Sunday, December 2, 2012

What's on my table right now, and how you can help if you want

I've already been asked a couple of times how people can help or contribute to autosnort, so this blog post is a rehash of what I sent to a user in an e-mail today. If you feel the need to contribute, or want to help out, here are the main things I'm working on currently, in order of priority:

1) Pulled Pork integration - I want to tear out the portion of the script that asks for the VRT tarball. It's far too easy to mess up, and if it gets messed up you end up with a snort install that won't work because it has no rules to trigger against, and you either have to re-run the entire script or manually untar the rules, copy them, and copy the right SO rules for your distro.

- Want to use Pulled Pork as the solution for *initial rule setup*
- Give the user an initial ruleset; the scope of the project does not creep into configuration management and stays limited to initial snort installation and setup
- Will not support using Pulled Pork with ET rules or Bleeding Snort rules - I consider that configuration management and outside the scope of autosnort
- Want to keep the VRT tarball check and insert a failsafe: verify that the VRT rules tarball actually exists where the user says it is, and if it doesn't, tell the user to try again instead of pushing forward
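Here is one way that failsafe could look, as an added example and not autosnort's own code: a check that refuses to proceed until the path the user gives points at a readable gzip tarball that actually contains rules/*.rules entries, plus a tiny constructed sample tarball (not a real VRT snapshot) so the check can be exercised offline. The function and file names are my own assumptions.

```shell
#!/bin/sh
# check_vrt_tarball PATH
# Returns 0 if PATH is a readable, valid gzip tarball that contains at least one
# rules/*.rules entry (what an initial snort ruleset needs). Otherwise prints the
# reason to stderr and returns a distinct non-zero code per failure.
check_vrt_tarball() {
  tarball=$1
  if [ -z "$tarball" ]; then
    echo "no tarball path given" >&2; return 1
  fi
  if [ ! -f "$tarball" ]; then
    echo "tarball not found: $tarball" >&2; return 2
  fi
  if ! gzip -t "$tarball" 2>/dev/null; then
    echo "not a valid gzip archive: $tarball" >&2; return 3
  fi
  if ! tar -tzf "$tarball" 2>/dev/null | grep -q '^rules/.*\.rules$'; then
    echo "no rules/*.rules entries inside: $tarball" >&2; return 4
  fi
  return 0
}

# prompt_for_tarball
# Re-prompts until check_vrt_tarball passes, rather than continuing the install
# with no rules to trigger on. Prints the validated path on stdout.
prompt_for_tarball() {
  while :; do
    printf 'Path to the VRT rules tarball: '
    read -r answer
    if check_vrt_tarball "$answer"; then
      echo "$answer"; return 0
    fi
    echo "Please check the path and try again." >&2
  done
}

# make_sample_tarball DIR
# Builds a constructed sample with the rules/ and so_rules/ layout the check
# expects (a stand-in for a VRT snapshot, not the real thing) and prints its path.
make_sample_tarball() {
  dir=$1
  mkdir -p "$dir/rules" "$dir/so_rules/precompiled"
  printf 'alert tcp any any -> any any (msg:"sample"; sid:1000001; rev:1;)\n' \
    > "$dir/rules/local.rules"
  ( cd "$dir" && tar -czf snortrules-sample.tar.gz rules so_rules )
  echo "$dir/snortrules-sample.tar.gz"
}
```

Wire `prompt_for_tarball` into the install flow where the script currently takes the path on faith; the distinct return codes let the caller tell a typo apart from a corrupt download.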

2) Giving users a choice of where to log events, starting with a second option: log to syslog

- Configure snort.conf to log to syslog and skip the Barnyard installation
- The user would then configure their syslog daemon to forward IDS events to their SIEM
- This is the 'lightweight' alternative to MySQL, Barnyard and a web front-end

3) Giving users a choice of web front-ends to install, starting with a third option: the BASE web front-end

- BASE has been around for a really long time
- Not very pretty, but very well documented

4) Another web front-end choice: Aanval

- Aanval is another web front-end that looks very promising
- Can work with snort, suricata and syslog messages

5) Another web front-end choice: Snorby

- The installation process is very, very painful
- Likely to be very difficult to get set up right across multiple distros
- It is a highly functional web front-end and looks amazing; the effort is worth it

6) See if autosnort can be made compatible with earlier OS releases -- CentOS/Red Hat 5.x, the Ubuntu 10 and 11.04 LTS releases, BT5 R2, etc.

7) Expanding OS support upon request

This doesn't include bug fixes. If bugs are found, they jump to the top of the stack and have to be dealt with first.

So if you feel the need to help out, there's plenty that needs to be done. Pick any one of the 7 items on the to-do list above.

The scripts are all on GitHub, same as always, and freely available for you to download.

In terms of beta testing, etc., here are some of my recommendations:

1. Use virtual machines. Set up installations for the operating systems you want to beta test or develop against. Upon initial install, take a snapshot of the OS so you can revert back to it. This will make testing new features and fixes much easier on you.

- Ensure your VMs have at least 512 MB of RAM (1 GB recommended), about 14 GB of disk (can be less if you're pressed for space), and at a minimum two virtual NICs -- one for snort to bind to and the other for network access.

2. Good tools for the trade
- On Windows, I use Notepad++ for writing the scripts, WinSCP for SCP transfers, and mRemoteNG for managing multiple PuTTY sessions to multiple autosnort boxes.
- If you use Linux for writing the scripts, gedit does an amazing job for writing, the command-line scp command will serve you just as well, and look at Terminator for a tabbed terminal interface that can be split any way you'd like.
- If on a Mac, TextWrangler comes recommended as an editor, Fugu or the CLI tools for SCP transfers, and iTerm2 for tabbed terminal sessions that can be split any way you'd like.

3. Get a registered user account on
- Makes it easier to get your snort rule tarballs, especially if Pulled Pork integration takes off.

If you want to donate money to the cause, please just donate your money elsewhere -- I'm not trying to say that I don't need your money, but there are worthier causes than mine. Donate your money to charity, use it to buy yourself something nice, or use it to buy something for someone you love. This project is just my way of trying to make network security a little bit easier, and I am in no way looking to gain anything monetarily from it.

Don't feel obligated to do any of this, and if you realize midway through that you're in too deep, ask questions. If I don't know the answer, I'll try to point you in the right direction. Some people in the IT community would like to think that they were born with a keyboard in their hands and are too good to answer "noob" questions. Everyone starts out as a "noob", and you only get better by asking questions.

...That being said, don't be afraid to research; in fact, make sure that you research before you ask questions, as the question may have already been answered. This is called asking questions the smart way (note: while the tone of that article may seem a bit scathing, the information contained within is very, very valuable).

Thank you for your continued support,
