Friday, August 7, 2009

Syntax Checking your Snort Rules

Our friend over in Blighty has been at it again. This time, Leon has come up with dumbpig, a tool written in Perl that will check your Snort rules and tell you what, if anything, is wrong with them and what you should do about it.

Here's a sample of dumbpig output:

torchwood% ./dumbpig.pl -h

DumbPig version 0.5 - [email protected]
Because I hate looking for the same dumb problems with snort rule-sets

__,, ( Dumb-pig says )
~( oo ---( "ur rulz r not so )
'''' ( gud akshuly" * )

Config
----------------------
* Sensivity level - 3/3
* Blacklist outputi : Disabled
* Processing File - 0
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Error : Please specify a rules file
Usage dumbPig
-u or --update Check for updates
-r or --rulefile
-s or --sensitivity <1-4> Sensitivity level, Higher the number, the higher the pass-grade
-b or --blacklist Enable blacklist output (see Marty's Blog post for details)
-p or --pause Pause for ENTER after each FAIL
-w or --write Filename to wite CLEAN rules to
-q or --quiet Suppress FAIL, only provide summary
-d or --disabled Check rules that are disabled i.e commented out #alert # alert etc
-v or --verbose Verbose output for debugging
-c or --censor Censor rules in the output, in case you dunt trust everyone
-f or --forcefail Force good rules to FAIL. Allows output of all rules

Checking an actual VRT rules file:

torchwood% ./dumbpig.pl -s 4 -r netbios.rules -d

DumbPig version 0.5 - [email protected]
Because I hate looking for the same dumb problems with snort rule-sets

__,, ( Dumb-pig says )
~( oo ---( "ur rulz r not so )
'''' ( gud akshuly" * )

Config
----------------------
* Sensivity level - 4/3
* Blacklist outputi : Disabled
* Processing File - netbios.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
--------------------------------------
Total: 0 fails over 679 lines in netbios.rules
- Contact [email protected]

Looks like we can write pretty good Snort rules. Let's try someone else's efforts (and we'll censor the output to save embarrassment):

torchwood% ./dumbpig.pl -s 4 -r other.rules -d -c

DumbPig version 0.5 - [email protected]
Because I hate looking for the same dumb problems with snort rule-sets

__,, ( Dumb-pig says )
~( oo ---( "ur rulz r not so )
'''' ( gud akshuly" * )

Config
----------------------
* Sensivity level - 4/3
* Blacklist outputi : Disabled
* Processing File - other.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Enabled
* Quite mode : Disabled
----------------------
Issue 1
2 Problem(s) found with rule on line 127 of other.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
msg: "XXXXXXXX"; \
fragbits: !M; \
fragoffset: >0; \
classtype: bad-unknown; \
sid: XXXXX; \
rev:5; \
)
- TCP/UDP rule with no deep packet checks? This rule looks more suited to a firewall or blacklist
- TCP, without flow. Considder adding flow to provide better state tracking on this TCP based rule
=============================================================================

..big snip here...

--------------------------------------
Total: 11 fails over 628 lines in other.rules
- Contact [email protected]

Not so great rule writing akshully.

So, if you write your own Snort rules and you want to be sure you are doing it right, we recommend you use dumbpig and don't forget to send Leon a thank you note (and probably beer, he likes that).
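The two checks dumbpig raised against the censored rule above (no deep packet check, TCP without flow), reimplemented as an added Python example rather than dumbpig's own Perl code: it joins backslash-continued rule lines, parses the header and option names, and reports failing rules by line number, with a check_disabled switch standing in for dumbpig's -d. The sample rules, the list of payload options and the function names are assumptions made for this example.

```python
import re
# Constructed sample rules (not the page's censored file): rule 1 mirrors the shape
# dumbpig flagged above, rule 2 is commented out, rule 3 passes both checks.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"frag probe"; fragbits:!M; fragoffset:>0; \
    classtype:bad-unknown; sid:1000001; rev:5; )
#alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"dns any"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"smb probe"; \
    flow:to_server,established; content:"|FF|SMB"; depth:4; sid:1000003; rev:1;)
"""
DEEP_OPTS = {"content", "pcre", "uricontent", "byte_test", "byte_jump"}  # payload checks
HEADER_RE = re.compile(r'^(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+(\S+)(?:\s+\S+){2}'
                       r'\s+(->|<>)(?:\s+\S+){2}\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # key:value;

def iter_rules(text):
    # Yield (first_line_number, rule_text), joining backslash-continued lines.
    buf, start = [], None
    for n, line in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        if line.rstrip().endswith("\\"):
            buf.append(line.rstrip()[:-1])
            continue
        yield start, " ".join(buf + [line])
        buf, start = [], None

def parse_rule(rule):
    # Return (disabled, proto, {option names}) or None if the text is not a rule.
    m = HEADER_RE.match(rule.strip())
    if not m:
        return None
    return bool(m.group(1)), m.group(3), {k for k, _ in OPTION_RE.findall(m.group(5))}

def check_rules(text, check_disabled=False):
    # Return {line_number: [problems]}; check_disabled mirrors dumbpig's -d flag.
    results = {}
    for n, rule in iter_rules(text):
        parsed = parse_rule(rule)
        if parsed is None or (parsed[0] and not check_disabled):
            continue
        _, proto, opts = parsed
        problems = []
        if proto in ("tcp", "udp") and not DEEP_OPTS & opts:
            problems.append("TCP/UDP rule with no deep packet checks")
        if proto == "tcp" and "flow" not in opts:
            problems.append("TCP rule without flow")
        results[n] = problems
    return {n: p for n, p in results.items() if p}
```

Running check_rules(SAMPLE_RULES) flags only the first rule; passing check_disabled=True also flags the commented-out UDP rule, which is what dumbpig's -d does.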

2 comments:

  1. Leon did a demo of Dumbpig on the last Snort webinar. Slides and recording are available at: http://www.snort.org/docs

