DumbPig
Welcome to Dumbpig’s pen.
It looks like a couple of you out there are actually using Dumbpig (thanks for the feedback and bug reports), so I thought it deserves some better documentation and a usage guide.
Dumbpig is an automated bad-grammar[sik] detector for Snort rules. It parses each rule in a file and reports badly formatted entries, incorrect keyword usage and possible performance issues. It should be considered a work in progress, and all users should only work with the latest code available.
I wrote this tool to solve some real-world problems that I ran into when attempting to debug detection challenges in rules that I wasn't authorized to read. It provides the following functionality:
- Detection of invalid keywords
- Recommendation of missing keywords that would form a better rule
- Censorship of sensitive content, pcre, etc. matches, so that a rule can be debugged without revealing what it looks for
- Conversion of Snort rules that just look for IP addresses into blacklist format, for use with Marty's blacklist patch
- Warnings when a rule is missing keywords that are required for import into a Sourcefire Defense Center
Requirements:
- Perl
- LWP::Simple
- Parse::Snort
- Any UNIX-like OS should be fine. Written on OS X, tested under Debian GNU/Linux. Windows should probably work, but don't complain if it doesn't.
Installation
- Download the latest stable release of Dumbpig
- Check out the latest development version from Dumbpig’s googlecode page.
leon@lenny:~$ wget rm-rf.co.uk/downloads/dumbpig
leon@lenny:~$ chmod u+x ./dumbpig
- Install the required perl libraries
leon@lenny:~$ sudo cpan "Parse::Snort"
leon@lenny:~$ sudo cpan "LWP::Simple"

Usage

lward@lenny:~$ ./dumbpig -u   # Check for updates
No update found
lward@lenny:~$ ./dumbpig      # Run without args for usage details
DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets

        __,,   ( Dumb-pig says     )
      ~(  oo ---( "ur rulz r not so )
        ''''   ( gud akshuly"   * )

Config
----------------------
* Sensivity level - 3/3
* Blacklist outputi : Disabled
* Processing File - 0
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Error : Please specify a rules file

Usage dumbPig <args>
  -u or --update                Check for updates
  -r or --rulefile <rulefile>
  -s or --sensitivity <1-4>     Sensitivity level, Higher the number, the higher the pass-grade
  -b or --blacklist             Enable blacklist output (see Marty's Blog post for details)
  -p or --pause                 Pause for ENTER after each FAIL
  -w or --write                 Filename to wite CLEAN rules to
  -q or --quiet                 Suppress FAIL, only provide summary
  -d or --disabled              Check rules that are disabled i.e commented out #alert # alert etc
  -v or --verbose               Verbose output for debugging
  -c or --censor                Censor rules in the output, in case you dont trust everyone
  -f or --forcefail             Force good rules to FAIL. Allows output of all rules
lward@lenny:~$

Example
1) Find a few problems with a rulefile dumb.rules
2) Censor the content of dumb.rules
leon@lenny:~$ ./dumbpig -r dumb.rules
Issue 1
3 Problem(s) found with rule on line 1 of dumb.rules
alert ip any any -> any 53 ( \
    msg: "I found a scary DNS name woooo"; \
    content: "woot"; \
    sid: 1; \
)
- IP rule with port number (or var that could be set to a port number). This is BAD and invalid syntax. It is likely that this rule head is not functioning as you expect it to. The IP protocol doesn't have port numbers. If you want to inspect both UDP and TCP traffic on specific ports use two rules, its faster and valid syntax.
- No revision number! Please add a rev: keyword
- No classification specified - Please add a classtype to add correct priority rating
alert ip any any -> any 53 (msg: "I found a scary DNS name woooo"; content: "woot"; sid: 1;)
=============================================================================
Issue 2
2 Problem(s) found with rule on line 2 of dumb.rules
alert ip 1.1.1.1 any -> $HOME_NET any ( \
    msg: "Communication with nasty host found"; \
    sid: 2; \
    rev:1; \
)
- No classification specified - Please add a classtype to add correct priority rating
- IP rule without a content match. Put this in a firewall!

leon@lenny:~$ ./dumbpig -r dumb.rules -f -c
Issue 1
4 Problem(s) found with rule on line 1 of dumb.rules
alert ip any any -> any 53 ( \
    msg: "XXXXXXXX"; \
    content: "XXXXXXXX"; \
    sid: 1; \
)
- IP rule with port number (or var that could be set to a port number). This is BAD and invalid syntax. It is likely that this rule head is not functioning as you expect it to. The IP protocol doesn't have port numbers. If you want to inspect both UDP and TCP traffic on specific ports use two rules, its faster and valid syntax.
- No revision number! Please add a rev: keyword
- No classification specified - Please add a classtype to add correct priority rating
=============================================================================
Issue 2
3 Problem(s) found with rule on line 2 of dumb.rules
alert ip CENSORRD_IP any -> $HOME_NET any ( \
    msg: "XXXXXXXX"; \
    sid: 2; \
    rev:1; \
)
- No classification specified - Please add a classtype to add correct priority rating
- IP rule without a content match. Put this in a firewall!
=============================================================================
--------------------------------------
Total: 2 fails over 2 lines in dumb.rules - Contact leon.ward@sourcefire.com

Any problems, suggestions, etc., let me know.
Happy Snortin'
-Leon
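The checks DumbPig reports in the example output above (an ip rule carrying a port, an ip rule with no content match, missing rev and classtype) and the censor mode from the functionality list are simple to reproduce, and seeing them implemented makes the messages easier to interpret. The script below is an added editorial example in Python, not DumbPig's Perl source and not the Parse::Snort module. The sample rule file is constructed to mirror dumb.rules, and the keyword vocabulary, message wording and the CENSORED_IP / XXXXXXXX placeholders are assumptions made here rather than DumbPig's own.

```python
"""Minimal DumbPig-style Snort rule linter (added example, not DumbPig's code)."""
import re

# Constructed sample rule file, modeled on the dumb.rules examples on this page.
# The last rule is commented out, which Snort treats as disabled.
SAMPLE_RULES = """\
alert ip any any -> any 53 (msg:"I found a scary DNS name woooo"; content:"woot"; sid:1;)
alert ip 1.1.1.1 any -> $HOME_NET any (msg:"Communication with nasty host found"; sid:2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Well-formed rule"; flow:to_server,established; content:"GET"; nocase; classtype:web-application-attack; sid:3; rev:2;)
# alert udp any any -> any 53 (msg:"Disabled rule"; sid:4;)
"""

# Assumed keyword vocabulary for the "invalid keyword" check; a real linter
# would carry the full Snort option list.
KNOWN_KEYWORDS = {
    "msg", "content", "uricontent", "pcre", "nocase", "offset", "depth", "distance",
    "within", "flow", "flowbits", "dsize", "reference", "classtype", "priority",
    "sid", "rev", "metadata", "threshold", "detection_filter", "byte_test", "byte_jump",
}
SENSITIVE_KEYWORDS = {"msg", "content", "uricontent", "pcre"}   # masked by censor_rule

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b")


def parse_options(body):
    """Split a rule body into (keyword, value) pairs, honouring quotes and escapes."""
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ";" and not in_quote:          # option terminator outside quotes
            options.append("".join(current).strip())
            current = []
        else:
            if ch == '"':
                in_quote = not in_quote
            current.append(ch)
    if "".join(current).strip():
        options.append("".join(current).strip())
    pairs = []
    for opt in options:
        if opt:
            name, sep, value = opt.partition(":")   # split at the first colon only
            pairs.append((name.strip(), value.strip() if sep else None))
    return pairs


def parse_rule(line):
    """Return (header dict, option pairs), or None if the line is not a rule."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    header = m.groupdict()
    return header, parse_options(header.pop("body"))


def lint_rule(line):
    """Return the list of problems found in one rule (empty list means it passes)."""
    parsed = parse_rule(line)
    if parsed is None:
        return ["Rule header could not be parsed"]
    header, options = parsed
    names = {name for name, _ in options}
    problems = [f'Invalid or unknown keyword "{n}"' for n, _ in options if n not in KNOWN_KEYWORDS]
    if header["proto"] == "ip":
        # Anything but 'any' may be a port, or a $VAR that expands to one: the ip
        # protocol has no ports, so the rule head is not doing what the author thinks.
        if header["sport"] != "any" or header["dport"] != "any":
            problems.append("IP rule with port number (or var that could be set to a port); "
                            "use one tcp and one udp rule instead")
        if not names & {"content", "uricontent", "pcre"}:
            problems.append("IP rule without a content match; put this in a firewall instead")
    if "sid" not in names:
        problems.append("No sid; every rule needs a unique sid")
    if "rev" not in names:
        problems.append("No revision number; add a rev: keyword")
    if "classtype" not in names:
        problems.append("No classification; add a classtype to get a correct priority")
    return problems


def lint_file(text, check_disabled=False):
    """Map line number -> problems for each rule that fails (like dumbpig -r, -d)."""
    failures = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if not check_disabled:
                continue
            line = line.lstrip("# ")
        problems = lint_rule(line)
        if problems:
            failures[lineno] = problems
    return failures


def censor_rule(line):
    """Mask msg/content/pcre values and literal IPs so a rule can be shared for debugging."""
    parsed = parse_rule(line)
    if parsed is None:
        return line
    header, options = parsed
    head = " ".join([header["action"], header["proto"],
                     IPV4_RE.sub("CENSORED_IP", header["src"]), header["sport"], header["dir"],
                     IPV4_RE.sub("CENSORED_IP", header["dst"]), header["dport"]])
    body = [f'{n}:"XXXXXXXX"' if n in SENSITIVE_KEYWORDS else (n if v is None else f"{n}:{v}")
            for n, v in options]
    return f"{head} ({'; '.join(body)};)"


if __name__ == "__main__":
    for lineno, problems in lint_file(SAMPLE_RULES).items():
        print(f"{len(problems)} problem(s) found with rule on line {lineno}")
        for p in problems:
            print("  -", p)
    print(censor_rule(SAMPLE_RULES.splitlines()[1]))
```

On the constructed file this reports three problems for line 1 and two for line 2, matching the counts DumbPig gives for the equivalent dumb.rules entries, and passes line 3. The commented-out rule on line 4 is only examined when `check_disabled=True`, mirroring `-d`. Note that the port check flags any ip rule whose ports are not literally `any`, because a `$VAR` may well expand to a port number; and that the option splitter tracks quoting, so a `;` inside a content string does not end the option.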
[...] I hope Dumbpig could become a useful tool for the community. Documentation and code are available on the Dumbpig page. [...]
DumbPig 0.5 Updates, bug fixes, and real-word usage « An alchemists view from the bar
June 24, 2009 at 1:34 pm
[...] I spent a few minutes updating DumbPig to work with Marty's latest blacklist patch, with some great results. It looks like Marty has [...]
ET RBN Blacklists with Snort and DumbPig « An alchemists view from the bar
July 20, 2009 at 12:06 pm
Hey, Parse::Snort developer chiming in here — Leon (or anyone else who uses Parse::Snort) is there anything you’d like to see in the module? Or improvements/bugfixes? Submit a bug at the CPAN bugtracker, and I’ll see what I can do.
Richard Harman
August 21, 2009 at 8:22 pm
it’s so good tool.
i will post about your tool in my korean snort rules site.
http://snortrules.wordpress.com
my site is korean snort rules community.
your tool may help korean snort user.
kimms17
August 20, 2009 at 1:09 am
[...] http://leonward.wordpress.com/dumbpig/ [...]
dumbpig – a rule-writing correction tool « Snort rules
August 20, 2009 at 1:34 am
[...] I saw the snort rules from sipvicious, and saw some flaws in them. Leon Ward from Sourcefire also recently announced dumbpig.pl. So combining the VoIP-snort.rules from sipvicious and dumbpig.pl from Leon, gave me some nice [...]
Work Together For The Benefit Of All ManKind… » Some VoIP rules for snort and dumbig.pl
August 26, 2009 at 8:51 am