Thursday, October 21, 2010

Haz The Drowning Rat? - PulledPork 0.5.0 is now floating!

This release of PulledPork (The Drowning Rat) represents quite a bit of development: a number of community requested capabilities were added, a few existing ones changed, and some bugs repaired!  Again, I would like to thank the community for their support, contribution and use of the PulledPork Snort rule management system.  The next section is an excerpt from the README.CHANGES, and below that I discuss some example use-cases and include some sample output.

PulledPork Changelog

v0.5.0

New Features / changes:
- Automatic VRT tarball name determination (based on local Snort Version)
- Full support for ET Pro rulesets
- Full support for new ET Download scheme
- Issue #27 Modifysid capability
- Capability to retrieve multiple rulesets in a single run
- Issue #24 Added verbose output showing all requests, results and urls
- Verbose output now shows percentage bar for downloads
- Extra Verbose output now shows additional HTTP debug!
- Set value in default.conf file to https for VRT downloads
- Set UA Value to (PulledPork/X.X.X)
- Capability to log critical information to syslog
- Grabonly option, for those that only want to download the tarball(s)
- Issue #34 Added the capability to specify the order of disable / enable / drop
    using the state_order configuration option in the master config file
- Added a contrib directory
- Added oink-conv.pl to contrib directory
    * converts oinkmaster config files to PP config files
    * Thx Russell Fulton!
- Added README.CONTRIB to track contrib files (ohai manifest)
- Perl Module Requirement Changes (SEE SECTION BELOW)
- Issue #38 Added capability to extract reference docs from tarball and
    store in a defined path, NOTE this dramatically increases PP runtime
    * runtime value is -r

Bug Fixes:
- Should now correctly use environmentally set proxy settings
    * Shout to pkthound for his work and contribution here!
- Fixed case where rules with multiple flowbit (un)?set values would not
    properly populate all of the flowbit values into the rules hash
- Bug #29 - fixed to allow for proper sid-msg.map generation
- Bug #28 - fixed numerous spellification issues
- Bug #32 - fixed to allow for so stub generation in nodownload and !nodownload case


Perl Module Requirement Changes:
- LWP::Simple no longer required
- LWP::UserAgent now required
- HTTP::Request now required
- HTTP::Status now required
- SYS::Syslog now required
- Crypt::SSLeay now required
- Carp now required

As you can see, and as I had indicated, there are a number of significant improvements and fixes.  It is important to note that the master config has a number of new and changed options, and that there is a new modifysid.conf file that allows you to modify rules based on regular expression matches etc...

Of course we also now fully support the ET Pro and the new ET open rulesets, and can download multiple rulesets in a single run, rather than needing multiple config files that reference other .rules files as local rules etc...

One other seemingly insignificant change is the capability to change the order in which the rule modification routines run, which gives you more granular control over rule state.  The default processing order is (enable, drop, disable).  This can now be changed, for example to disable all rules in a specific category (or however else you select them) and then selectively enable rules out of that category, by simply changing the run order to disable,drop,enable.  Combining this with the pcre, category, modifysid etc.. capabilities gives you quite a bit of versatility.
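To make the order dependence concrete, here is a small model of the three state passes with a configurable state_order. It is an added example and not PulledPork's own code: the rule syntax, the category-comes-from-the-.rules-file-name convention and the enable / drop / disable passes follow the post, while the selector syntax ('category:NAME' or a bare SID), the (sid, regex, replacement) shape of the modifysid entries and running them after the state passes are this example's own assumptions.

```python
"""Model PulledPork-style rule state processing with a configurable state_order.

Added example, not PulledPork's own code. Assumptions: selectors are a bare SID
or 'category:<name>', and modifysid-style regex edits run after the state passes.
"""
import re

# Constructed sample rules; the category is the .rules file name, as in the VRT tarball.
SAMPLE_RULES = {
    "web-client.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT sample one"; sid:1000001; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT sample two"; sid:1000002; rev:1;)',
    ],
    "policy.rules": [
        'alert tcp any any -> any any (msg:"POLICY sample three"; sid:1000003; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def load_rules(files):
    """Return {sid: {'rule': text, 'category': name, 'state': 'enabled'}}."""
    rules = {}
    for fname, lines in files.items():
        category = fname[:-len(".rules")] if fname.endswith(".rules") else fname
        for line in lines:
            m = SID_RE.search(line)
            if m:  # lines without a sid (comments, blanks) carry no state
                rules[int(m.group(1))] = {"rule": line, "category": category, "state": "enabled"}
    return rules


def selected(sid, rule, selectors):
    """A selector is a bare SID (int) or 'category:<name>' (assumed syntax)."""
    return any(sel == sid or sel == "category:" + rule["category"] for sel in selectors)


def process(files, enable=(), drop=(), disable=(), modify=(),
            state_order=("enable", "drop", "disable")):
    """Run the three passes in state_order; a later pass overrides an earlier one."""
    rules = load_rules(files)
    passes = {"enable": ("enabled", enable), "drop": ("drop", drop), "disable": ("disabled", disable)}
    for name in state_order:
        new_state, selectors = passes[name]
        for sid, rule in rules.items():
            if selected(sid, rule, selectors):
                rule["state"] = new_state
    # modifysid-style edits: (sid, pattern, replacement); running them last is an assumption
    for sid, pattern, repl in modify:
        if sid in rules:
            rules[sid]["rule"] = re.sub(pattern, repl, rules[sid]["rule"])
    return rules


def states(files, **kw):
    """Final state per SID, sorted by SID."""
    return {sid: r["state"] for sid, r in sorted(process(files, **kw).items())}


def render(files, **kw):
    """Emit snort.rules lines: disabled rules commented out, drop rules with the drop action."""
    out = []
    for sid, r in sorted(process(files, **kw).items()):
        if r["state"] == "disabled":
            out.append("# " + r["rule"])
        elif r["state"] == "drop":
            out.append(re.sub(r"^alert\b", "drop", r["rule"]))
        else:
            out.append(r["rule"])
    return out


if __name__ == "__main__":
    sel = dict(enable=[1000001], disable=["category:web-client"], drop=[1000003])
    print("enable,drop,disable:", states(SAMPLE_RULES, **sel))
    print("disable,drop,enable:", states(SAMPLE_RULES, state_order=("disable", "drop", "enable"), **sel))
```

With the default order the category-wide disable runs last and silently undoes the single-SID enable; with disable,drop,enable the enable wins, which is the "disable the category, then cherry-pick" workflow described above. Whatever order you choose, review the resulting sid_changes.log, because a pass that runs last overrides everything before it.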

So, without further ado, I give you:
    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.5.0 The Drowning Rat
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2010 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2861.tar.gz....
    They Match
    Done!
Prepping rules from snortrules-snapshot-2861.tar.gz for work....
    Done!
Checking latest MD5 for etpro.rules.tar.gz....
    They Match
    Done!
Prepping rules from etpro.rules.tar.gz for work....
    Done!
Checking latest MD5 for emerging.rules.tar.gz....
    They Match
    Done!
Prepping rules from emerging.rules.tar.gz for work....
    Done!
Reading rules...
Reading rules...
Activating security rulesets....
    Done
Setting Flowbit State....
    Enabled 264 flowbits
    Enabled 29 flowbits
    Enabled 4 flowbits
    Enabled 2 flowbits
    Done
Writing /home/jj/snort.rules....
    Done
Generating sid-msg.map....
    Done
Writing /home/jj/sid-msg.map....
    Done
Writing /home/jj/sid_changes.log....
    Done
Rule Stats....
    New:-------0
    Deleted:---0
    Enabled Rules:----4506
    Dropped Rules:----0
    Disabled Rules:---17797
    Total Rules:------22303
    Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!
Bah, Paste chopped my flying pig up ;-)

Get it here:
pulledpork-0.5.0.tar.gz latest hashes:
MD5SUM = 60c0abe78945876c643760b3bb2afdb6
SHA256 = 9e69873d737e4fc8dfd9b3a98316e4ff41bd8c4accda72f18036b96568c48872
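The same check PulledPork runs on the rule tarballs ("Checking latest MD5 ... They Match") applies to the release tarball itself against the hashes published above. Below is an added example, not PulledPork's own code, that parses a "MD5SUM = ... / SHA256 = ..." block like the one just shown and verifies a downloaded file against it; the sample content (the bytes "abc") and its digests are constructed for the demonstration.

```python
"""Verify a downloaded tarball against published MD5SUM / SHA256 lines.

Added example, not PulledPork's own code. The hash block format mirrors the
'latest hashes' lines in the post; the sample data below is constructed.
"""
import hashlib
import hmac

# Constructed sample: the bytes b"abc" and their well-known digests.
SAMPLE_DATA = b"abc"
SAMPLE_HASH_BLOCK = """\
pulledpork-X.Y.Z.tar.gz latest hashes:
MD5SUM = 900150983cd24fb0d6963f7d28e17f72
SHA256 = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
"""

ALGOS = {"MD5": hashlib.md5, "SHA256": hashlib.sha256}


def parse_hash_block(text):
    """Turn 'MD5SUM = <hex>' / 'SHA256 = <hex>' lines into {'MD5': hex, 'SHA256': hex}."""
    published = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # the title line carries no digest
        name = key.strip().upper()
        if name.endswith("SUM"):
            name = name[:-3]
        if name in ALGOS:
            published[name] = value.strip().lower()
    return published


def digests(data, names=ALGOS):
    """Compute the requested digests of in-memory data."""
    return {name: ALGOS[name](data).hexdigest() for name in names}


def failed_digests(data, published):
    """Return the names of published digests that do NOT match (empty list = OK).

    compare_digest keeps the comparison constant-time; with both digests published,
    treat a SHA256 mismatch as decisive since MD5 alone is no longer collision-resistant.
    """
    actual = digests(data, published.keys())
    return [name for name, expected in published.items()
            if not hmac.compare_digest(actual[name], expected)]


def verify_file(path, hash_block_text, chunk=1 << 20):
    """Stream a file from disk and verify it against a published hash block."""
    published = parse_hash_block(hash_block_text)
    hashers = {name: ALGOS[name]() for name in published}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    actual = {name: h.hexdigest() for name, h in hashers.items()}
    return [name for name, expected in published.items()
            if not hmac.compare_digest(actual[name], expected)]


if __name__ == "__main__":
    bad = failed_digests(SAMPLE_DATA, parse_hash_block(SAMPLE_HASH_BLOCK))
    print("They Match" if not bad else "MISMATCH on %s" % ", ".join(bad))
```

Use verify_file("pulledpork-0.5.0.tar.gz", block_text) on the real download; a non-empty result means the tarball should not be unpacked or installed.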

Cheers,
JJC 

Monday, October 4, 2010

Snort 2.9.0 is teh outed, must haz bakon!!

Snort 2.9.0 introduces:
  • Feature rich IPS mode including improvements to Stream for inline deployments. Additionally a common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
  • Use of a Data Acquisition API (DAQ) that supports many different packet access methods including libpcap, netfilterq, IPFW, and afpacket. For libpcap, version 1.0 or higher is now required. The DAQ library can be updated independently from Snort and is a separate module that Snort links. See README.daq for details on using Snort and the new DAQ.
  • Updates to HTTP Inspect to extract and log IP addresses from X-Forward-For and True-Client-IP header fields when Snort generates events on HTTP traffic.
  • A new rule option 'byte_extract' that allows extracted values to be used in subsequent rule options for isdataat, byte_test, byte_jump, and content distance/within/depth/offset.
  • Updates to SMTP preprocessor to support MIME attachment decoding across multiple packets.
  • Ability to "test" drop rules using Inline Test Mode. Snort will indicate a packet would have been dropped in the unified2 or console event log if policy mode was set to inline.
  • Two new rule options to support base64 decoding of certain pieces of data and inspection of the base64 data via subsequent rule options.
  • Updates to the Snort packet decoders for IPv6 for improvements to anomaly detection.
  • Added a new pattern matcher that supports Intel's Quick Assist Technology for improved performance on supported hardware platforms. Visit http://www.intel.com to find out more about Intel Quick Assist. The following document describes Snort's integration with the Quick Assist Technology: http://download.intel.com/embedded/applications/networksecurity/324029.pdf.
  • Reference applications for reading unified2 output that handle all unified2 record formats used by Snort.
Snort 2.9.0 is now available at http://www.snort.org/snort-downloads. Please see the Release Notes and ChangeLog for more details.

Wednesday, September 8, 2010

The Pig Doktah is Born! - A Snort Performance Monitor Interpretation Tool

After receiving a variety of feedback via email, irc, twitter and even some comments on this blog, I have decided to start an updated and maintained project to parse, display, and ultimately make configuration / tuning suggestions based on the snort performance monitor output.  As you may have guessed by now, this tool is called the Pig Doktah and can be found at http://thepigdoktah.googlecode.com.  The current version reads snort performance monitor output and stores it in a hash for quick access, sorting etc...

I am still quite interested in which specific metrics people are most interested in, so please don't hesitate to hit me up via comment on this blog, irc (freenode - #snort), email, or twitter.

During the development, and for the foreseeable future, I will have the latest version of the code sending output to this location on an hourly basis: http://rootedyour.com/enhanced/pminfo.htm

Sample output:
-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
    Processed: /var/tmp/snortstat
    First Entry: Wed Sep  1 11:34:05 2010
    Last Entry: Wed Sep  8 09:00:17 2010
    Time Span: 6 days, 21 hours, 26 minutes and 12 seconds

Wirespeed:
    High: 10.613 Mbits/Sec | Sat Sep  4 07:59:48 2010
    Low: 0.006 Mbits/Sec | Sat Sep  4 07:12:47 2010
    Avg: 1.953 Mbits/Sec
  
% Packet Loss:
    High: 10.504% | Sat Sep  4 03:00:00 2010
    Low: 0.000% | Wed Sep  8 08:41:27 2010
    Avg: 1.002%

Additional Info:
    Avg Pkt Size: 803.413 bytes
    Avg Syns/Sec: 0.181
    Avg SynAcks/Sec: 0.124
    Avg Alerts/Sec: 0.001
    Avg Current Cached Sessions: 6671.668

Raw Values:
     alerts avg = 0.001
     alerts high = 0.032
     alerts high_date = Wed Sep  1 12:32:57 2010
     alerts low = 0.000
     alerts low_date = Wed Sep  8 09:00:17 2010
     attrib_hosts_current avg = 0.000
     attrib_hosts_current high = 0.000
     attrib_hosts_current high_date = Wed Sep  8 09:00:17 2010
     attrib_hosts_current low = 0.000
     attrib_hosts_current low_date = Wed Sep  8 09:00:17 2010
     attrib_reloads avg = 0.000
     attrib_reloads high = 0
     attrib_reloads high_date = Wed Sep  8 09:00:17 2010
     attrib_reloads low = 0
     attrib_reloads low_date = Wed Sep  8 09:00:17 2010
     bytes_applayer avg = 0.252
     bytes_applayer high = 1.352
     bytes_applayer high_date = Sat Sep  4 07:59:48 2010
     bytes_applayer low = 0.006
     bytes_applayer low_date = Tue Sep  7 09:13:56 2010
     bytes_ipfrag avg = 0.000
     bytes_ipfrag high = 0
     bytes_ipfrag high_date = Wed Sep  8 09:00:17 2010
     bytes_ipfrag low = 0
     bytes_ipfrag low_date = Wed Sep  8 09:00:17 2010
     bytes_ipreass avg = 2279.291
     bytes_ipreass high = 3660
     bytes_ipreass high_date = Thu Sep  2 13:47:36 2010
     bytes_ipreass low = 368
     bytes_ipreass low_date = Thu Sep  2 10:22:15 2010
     bytes_tcprebuilt avg = 892.669
     bytes_tcprebuilt high = 1458
     bytes_tcprebuilt high_date = Sun Sep  5 15:19:06 2010
     bytes_tcprebuilt low = 136
     bytes_tcprebuilt low_date = Sat Sep  4 00:58:27 2010
     cpu1_idle avg = 95.767
     cpu1_idle high = 99.977
     cpu1_idle high_date = Sat Sep  4 00:58:27 2010
     cpu1_idle low = 69.943
     cpu1_idle low_date = Tue Sep  7 06:20:11 2010
     cpu1_sys avg = 0.051
     cpu1_sys high = 0.287
     cpu1_sys high_date = Sat Sep  4 07:59:48 2010
     cpu1_sys low = 0.000
     cpu1_sys low_date = Wed Sep  8 08:07:19 2010
     cpu1_user avg = 4.183
     cpu1_user high = 29.860
     cpu1_user high_date = Tue Sep  7 06:20:11 2010
     cpu1_user low = 0.023
     cpu1_user low_date = Sat Sep  4 00:58:27 2010
     cpu_count avg = 1.000
     cpu_count high = 1
     cpu_count high_date = Wed Sep  8 09:00:17 2010
     cpu_count low = 1
     cpu_count low_date = Wed Sep  8 09:00:17 2010
     drops avg = 1.002
     drops high = 10.504
     drops high_date = Sat Sep  4 03:00:00 2010
     drops low = 0.000
     drops low_date = Wed Sep  8 08:41:27 2010
     filtered_tcp avg = 3790.598
     filtered_tcp high = 45608
     filtered_tcp high_date = Tue Sep  7 09:24:12 2010
     filtered_tcp low = 85
     filtered_tcp low_date = Wed Sep  1 11:50:25 2010
     filtered_udp avg = 3790.598
     filtered_udp high = 45608
     filtered_udp high_date = Tue Sep  7 09:24:12 2010
     filtered_udp low = 85
     filtered_udp low_date = Wed Sep  1 11:50:25 2010
     frag_auto avg = 0.000
     frag_auto high = 0.000
     frag_auto high_date = Wed Sep  8 09:00:17 2010
     frag_auto low = 0.000
     frag_auto low_date = Wed Sep  8 09:00:17 2010
     frag_complete avg = 0.000
     frag_complete high = 0.000
     frag_complete high_date = Wed Sep  8 09:00:17 2010
     frag_complete low = 0.000
     frag_complete low_date = Wed Sep  8 09:00:17 2010
     frag_current avg = 0.000
     frag_current high = 0
     frag_current high_date = Wed Sep  8 09:00:17 2010
     frag_current low = 0
     frag_current low_date = Wed Sep  8 09:00:17 2010
     frag_delete avg = 0.000
     frag_delete high = 0.000
     frag_delete high_date = Wed Sep  8 09:00:17 2010
     frag_delete low = 0.000
     frag_delete low_date = Wed Sep  8 09:00:17 2010
     frag_faults avg = 0.000
     frag_faults high = 0
     frag_faults high_date = Wed Sep  8 09:00:17 2010
     frag_faults low = 0
     frag_faults low_date = Wed Sep  8 09:00:17 2010
     frag_flushes avg = 0.000
     frag_flushes high = 0.000
     frag_flushes high_date = Wed Sep  8 09:00:17 2010
     frag_flushes low = 0.000
     frag_flushes low_date = Wed Sep  8 09:00:17 2010
     frag_insert avg = 0.000
     frag_insert high = 0.000
     frag_insert high_date = Wed Sep  8 09:00:17 2010
     frag_insert low = 0.000
     frag_insert low_date = Wed Sep  8 09:00:17 2010
     frag_max avg = 0.000
     frag_max high = 0
     frag_max high_date = Wed Sep  8 09:00:17 2010
     frag_max low = 0
     frag_max low_date = Wed Sep  8 09:00:17 2010
     frag_new avg = 0.000
     frag_new high = 0.000
     frag_new high_date = Wed Sep  8 09:00:17 2010
     frag_new low = 0.000
     frag_new low_date = Wed Sep  8 09:00:17 2010
     frag_timeout avg = 0.000
     frag_timeout high = 0
     frag_timeout high_date = Wed Sep  8 09:00:17 2010
     frag_timeout low = 0
     frag_timeout low_date = Wed Sep  8 09:00:17 2010
     kpkts_applayer avg = 121425.178
     kpkts_applayer high = 444882
     kpkts_applayer high_date = Thu Sep  2 22:42:20 2010
     kpkts_applayer low = 5738
     kpkts_applayer low_date = Wed Sep  1 18:55:09 2010
     kpkts_ipfrag avg = 0.000
     kpkts_ipfrag high = 0.000
     kpkts_ipfrag high_date = Wed Sep  8 09:00:17 2010
     kpkts_ipfrag low = 0.000
     kpkts_ipfrag low_date = Wed Sep  8 09:00:17 2010
     kpkts_ipreass avg = 0.022
     kpkts_ipreass high = 0.366
     kpkts_ipreass high_date = Tue Sep  7 06:20:11 2010
     kpkts_ipreass low = 0.000
     kpkts_ipreass low_date = Wed Sep  8 08:31:29 2010
     kpkts_iptcprebuilt avg = 0.273
     kpkts_iptcprebuilt high = 1.646
     kpkts_iptcprebuilt high_date = Thu Sep  2 22:42:20 2010
     kpkts_iptcprebuilt low = 0.006
     kpkts_iptcprebuilt low_date = Tue Sep  7 09:13:56 2010
     kpkts_wire avg = 0.252
     kpkts_wire high = 1.352
     kpkts_wire high_date = Sat Sep  4 07:59:48 2010
     kpkts_wire low = 0.006
     kpkts_wire low_date = Tue Sep  7 09:13:56 2010
     mbits_applayer avg = 803.413
     mbits_applayer high = 1009
     mbits_applayer high_date = Sat Sep  4 08:09:48 2010
     mbits_applayer low = 120
     mbits_applayer low_date = Mon Sep  6 05:52:07 2010
     mbits_ipfrag avg = 2.434
     mbits_ipfrag high = 17.685
     mbits_ipfrag high_date = Tue Sep  7 06:20:11 2010
     mbits_ipfrag low = 0.007
     mbits_ipfrag low_date = Mon Sep  6 17:12:03 2010
     mbits_ipreass avg = 0.000
     mbits_ipreass high = 0.000
     mbits_ipreass high_date = Wed Sep  8 09:00:17 2010
     mbits_ipreass low = 0.000
     mbits_ipreass low_date = Wed Sep  8 09:00:17 2010
     mbits_tcprebuilt avg = 0.482
     mbits_tcprebuilt high = 8.324
     mbits_tcprebuilt high_date = Tue Sep  7 06:20:11 2010
     mbits_tcprebuilt low = 0.000
     mbits_tcprebuilt low_date = Tue Sep  7 01:11:34 2010
     mbps_snort avg = 0.000
     mbps_snort high = 0
     mbps_snort high_date = Wed Sep  8 09:00:17 2010
     mbps_snort low = 0
     mbps_snort low_date = Wed Sep  8 09:00:17 2010
     mbps_wire avg = 1.953
     mbps_wire high = 10.613
     mbps_wire high_date = Sat Sep  4 07:59:48 2010
     mbps_wire low = 0.006
     mbps_wire low_date = Sat Sep  4 07:12:47 2010
     patmatch avg = 320.575
     patmatch high = 556.312
     patmatch high_date = Sun Sep  5 19:37:37 2010
     patmatch low = 2.946
     patmatch low_date = Wed Sep  8 07:11:52 2010
     pktbytes avg = 803.413
     pktbytes high = 1009
     pktbytes high_date = Sat Sep  4 08:09:48 2010
     pktbytes low = 120
     pktbytes low_date = Mon Sep  6 05:52:07 2010
     pkts_blocked avg = 0.229
     pkts_blocked high = 14.322
     pkts_blocked high_date = Sun Sep  5 20:50:12 2010
     pkts_blocked low = 0.109
     pkts_blocked low_date = Sat Sep  4 01:34:34 2010
     pkts_dropped avg = 0.000
     pkts_dropped high = 0
     pkts_dropped high_date = Wed Sep  8 09:00:17 2010
     pkts_dropped low = 0
     pkts_dropped low_date = Wed Sep  8 09:00:17 2010
     pkts_dropped_percentage avg = 0.172
     pkts_dropped_percentage high = 9.096
     pkts_dropped_percentage high_date = Sun Sep  5 20:50:12 2010
     pkts_dropped_percentage low = 0.003
     pkts_dropped_percentage low_date = Wed Sep  1 11:50:25 2010
     pkts_total avg = 2106.252
     pkts_total high = 38320
     pkts_total high_date = Thu Sep  2 22:42:20 2010
     pkts_total low = 0
     pkts_total low_date = Wed Sep  8 08:41:27 2010
     sessions_close avg = 0.000
     sessions_close high = 0.000
     sessions_close high_date = Wed Sep  8 09:00:17 2010
     sessions_close low = 0.000
     sessions_close low_date = Wed Sep  8 09:00:17 2010
     sessions_closed avg = 1024.846
     sessions_closed high = 2980
     sessions_closed high_date = Mon Sep  6 12:37:55 2010
     sessions_closed low = 2
     sessions_closed low_date = Wed Sep  1 11:34:05 2010
     sessions_cur avg = 6671.668
     sessions_cur high = 8173
     sessions_cur high_date = Sun Sep  5 21:10:31 2010
     sessions_cur low = 51
     sessions_cur low_date = Wed Sep  1 11:34:05 2010
     sessions_del avg = 0.177
     sessions_del high = 3.055
     sessions_del high_date = Mon Sep  6 05:52:07 2010
     sessions_del low = 0.000
     sessions_del low_date = Sun Sep  5 19:53:29 2010
     sessions_dropped avg = 0.001
     sessions_dropped high = 0.006
     sessions_dropped high_date = Wed Sep  1 11:50:25 2010
     sessions_dropped low = 0.000
     sessions_dropped low_date = Wed Sep  8 09:00:17 2010
     sessions_est avg = 0.376
     sessions_est high = 11.686
     sessions_est high_date = Sun Sep  5 20:50:12 2010
     sessions_est low = 0.003
     sessions_est low_date = Wed Sep  1 11:50:25 2010
     sessions_init avg = 0.001
     sessions_init high = 0.174
     sessions_init high_date = Tue Sep  7 18:18:34 2010
     sessions_init low = 0.000
     sessions_init low_date = Wed Sep  8 08:46:27 2010
     sessions_max avg = 0.000
     sessions_max high = 0.000
     sessions_max high_date = Wed Sep  8 09:00:17 2010
     sessions_max low = 0.000
     sessions_max low_date = Wed Sep  8 09:00:17 2010
     sessions_midstream avg = 6703.818
     sessions_midstream high = 8175
     sessions_midstream high_date = Sun Sep  5 21:03:29 2010
     sessions_midstream low = 51
     sessions_midstream low_date = Wed Sep  1 11:34:05 2010
     sessions_new avg = 0.165
     sessions_new high = 3.062
     sessions_new high_date = Mon Sep  6 05:52:07 2010
     sessions_new low = 0.016
     sessions_new low_date = Fri Sep  3 20:12:36 2010
     sessions_pruned avg = 579.871
     sessions_pruned high = 953
     sessions_pruned high_date = Sun Sep  5 08:30:47 2010
     sessions_pruned low = 3
     sessions_pruned low_date = Wed Sep  1 11:50:25 2010
     sessions_timedout avg = 5066.950
     sessions_timedout high = 7586
     sessions_timedout high_date = Sun Sep  5 21:22:42 2010
     sessions_timedout low = 31
     sessions_timedout low_date = Wed Sep  1 11:34:05 2010
     sessions_udp_cachedSsns_sec avg = 0.000
     sessions_udp_cachedSsns_sec high = 0
     sessions_udp_cachedSsns_sec high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cachedSsns_sec low = 0
     sessions_udp_cachedSsns_sec low_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_current avg = 0.000
     sessions_udp_cached_current high = 0.000
     sessions_udp_cached_current high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_current low = 0.000
     sessions_udp_cached_current low_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_max avg = 0.000
     sessions_udp_cached_max high = 0
     sessions_udp_cached_max high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_max low = 0
     sessions_udp_cached_max low_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_sec avg = 0.000
     sessions_udp_cached_sec high = 0
     sessions_udp_cached_sec high_date = Wed Sep  8 09:00:17 2010
     sessions_udp_cached_sec low = 0
     sessions_udp_cached_sec low_date = Wed Sep  8 09:00:17 2010
     stream_fault avg = 13.182
     stream_fault high = 59
     stream_fault high_date = Wed Sep  8 05:04:52 2010
     stream_fault low = 0
     stream_fault low_date = Wed Sep  8 00:51:37 2010
     stream_flush avg = 21.526
     stream_flush high = 365.535
     stream_flush high_date = Tue Sep  7 06:20:11 2010
     stream_flush low = 0.013
     stream_flush low_date = Thu Sep  2 05:44:59 2010
     stream_timeout avg = 239.842
     stream_timeout high = 3578
     stream_timeout high_date = Sun Sep  5 20:50:12 2010
     stream_timeout low = 1
     stream_timeout low_date = Wed Sep  1 11:50:25 2010
     synacks avg = 0.124
     synacks high = 2.771
     synacks high_date = Mon Sep  6 12:42:56 2010
     synacks low = 0.006
     synacks low_date = Sat Sep  4 00:58:27 2010
     syns avg = 0.181
     syns high = 6.072
     syns high_date = Mon Sep  6 05:52:07 2010
     syns low = 0.019
     syns low_date = Fri Sep  3 20:12:36 2010

Wednesday, September 1, 2010

Snort Performance Stats Tool Info

I have noticed that there are not a ton of tools out there (definitely not many currently maintained) that can be used to parse the information from the snort performance monitor.  As such, I am considering writing one and wanted to see what the interest would be.  If there is indeed interest, then I would also like to know what format(s) and types of information would be most useful to the community.  Of course I know what will be useful to myself, and will likely be writing about that in the near future.  For now, here is some sample output from a quick perl parser that I wrote today.

$ ./pminfo.pl /var/tmp/snortstat

-= Tha Pig Doktah 0.1 Dev =-
Copyright (C) 2010 JJ Cummings

Report Info:
    Processed: /var/tmp/snortstat
    First Entry: Wed Sep  1 11:34:05 2010
    Last Entry: Wed Sep  1 22:27:47 2010
    Time Span: 0 days, 10 hours, 53 minutes and 42 seconds

Wirespeed:
    High: 6.683 Mbits/Sec | Wed Sep  1 12:54:00 2010
    Low: 0.007 Mbits/Sec | Wed Sep  1 18:14:18 2010
    Avg: 0.276 Mbits/Sec
  
% Packet Loss:
    High: 3.817% | Wed Sep  1 20:13:39 2010
    Low: 0.000% | Wed Sep  1 22:22:47 2010
    Avg: 0.095%

Additional Info:
    Avg Pkt Size: 363 bytes
    Avg Syns/Sec: 0.153
    Avg SynAcks/Sec: 0.105
    Avg Alerts/Sec: 0.001
    Avg Current Cached Sessions: 2326


Obviously this was only a quick test and does not include all of the important pieces of data.  Please feel free to hit me up in #snort (on freenode),  twitter, email (if'n you knows it), or post a comment here.
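For readers who want to see how a report like the one above (and the fuller Pig Doktah output in the later post) is derived from the raw perfmonitor file, here is an added example in Python; it is not the post's pminfo.pl. It parses perfmon CSV lines, keeps the high and low of each counter together with the interval they occurred in, averages the rest, and flags intervals where packet loss crosses a threshold. The column subset in COLUMNS is an assumption for the example: a real snortstat file written by the perfmonitor preprocessor has many more columns and their order depends on the Snort build, so map COLUMNS to the header of your own file. The three sample intervals are constructed, not sensor data.

```python
"""Summarise Snort perfmonitor CSV output: high/low with timestamp, average, time span.

Added example, not the blog's pminfo.pl. COLUMNS is an assumed subset of the real
perfmon column layout; the sample rows are constructed.
"""
from datetime import datetime, timezone

COLUMNS = ["time", "pkt_drop_percent", "wire_mbits_per_sec", "alerts_per_second",
           "avg_bytes_per_wire_packet", "syns_per_second", "synacks_per_second",
           "total_sessions"]

# Constructed sample: three perfmon intervals, epoch seconds in column 0.
SAMPLE_SNORTSTAT = """\
# constructed sample, not real sensor output
1283355245,0.000,0.512,0.000,420.0,0.120,0.090,51
1283355905,3.817,6.683,0.001,410.0,0.150,0.100,1200
1283356565,0.095,0.007,0.000,260.0,0.190,0.125,2300
"""


def parse_snortstat(text):
    """Return one {column: value} dict per interval; 'time' stays an int."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < len(COLUMNS):
            raise ValueError("short perfmon line: %r" % line)
        row = {"time": int(float(fields[0]))}
        for name, value in zip(COLUMNS[1:], fields[1:]):
            row[name] = float(value)
        rows.append(row)
    return rows


def summarise(rows):
    """Per counter: high/low as (value, epoch) of the first interval reaching it, plus avg."""
    stats = {}
    for name in COLUMNS[1:]:
        values = [(r[name], r["time"]) for r in rows]
        stats[name] = {
            "high": max(values, key=lambda v: v[0]),
            "low": min(values, key=lambda v: v[0]),
            "avg": sum(v for v, _ in values) / len(values),
        }
    return stats


def span_text(rows):
    """Time between first and last interval, in the report's wording."""
    secs = rows[-1]["time"] - rows[0]["time"]
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return "%d days, %d hours, %d minutes and %d seconds" % (days, hours, minutes, seconds)


def drop_events(rows, threshold=1.0):
    """Epochs of intervals whose packet loss exceeds threshold: the first tuning signal."""
    return [r["time"] for r in rows if r["pkt_drop_percent"] > threshold]


def fmt_time(epoch):
    """Render an epoch like the report (UTC here; the post shows sensor local time)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def report(text):
    rows = parse_snortstat(text)
    stats = summarise(rows)
    wire, loss = stats["wire_mbits_per_sec"], stats["pkt_drop_percent"]
    lines = [
        "Report Info:",
        "    First Entry: " + fmt_time(rows[0]["time"]),
        "    Last Entry: " + fmt_time(rows[-1]["time"]),
        "    Time Span: " + span_text(rows),
        "Wirespeed:",
        "    High: %.3f Mbits/Sec | %s" % (wire["high"][0], fmt_time(wire["high"][1])),
        "    Low: %.3f Mbits/Sec | %s" % (wire["low"][0], fmt_time(wire["low"][1])),
        "    Avg: %.3f Mbits/Sec" % wire["avg"],
        "% Packet Loss:",
        "    High: %.3f%% | %s" % (loss["high"][0], fmt_time(loss["high"][1])),
        "    Avg: %.3f%%" % loss["avg"],
        "Intervals over 1%% loss: %d" % len(drop_events(rows)),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SNORTSTAT))
```

Keeping the timestamp next to each high and low is what makes the report actionable: a loss peak that lines up with a wirespeed peak points at sensor capacity, while one that does not is worth correlating with rule reloads or other events on the box.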

Cheers,
JJC

Thursday, July 1, 2010

PulledPork 0.4.2 501 error when downloading rules

This issue most typically stems from a missing Perl Module that is required to communicate via SSL using LWP::Simple.  This required Perl Module is Crypt::SSLeay and is not included in the LWP::Simple redistributed package from the Ubuntu 8.x repositories, and will typically fail to install via CPAN on many Ubuntu server installations.  As such you simply need to do the following (on Ubuntu, since this is the only place I have seen it broken):

sudo apt-get install libcrypt-ssleay-perl

Of course if you are not running Ubuntu then you will need to use CPAN or find whatever repackaged garbage that your distro is using to distribute this ;-).

One other cause could be that your root certificates are outdated, so if you have the aforementioned PM installed and are still receiving a 501.. this is likely the cause... google how to update your root certificates for your distro!  Again, for the sake of completeness, this is how you do it on Ubuntu:

sudo apt-get install ca-certificates
sudo update-ca-certificates

I have also added this to the PP FAQ.

Cheers,
JJC