Friday, August 7, 2009

Syntax Checking your Snort Rules

Our friend over in Blighty has been at it again. This time, Leon has come up with dumbpig, a tool written in Perl that will check your Snort rules and tell you what, if anything, is wrong with them and what you should do about it. Here's a sample of dumbpig output:
torchwood% ./dumbpig.pl -h

DumbPig version 0.5 - leon.ward@sourcefire.com 
Because I hate looking for the same dumb problems with snort rule-sets

     __,,    ( Dumb-pig says     )  
 ~(  oo ---( "ur rulz r not so )
   ''''    ( gud akshuly" *    )   
  
Config
----------------------
* Sensivity level - 3/3
* Blocklist outputi : Disabled
* Processing File - 0
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled 
----------------------
Error : Please specify a rules file
Usage dumbPig  
  -u or --update  Check for updates
  -r or --rulefile   
  -s or --sensitivity  <1-4> Sensitivity level, Higher the number, the higher the pass-grade
  -b or --blocklist  Enable blocklist output (see Marty's Blog post for details)
  -p or --pause  Pause for ENTER after each FAIL
  -w or --write  Filename to wite CLEAN rules to
  -q or --quiet  Suppress FAIL, only provide summary
  -d or --disabled Check rules that are disabled i.e commented out #alert # alert etc
  -v or --verbose  Verbose output for debugging
  -c or --censor  Censor rules in the output, in case you dunt trust everyone
  -f or --forcefail Force good rules to FAIL. Allows output of all rules
Checking an actual VRT rules file:
torchwood% ./dumbpig.pl -s 4 -r netbios.rules -d

DumbPig version 0.5 - leon.ward@sourcefire.com 
Because I hate looking for the same dumb problems with snort rule-sets

     __,,    ( Dumb-pig says     )  
 ~(  oo ---( "ur rulz r not so )
   ''''    ( gud akshuly" *    )   
  
Config
----------------------
* Sensivity level - 4/3
* Blacklist outputi : Disabled
* Processing File - netbios.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled 
----------------------
--------------------------------------
Total: 0 fails over 679 lines in netbios.rules
- Contact leon.ward@sourcefire.com
Looks like we can write pretty good Snort rules. Let's try someone else's efforts (and we'll censor the output to save embarrassment):
torchwood% ./dumbpig.pl -s 4 -r other.rules -d -c

DumbPig version 0.5 - leon.ward@sourcefire.com 
Because I hate looking for the same dumb problems with snort rule-sets

     __,,    ( Dumb-pig says     )  
 ~(  oo ---( "ur rulz r not so )
   ''''    ( gud akshuly" *    )   
  
Config
----------------------
* Sensivity level - 4/3
* Blocklist outputi : Disabled
* Processing File - other.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Enabled
* Quite mode : Disabled 
----------------------
Issue 1 
2 Problem(s) found with rule on line 127 of other.rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any  ( \ 
 msg: "XXXXXXXX"; \ 
 fragbits: !M; \ 
 fragoffset: >0; \ 
 classtype: bad-unknown; \ 
 sid: XXXXX; \ 
 rev:5; \ 
)
- TCP/UDP rule with no deep packet checks? This rule looks more suited to a firewall or blocklist
- TCP, without flow. Considder adding flow to provide better state tracking on this TCP based rule
=============================================================================

..big snip here...

--------------------------------------
Total: 11 fails over 628 lines in other.rules
- Contact leon.ward@sourcefire.com
Not so great rule writing akshully. So, if you write your own Snort rules and you want to be sure you are doing it right, we recommend you use dumbpig and don't forget to send Leon a thank you note (and probably beer, he likes that).
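To show the kind of check dumbpig is doing, here is a small Python rule checker, added for this post, that reproduces the two findings above (a TCP/UDP rule with no payload inspection, and a TCP rule with no flow option). It is not dumbpig's code; the set of options it treats as "deep packet checks" and the sample rules are assumptions constructed for the example.

```python
import re

# Payload-inspecting options: a TCP/UDP rule with none of them matches headers only, the case
# dumbpig reports as "no deep packet checks" (this set is an assumption, not dumbpig's own list).
DEEP_OPTIONS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}
ACTIONS = r"(alert|log|pass|drop|reject|sdrop)"
RULE_RE = re.compile(ACTIONS + r"\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)$")

def option_names(body):  # option names of a rule body; ';' inside double quotes does not split
    names, cur, quoted = set(), "", False
    for ch in body + ";":
        quoted ^= ch == '"'
        if ch != ";" or quoted:
            cur += ch
        elif cur.strip():
            names.add(cur.split(":", 1)[0].strip().lower()); cur = ""
    return names

def check_rule(rule):  # dumbpig-style findings for one rule (continuation lines already joined)
    m = RULE_RE.match(" ".join(rule.split()))
    if not m:
        return ["could not parse rule"]
    proto, names = m.group(2).lower(), option_names(m.group(3))
    findings = []
    if proto in ("tcp", "udp") and not names & DEEP_OPTIONS:
        findings.append("TCP/UDP rule with no deep packet checks")
    if proto == "tcp" and "flow" not in names:
        findings.append("TCP rule without flow")
    return findings

def check_rules(text, check_disabled=False):  # -> [(start_line, findings)] per failing rule
    results, buf, start = [], [], 0
    for no, line in enumerate(text.splitlines(), 1):
        start, line = (start if buf else no), line.rstrip()
        buf.append(line[:-1] if line.endswith("\\") else line)
        if line.endswith("\\"):  # backslash continuation: the rule goes on
            continue
        rule, buf = " ".join(buf).strip(), []
        m = re.match(r"(#\s*)?" + ACTIONS + r"\b", rule)
        if not m or (m.group(1) and not check_disabled):  # blank, comment, or disabled w/o -d
            continue
        if findings := check_rule(rule[len(m.group(1) or ""):]):
            results.append((start, findings))
    return results

# Constructed sample: the first rule has the shape of the one dumbpig flagged on the page.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \\
 msg:"HEADER ONLY TEST"; fragbits:!M; fragoffset:>0; classtype:bad-unknown; sid:1000001; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS TEST"; flow:to_server,established; content:"|00|"; sid:1000002; rev:1;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"DISABLED UDP"; sid:1000003; rev:1;)
"""
```

Running `check_rules(SAMPLE_RULES, check_disabled=True)` mirrors dumbpig's `-d`: the commented-out UDP rule is checked too, and only the well-formed NetBIOS rule passes clean.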

2 comments:

  1. Leon did a demo of Dumbpig on the last Snort webinar. Slides and recording are available at: http://www.snort.org/docs

  2. Yes, I do like my beer.