Writing Snort Rules Correctly (via Joel Esler)

Joel Esler recently published an article entitled "Writing Snort Rules Correctly". I certainly suggest having a read through of this ,as it discusses a number of the finer points (including PCRE) when writing a snort rule using a previously published example rule. Joel dissects the rule, pointing out the good and bad while making note of better methods.

Just a short post, but I thought it worth posting to bring more attention to the aforementioned article by Joel Esler.

JJC

ET Rules and /\s?/

It was recently brought to my attention that many of the rules within the various Emerging Threats ruleset have a whitespace after value definitions such as flowbits:set and msg:"\s?". Unfortunately I did not notice this within the ET rulesets.

PulledPork was originally written to handle VRT rulesets from snort.org (none have this formatting flaw) and as such I had not accounted for it, as mentioned previously. The fix is a simple regex modification to the PulledPork code, you can get the patch here: http://pulledpork.googlecode.com/files/pp_304_whitespace.patch and apply it to pulledpork.pl.

For those that might ask the question "what if there are multiple whitespaces, ala \s*" this is NOT the case, I spoke with rotorhead from the ET team and all ET rules are normalized to atleast remove multiple whitespace chars.

This fix has already been checked into svn but I will not be re-releasing 0.3.4 to account for this.. but will likely be generating daily snapshots in the near future.

Cheers,
JJC

Time to own your rules - PulledPork 0.3.4 Released!

After what seems like forever since I have made a post about anything, I am pleased to announce the general availability of the latest version of PulledPork! This new version (v0.3.4) has a significant number of bugfixes for a variety of OS/distributions in addition to the numerous feature enhancements noted below.

I would like to thank all of the individuals that provided beta testing assistance and valuable feedback. I would also like to thank all of the users that have adopted PulledPork and sent in comments / feature requests. PulledPork certainly would not be where it is without your support and contributions!

Now that we are through the mushy stuff, on to the features!

VRT Rulesets! - Support metadata based VRT recommended rulesets - The short of it is that you can now specify a default pre-defined ruleset, yes.. this ruleset was designed by the VRT! The individual pre-defined rulesets that can be specified are fairly straightforward:

• Connectivity - You run a lot of real time applications (VOIP, financial transactions, etc), and don't want to run any rules that could affect the current performance of your sensor. The rules in this category make snort happy, additionally this category focuses on the high profile most likely to affect the largest number of people type of vulnerabilities.

• Balanced - You are normal, you run normal stuff and you want normal security protections. This is the best policy to start from if you are new, old, or just plain average. If you don't have any special requirements for super high speeds or super secure networks, start here.

• Security - You don't care about dropping your bosses email, everything in your environment is tightly regulated and you don't tolerate people stepping outside of your security policy. This policy hates on IM, P2P, vulnerabilities, malware, web apps that cause productivity loss, remote access, and just about anything not related to getting work done. If you run your network with an iron fist, start here!

Changelog - This feature allows you to specify that you want a changelog (any rule that has any change in it from your previous ruleset, i.e. disabled, enabled, modified etc..) maintained for any and all changes, in a specified log file.

Inline Drops - This feature allows you to specify what SIDs you want to be set to drop, for those running an inline setup!

Multiline Rules - Added full support for parsing of multiline rules.

Enhancements - Many minor enhancements made to the debugging output, speed enhancements, code cleanup, error handling etc...

There are quite a few runtime options and configuration options, please be sure to read through the README files thoroughly, also please be sure to use the latest pulledpork.conf that is included in the tarball! That's about it for now, please feel free to participate by asking questions on the mail list at http://groups.google.com/group/pulledpork-users/ or on freenode in #snort or #pulledpork

One final note, all of the release tarballs will now be named as pulledpork-X.X.X.tar.gz to help out with those maintaining packages and ports, thanks!

Download the tarball here pulledpork-0.3.4.tar.gz
MD5SUM = 034f90a2555c5f82e760b0ce68489ad2
SHA256 = 8b775e6476d653733f3d29ea9c962a76feaf148f3204a90fd47c646802448b80

Cheers,
JJC

Pulledpork v0.2.5 - Released

A new and updated version of pulledpork is out, this version adds functionality and also addresses a number of previously reported bugs, a few simple examples:

• Improved and cleaned up code for efficiency and speed
• Do not overwrite local.rules on run
• Do not attempt to copy . and .. as rules files
• Much more...

The primary feature that has been added allows for the capability to download rules from sites other than snort.org (VRT). Any url can be specified to download a rules tarball from, however md5 hash verification will only work when VRT or ET locations are specified. If a different location (i.e. a local redistribution point) is specified, please be sure to specify the -d (do not verify md5) option. Please see the README and pulledpork.conf files for more information on usage of new and existing options and features.

New option runtime flag:

• -u Where do you want me to pull the rules tarball from

(ET, Snort.org, see pulledpork config base_url option for value ideas)

A new tarball containing all of the new features will be published today at http://code.google.com/p/pulledpork/downloads/list

Snort 2.8.5 at snort.org... get it while it's hot!

Snort 2.8.5 is teh outed, get it or DIAF!

Snort 2.8.5 introduces:

- Ability to specify multiple configurations (snort.conf and everything
it includes), bound either by Vlan ID or IP Address. This allows you
to run one instance of Snort with multiple snort.conf files, rather
than having separate processes. See README.multipleconfigs for
details.

- Continued inspection of traffic while reloading a configuration.
Add --enable-reload option to your configure script prior to building.
See README.reload for details.

- Rate Based Attack Prevention for Connection Attempts, Concurrent
Connections, and improved rule/event filtering. See README.filters
for details.

- SSH preprocessor

- Performance improvements in various places

Please see the Release Notes and ChangeLog for more details.

http://www.snort.org/downloads

kthyx

JJC