Our friend over in Blighty has been at it again. This time, Leon has come up with dumbpig, a tool written in Perl that will check your Snort rules and tell you what, if anything, is wrong with them and what you should do about it. Here's a sample of dumbpig output:
torchwood% ./dumbpig.pl -h
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets
__,, ( Dumb-pig says )
~( oo ---( "ur rulz r not so )
'''' ( gud akshuly" * )
Config
----------------------
* Sensivity level - 3/3
* Blocklist outputi : Disabled
* Processing File - 0
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Error : Please specify a rules file
Usage dumbPig
-u or --update Check for updates
-r or --rulefile
-s or --sensitivity <1-4> Sensitivity level, Higher the number, the higher the pass-grade
-b or --blocklist Enable blocklist output (see Marty's Blog post for details)
-p or --pause Pause for ENTER after each FAIL
-w or --write Filename to wite CLEAN rules to
-q or --quiet Suppress FAIL, only provide summary
-d or --disabled Check rules that are disabled i.e commented out #alert # alert etc
-v or --verbose Verbose output for debugging
-c or --censor Censor rules in the output, in case you dunt trust everyone
-f or --forcefail Force good rules to FAIL. Allows output of all rules
Checking an actual VRT rules file:
torchwood% ./dumbpig.pl -s 4 -r netbios.rules -d
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets
__,, ( Dumb-pig says )
~( oo ---( "ur rulz r not so )
'''' ( gud akshuly" * )
Config
----------------------
* Sensivity level - 4/3
* Blacklist outputi : Disabled
* Processing File - netbios.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
--------------------------------------
Total: 0 fails over 679 lines in netbios.rules
- Contact leon.ward@sourcefire.com
Looks like we can write pretty good Snort rules. Let's try someone else's efforts (and we'll censor the output to save embarrassment):
torchwood% ./dumbpig.pl -s 4 -r other.rules -d -c
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets
__,, ( Dumb-pig says )
~( oo ---( "ur rulz r not so )
'''' ( gud akshuly" * )
Config
----------------------
* Sensivity level - 4/3
* Blocklist outputi : Disabled
* Processing File - other.rules
* Check commented out rules : Enabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Enabled
* Quite mode : Disabled
----------------------
Issue 1
2 Problem(s) found with rule on line 127 of other.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
msg: "XXXXXXXX"; \
fragbits: !M; \
fragoffset: >0; \
classtype: bad-unknown; \
sid: XXXXX; \
rev:5; \
)
- TCP/UDP rule with no deep packet checks? This rule looks more suited to a firewall or blocklist
- TCP, without flow. Considder adding flow to provide better state tracking on this TCP based rule
=============================================================================
..big snip here...
--------------------------------------
Total: 11 fails over 628 lines in other.rules
- Contact leon.ward@sourcefire.com
Not so great rule writing akshully. So, if you write your own Snort rules and you want to be sure you are doing it right, we recommend you use dumbpig, and don't forget to send Leon a thank-you note (and probably beer; he likes that).
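To show what dumbpig is actually doing on that Issue 1 rule, here is an added Python sketch (not dumbpig's code, which is Perl) that parses one Snort rule and applies the two checks quoted above: a tcp/udp rule with no payload-inspecting option, and a tcp rule with no flow. The set of "deep packet" options and the clean counterpart rule are my own assumptions.

```python
import re

# Payload-inspecting options: a tcp/udp rule carrying none of them is the
# "no deep packet checks" case dumbpig reports. The set is my assumption.
PAYLOAD_OPTIONS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)
# Split the option body on ';' only outside double quotes (content:"a;b" is one option).
OPTION_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_rule(text):
    """Return (header fields, [(option, value), ...]) for one Snort rule."""
    rule = text.strip().replace("\\\n", " ")  # join backslash-continued lines
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule")
    opts = []
    for field in OPTION_SPLIT.split(m.group("opts")):
        if field.strip():
            name, _, value = field.partition(":")
            opts.append((name.strip(), value.strip()))
    return m.groupdict(), opts

def check_rule(text):
    """Return dumbpig-style findings for one rule; an empty list means it passes."""
    header, opts = parse_rule(text)
    names = {name for name, _ in opts}
    proto = header["proto"].lower()
    findings = []
    if proto in ("tcp", "udp") and not names & PAYLOAD_OPTIONS:
        findings.append("TCP/UDP rule with no deep packet checks; better suited to a firewall or blocklist")
    if proto == "tcp" and "flow" not in names:
        findings.append("TCP rule without flow; add flow to get state tracking")
    return findings

# The censored rule from Issue 1 above, backslash continuations included.
FLAGGED_RULE = r"""alert tcp $EXTERNAL_NET any -> $HOME_NET any ( \
msg: "XXXXXXXX"; \
fragbits: !M; fragoffset: >0; \
classtype: bad-unknown; sid: XXXXX; rev:5; \
)"""

# Constructed clean counterpart: same header, plus flow and a content match.
CLEAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"constructed example"; '
              'flow:to_server,established; content:"|00|"; sid:1000001; rev:1;)')
```

Running check_rule(FLAGGED_RULE) yields both findings dumbpig printed for that rule, while check_rule(CLEAN_RULE) returns an empty list.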