google if you can't figure something out... also that you already have the base of some of these items installed (ala FreeBSD, apache, snort). If not, I have previous posts that discuss the setup of said items, and I am again going to drop the google bomb!<br />
<br />
We need ruby-gems to get passenger running and ultimately Snorby:<br />
<blockquote>$ cd /usr/ports/devel/git/ && sudo make install clean<br />
...I deselect all of the options, I just want regular old git for this exercise<br />
...output suppressed<br />
$ cd /usr/ports/devel/ruby-gems/ && sudo make install clean<br />
...output suppressed<br />
$ sudo gem install prawn --no-rdoc --no-ri<br />
...output suppressed<br />
$ sudo gem install rake --no-rdoc --no-ri<br />
...output suppressed<br />
$ sudo gem install rails --no-rdoc --no-ri<br />
...output suppressed<br />
$ sudo gem install mysql --no-rdoc --no-ri<br />
...output suppressed<br />
$ sudo gem install passenger --no-rdoc --no-ri<br />
...output suppressed<br />
$ sudo passenger-install-apache2-module<br />
...run through the setup and perform the steps that are noted to activate the passenger capabilities with apache.. ala vi httpd.conf and add the 3 lines that you are told to.<br />
$ cd /usr/local/www/ && sudo git clone git://github.com/mephux/Snorby.git<br />
...output suppressed<br />
$ cd /usr/ports/converters/ruby-iconv && sudo make install clean</blockquote><br />
At this point you are ready to modify your database and email configuration for Snorby. If you have not done so, you should create a snort database (I have called mine snort and created a user "snorby" with password "snorby".. ok that's not really the password but for this writeup it is!). This user has full access (not grant) to the snort database. I have also created the appropriate tables in this database using the create_mysql sql that is included in both Snorby and Snort!<br />
<blockquote>$ sudo cp /usr/local/www/Snorby/config/database.yml.example /usr/local/www/Snorby/config/database.yml<br />
$ sudo cp /usr/local/www/Snorby/config/email.yml.example /usr/local/www/Snorby/config/email.yml</blockquote><br />
Now choose your preferred editor and modify the /usr/local/www/Snorby/config/database.yml file.. we are only concerned with the production info... you can also modify the email.yml but don't have to for our current purposes.<br />
<br />
Install additional gem requirements and setup Snorby to run!<br />
<blockquote>$ cd /usr/local/www/Snorby && sudo rake gems:install<br />
...output suppressed<br />
$ cd /usr/local/www/Snorby && sudo rake snorby:setup RAILS_ENV=production<br />
...output suppressed</blockquote><br />
At this point you are ready to tell Apache about Snorby, so let's modify our vhost or Apache config again. Simply add the following under the vhost of your choice; make sure that RewriteEngine On and RewriteOptions inherit are specified in this vhost (or are otherwise in scope for it):<br />
<blockquote>DocumentRoot /usr/local/www/Snorby/public<br />
<br />
RailsBaseURI /<br />
<br />
<Directory "/usr/local/www/Snorby/public"><br />
AllowOverride All<br />
Order deny,allow<br />
Allow from all<br />
</Directory></blockquote><br />
Once this is complete, restart Apache and you will get the Snorby login page when you browse to that vhost. The default username is snorby and the password is admin; change that password as soon as you first log in, since anyone who can reach the vhost can guess the default.<br />
<br />
We are now ready to modify our Snort config to output unified2. Edit snort.conf and comment out your old output plugins, or simply replace them with the following:<br />
<blockquote>output unified2: filename snortunified2.log, limit 128</blockquote><br />
Note that unified2 carries both the alert and the packet log data, so you no longer need two files. Now it's time for barnyard2. Fetch the latest version from securixlive.com and configure it with the --with-mysql option. Once it is built and installed, copy barnyard2.conf to /usr/local/etc/snort/ and edit that file: put the MySQL host, database, user and password that you used with Snorby earlier on the output database: line, make sure the input is specified as unified2, and check that the paths to the sid-msg.map, gen-msg.map, classification.config and reference.config files are correct. Once that's done, you are ready to fire it up:<br />
<blockquote>sudo barnyard2 -c /usr/local/etc/snort/barnyard2.conf -d /var/log/snort -f snortunified2.log -w /var/log/snort/barnyard2.waldo -D</blockquote><br />
You should now be receiving events in the snort mysql database and seeing them in Snorby.<br />
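barnyard2 reports a missing map file or a bad output line only when you start it, so a quick check of the config before you fire it up saves a round trip through the logs. The script below is an added example for this writeup; it is not code from the original post or from barnyard2. It writes out a constructed sample barnyard2.conf with the directives discussed above (the map and config file paths, input unified2, and the output database: line with the Snorby MySQL credentials; the temp directory, the sensor hostname and the interface em0 are assumptions for the demo), checks it, and then checks a deliberately broken copy to show what the failures look like.<br />

```shell
#!/bin/sh
# Added example for this writeup; not part of the original post or of barnyard2.
# Preflight check for the barnyard2.conf edits described above, run before
# "barnyard2 -c ... -D". It builds a constructed sample config in a temp dir
# (all paths, the sensor hostname and the interface are assumptions for the demo),
# then checks the things that most often leave Snorby with an empty event table.

# by2_preflight CONF
#   Prints one line per problem found and returns 1; returns 0 if the config looks usable.
by2_preflight() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf"
        return 1
    fi
    # barnyard2 only reads Snort's unified2 spool when 'input unified2' is set
    grep -Eq '^[[:space:]]*input[[:space:]]+unified2' "$conf" \
        || { echo "missing 'input unified2'"; rc=1; }
    # Snorby reads events from MySQL, so an 'output database: log, mysql, ...' line is required
    grep -Eq '^[[:space:]]*output[[:space:]]+database:[[:space:]]*log,[[:space:]]*mysql' "$conf" \
        || { echo "missing 'output database: log, mysql, ...'"; rc=1; }
    # an empty password= is a common leftover from the shipped example line
    grep -Eq 'password=([[:space:]]|$)' "$conf" \
        && { echo "empty database password on the output line"; rc=1; }
    # the map and config files barnyard2 needs to decode events must exist
    # (word splitting here assumes the paths contain no spaces)
    for f in $(awk '/^[[:space:]]*config[[:space:]]+(reference_file|classification_file|gen_file|sid_file):/ { print $3 }' "$conf"); do
        [ -r "$f" ] || { echo "referenced file not found: $f"; rc=1; }
    done
    return "$rc"
}

# Constructed sample config with the directives the post tells you to edit.
demo=$(mktemp -d)
for f in reference.config classification.config gen-msg.map sid-msg.map; do
    : > "$demo/$f"
done
cat > "$demo/barnyard2.conf" <<EOF
config reference_file:      $demo/reference.config
config classification_file: $demo/classification.config
config gen_file:            $demo/gen-msg.map
config sid_file:            $demo/sid-msg.map
config hostname:  sensor1
config interface: em0

input unified2

output database: log, mysql, user=snorby password=snorby dbname=snort host=localhost
EOF

# A broken copy: the input line is missing and the sid-msg.map path is wrong.
sed -e '/^input/d' -e 's#sid-msg\.map#sid-msg.map.missing#' \
    "$demo/barnyard2.conf" > "$demo/broken.conf"

by2_preflight "$demo/barnyard2.conf" && echo "barnyard2.conf: ok"
by2_preflight "$demo/broken.conf" || echo "broken.conf: fix the problems above before starting barnyard2"
```

Run it as the same user that will run barnyard2, so the readability checks reflect what barnyard2 can actually open, and point it at /usr/local/etc/snort/barnyard2.conf instead of the sample. It is easy to extend by2_preflight with whatever else has bitten you, for instance that the -d directory is where Snort really writes snortunified2.log.<br />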
<br />
Please note that there are a number of security considerations that I did not take into account here: everything above runs as root, the Snorby default login is left in place, the gems and the Snorby checkout are pulled down without any signature verification (git:// is an unauthenticated transport), and the MySQL password sits in clear text in database.yml and barnyard2.conf. Treat this as a lab build and take that into consideration before exposing it to a real network.<br />
<br />
Overall, I give Snorby a good rating; it certainly has lots of eye candy at this point. Mephux promises that much of the functionality that everyone wants is coming shortly. I would say that Snorby has a good start and promises to be a decent, usable frontend for viewing Snort events. Is it a <a href="http://sguil.sourceforge.net/">sguil</a>? Certainly not, but it does look like it will be a decent alternative to <a href="http://base.secureideas.net/">BASE</a>.<br />
<br />
Cheers,<br />
JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-2566394541282338492009-07-15T12:11:00.002-04:002009-07-15T12:14:57.047-04:00PayPal shuts Hackers for Charity down?Yesterday, PayPal froze the assets of <a href="http://www.hackersforcharity.org/">hackersforcharity.org</a>; please read more at the link below and spread the word of the evils ;-)<br /><blockquote>"I had a subscription system running under WP-MEMBER for about a year before that software flaked out on me. Multiple domains caused problems that were irreconcilable. I had donations for our work in Africa coming in (not through wp-member) and a few hundred subscribers to Informer through wp-member. All said, when I switched to Suma, I had 10,000$US in my personal paypal account. That was my family’s support money as well as money for our food program in Kenya."<br /></blockquote><a href="http://www.hackersforcharity.org/259/paypal-shuts-us-down/">http://www.hackersforcharity.org/259/paypal-shuts-us-down/</a><br /><br />I thought about writing a long rant today, but simply don't have the energy... 
please read the above link for rant material.<br /><br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com1tag:blogger.com,1999:blog-3486144322043340030.post-48457762190768249612009-06-25T15:26:00.007-04:002009-06-25T15:42:01.563-04:00BASE / ACID outdated reference links - a fix<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9LPE2P5vhbnfXnDjy7EA8ePGTwJ0kEoppLMKAlr7MlerNjdIaVJv0t8abF5Mgh6iFYOqUPXpMjMY2yo-NabSK5xA4RvR2uFt7WmwtnE8NuJXCRyCooMYLo7zMn7buLx25Wy8oJQX7YCo/s1600-h/reference.gif"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 200px; height: 142px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9LPE2P5vhbnfXnDjy7EA8ePGTwJ0kEoppLMKAlr7MlerNjdIaVJv0t8abF5Mgh6iFYOqUPXpMjMY2yo-NabSK5xA4RvR2uFt7WmwtnE8NuJXCRyCooMYLo7zMn7buLx25Wy8oJQX7YCo/s200/reference.gif" alt="" id="BLOGGER_PHOTO_ID_5351351282075068322" border="0" /></a>Recently, with changes to the <a href="http://www.snort.org/">snort.org</a> site, the <a href="http://www.snort.org/">Snort</a> mailing lists have been inundated with questions about the SID reference link, which no longer works. 
As a partial means of compensating for this and to help the community, we have recently added an up-to-date tool at rootedyour.com that lets you once again have a valid Snort reference link.<br /><br />In BASE, simply locate the following section of your base_conf.php:<br /><blockquote> /* Signature references */<br />$external_sig_link = array('bugtraq' => array('http://www.securityfocus.com/bid/', ''),<br /> 'snort' => array('http://www.snort.org/pub-bin/sigs.cgi?sid=', ''),<br /> 'cve' => array('http://cve.mitre.org/cgi-bin/cvename.cgi?name=', ''),<br /> 'arachnids' => array('http://www.whitehats.com/info/ids', ''),<br /> 'mcafee' => array('http://vil.nai.com/vil/content/v_', '.htm'),<br /> 'icat' => array('http://icat.nist.gov/icat.cfm?cvename=CAN-', ''),<br /> 'nessus' => array('http://www.nessus.org/plugins/index.php?view=single&id=', ''),<br /> 'url' => array('http://', ''),<br /> 'local' => array('signatures/', '.txt'));</blockquote><br />and modify the 'snort' line to match:<br /><blockquote>'snort' => array('http://www.rootedyour.com/snortsid?sid=', ''),</blockquote>Once this is done you are all set: the Snort documentation link in BASE will now take you to rootedyour.com and display the info for that SID.<br /><br />Obviously, if you want to do this in other applications, simply point them to http://www.rootedyour.com/snortsid?sid=xxxxx, where xxxxx is the SID that you want to know about. 
ex: <a href="http://rootedyour.com/snortsid?sid=234">http://rootedyour.com/snortsid?sid=234</a><br /><br />Cheers,<br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com2tag:blogger.com,1999:blog-3486144322043340030.post-172010176168656162009-06-23T11:41:00.004-04:002009-06-23T11:51:37.411-04:00Fly Clear, Sensitive Data Disposal ConcernsEarly today, the company that produces the Clear Pass announced via press release and on their website that they were shutting down operations effective at 23:00 on June 22.<br /><br />Noted on their website:<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXj12-mhzn1kfarw8YI__XAd9r-Mft4dPkCdjuuNNE3Uk65ZkaYrQJ6W-5Ko2pZIGa78V7naJw8Aqg9ihXyYqhslVNrMGEJ9Sy8wY_r9bnXj22uN1qeDuqf23FpNbigcXfv0-igGgk3Kg/s1600-h/flyclear.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 142px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXj12-mhzn1kfarw8YI__XAd9r-Mft4dPkCdjuuNNE3Uk65ZkaYrQJ6W-5Ko2pZIGa78V7naJw8Aqg9ihXyYqhslVNrMGEJ9Sy8wY_r9bnXj22uN1qeDuqf23FpNbigcXfv0-igGgk3Kg/s320/flyclear.png" alt="" id="BLOGGER_PHOTO_ID_5350549653220914946" border="0" /></a>Spokespeople at various Clear-equipped airports said that qualified Clear users would be allowed to pass through the "premium" lanes at said airports.<br /><br />Of course, to me, this leaves a big question out there: WHAT IS GOING TO HAPPEN WITH THE BIOMETRIC DATA? I mean, these guys collected BIOMETRIC and more info (retinal scans, complete fingerprint sets, background information, credit information, etc.) and what is going to happen to this data? Will it be sold off to the highest bidder, handed over to one of the many alphabet soup government agencies, placed into a dumpster by an angry employee, or what? That is of course the only question that I have. 
If you were one of the many that signed up, you had the option to opt in or out of their program that shared the biometric information with the feds, but what now? My largest concern is of course the first and third items that I listed. What do you think?<br /><br />Cheers,<br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0tag:blogger.com,1999:blog-3486144322043340030.post-85100950552986593632009-06-16T13:07:00.003-04:002009-06-16T13:14:26.400-04:00pulledpork included in Security Onion LiveCD<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyqDVM0mOZQLZAFMkbuqkPZ1Aj7lkl5yR0TmoENO9T6gmqIarRFchyCqCSpqT-uyTP5V030WzAwyof0DEQtHCNpQE8ZEXbIAJwOML4gTEPm7rDkKnP6fqlsMCN5o3xEFH_RQyXrtF8DHU/s1600-h/flaming_cd_hand.jpg"><img style="margin: 0pt 10px 10px 0pt; float: left; cursor: pointer; width: 156px; height: 156px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyqDVM0mOZQLZAFMkbuqkPZ1Aj7lkl5yR0TmoENO9T6gmqIarRFchyCqCSpqT-uyTP5V030WzAwyof0DEQtHCNpQE8ZEXbIAJwOML4gTEPm7rDkKnP6fqlsMCN5o3xEFH_RQyXrtF8DHU/s200/flaming_cd_hand.jpg" alt="" id="BLOGGER_PHOTO_ID_5347974838021365602" border="0" /></a>Today, <a href="http://securityonion.blogspot.com/">Doug Burks</a> (the creator of the <a href="http://distro.ibiblio.org/pub/linux/distributions/security-onion/">Security Onion LiveCD</a>) announced the release of the latest rev of this tool. 
Included in this tool are "you guessed it" <a href="http://code.google.com/p/pulledpork/">pulledpork</a> and a number of other useful tools to the sekuritah professional :-)<br /><br />Read more here => <a href="http://securityonion.blogspot.com/2009/06/security-onion-livecd-20090613.html">http://securityonion.blogspot.com/2009/06/security-onion-livecd-20090613.html</a><br /><br />I would like to extend a thanks to Doug for his work on this tool and the inclusion of <a href="http://code.google.com/p/pulledpork/">pulledpork</a> and the other tools. While I have not yet had the opportunity to download and try out this LiveCD, I will be doing so soon.<br /><br />Cheers,<br />JJCJJChttp://www.blogger.com/profile/08102466843919236000noreply@blogger.com0