Monday, December 10, 2012

We have pulled pork; the rest is just barbecue sauce.

Hello AS users,

Today I would like to announce a new autosnort build and introduce support and integration of pulled pork.

For those who do not know, pulled pork is a perl script written by JJ Cummings of Sourcefire. The script is the recommended method for open-source snort users to manage, download, and configure rules for snort deployments.

What does pulled pork integration mean for you and autosnort? Its even easier to get started.

- The old rule tarball method is still available (e.g. point the script to a VRT tarball to unpack), but now, in addition to the tarball method, you may choose to use pulled pork to build an initial ruleset based off of the Sourcefire base ruleset "Security over Connectivity".

- If you provide autosnort with an oink code (registered user or VRT subscription) you are then given a choice to try to download the latest rules tarball, or a the rules tarball from the previous version of snort.

The reason I do this instead of automatically downloading the latest rule tarball from is to work around the 30-day wait period registered users have to wait when a new version of snort comes out.

To summarize a blog post in which I had described this problem in detail, when a new version of snort comes out, a rule tarball that has compatible SO rules is immediately made available for VRT rule subscription holders. Registered users have to wait 30 days from the release to gain access to a VRT tarball with compatible SO rules. If you choose to download/process rules from the tarball for the previous version of snort, autosnort will only process text rules to ensure compatibility with the latest version of snort -- this is to prevent the dreaded "my SO rules don't work" phase for registered users.

Some may wonder "It's taken an awful long time to integrate just this functionality. Have you been slacking off?" Well, no more than I usually do, but there is a very good reason for the delay in this release -- I've taken a long look at the rest of the script and decided to re-write large portions of the script.

A significant problem most users had with autosnort was that if you fat-fingered  at any point during the script, autosnort would happily plow forward, giving you a broken install upon reboot. I finally decided to go through the script and write some fault tolerance into the script -- key portions of the script are now sort of  "encapsulated" into while/true loops -- meaning that you MUST give the script a valid answer for it to progress.

For example, as a part of the rule management routine in autosnort, I decided to keep the old VRT rule tarball import (e.g. untar it and drop everying into /usr/local/snort)

Before, if a user gave the script an invalid directory path and/or nonexistent file, the script would go forward without a care in the world.

This time around however the script does the following:
-checks to see if the file exists. if the file doesn't exist, you are told to try again
-if it exists, tries to untar it. if the file cannot be untarred (e.g. not a .tar.gz) it informs the user and the user is given the chance to try again

For the pulled pork phase we do the same kind of error checking:
-if pulled pork fails to download rules for any reason, we inform the user and loop back to the choice between using pulled pork for rule management, or importing a VRT rule tarball through the old method.

Pulled pork integration is going to gradually be released for all supported operating systems (e.g. Debian, Ubuntu, BT5 and CentOS. The pilot release is going to be on CentOS, with releases to other OSes trickling in behind it.

As always, the code has been posted to github under the CentOS directory

Interesting, but useless statistics:
-file size of the shell script has nearly doubled from the old autosnort centOS script
-now: 42.3KB
-diff: 17.8

-lines of code (includes comments and blank lines for readability)
-original: 553
-now: 879
-diff: 326

No comments:

Post a Comment