An alchemist's view from the bar

Network Security Alchemy

DumbPig


Welcome to Dumbpig’s pen.

It looks like a couple of you out there are actually using Dumbpig (thanks for the feedback and bug reports), so I thought it deserved some better documentation and a usage guide.

Dumbpig is an automated bad-grammar[sik] detector for Snort rules. It parses each rule in a file and reports badly formatted entries, incorrect keyword usage and possible performance issues. It should be considered a work in progress, so always use the latest code available.

I wrote this tool to solve some real-world problems that I ran into when attempting to debug detection challenges in rules that I wasn't authorized to read. It provides the following functionality:

  • Detection of invalid keywords
  • Recommendation of missing keywords that would make a better rule
  • Censoring of sensitive content, pcre, etc. matches, so that a rule can be handed over for debugging without revealing what it looks for
  • Conversion of Snort rules that only match on IP addresses into blacklist format for use with Marty's blacklist patch
  • Warnings when a rule is missing keywords that are required for import into a Sourcefire Defense Center

Requirements:

  • Perl
  • LWP::Simple
  • Parse::Snort
  • Any UNIX-like OS should be fine. Written on OS X and tested under Debian GNU/Linux; Windows should probably work, but don't complain if it doesn't.

Installation

  • Download Dumbpig and make it executable
leon@lenny:~$ wget rm-rf.co.uk/downloads/dumbpig
leon@lenny:~$ chmod u+x ./dumbpig
  • Install the required Perl libraries
leon@lenny:~$ sudo cpan "Parse::Snort"
leon@lenny:~$ sudo cpan "LWP::Simple"

Usage

lward@lenny:~$ ./dumbpig -u       # Check for updates
No update found
lward@lenny:~$ ./dumbpig          # Run without args for usage details

DumbPig version 0.5 - leon.ward@sourcefire.com
Because I hate looking for the same dumb problems with snort rule-sets

   __,,    ( Dumb-pig says     )  
 ~(  oo ---( "ur rulz r not so )
   ''''    ( gud akshuly" *    )   

Config
----------------------
* Sensivity level - 3/3
* Blacklist outputi : Disabled
* Processing File - 0
* Check commented out rules : Disabled
* Pause : Disbled
* ForceFail : Disabled
* Censor : Disabled
* Quite mode : Disabled
----------------------
Error : Please specify a rules file
Usage dumbPig <args>
-u or --update        Check for updates
-r or --rulefile      <rulefile>
-s or --sensitivity   <1-4> Sensitivity level, Higher the number, the higher the pass-grade
-b or --blacklist     Enable blacklist output (see Marty's Blog post for details)
-p or --pause         Pause for ENTER after each FAIL
-w or --write         Filename to wite CLEAN rules to
-q or --quiet         Suppress FAIL, only provide summary
-d or --disabled      Check rules that are disabled i.e commented out #alert # alert etc
-v or --verbose       Verbose output for debugging
-c or --censor        Censor rules in the output, in case you dont trust everyone
-f or --forcefail     Force good rules to FAIL. Allows output of all rules
lward@lenny:~$

Example

1) Find a few problems with a rulefile dumb.rules

2) Censor the content of dumb.rules

leon@lenny:~$ ./dumbpig -r dumb.rules
Issue 1
3 Problem(s) found with rule on line 1 of dumb.rules

 alert ip any any -> any 53  ( \
 msg: "I found a scary DNS name woooo"; \
 content: "woot"; \
 sid: 1; \
 )
- IP rule with port number (or var that could be set to a port number).
  This is BAD and invalid syntax.
  It is likely that this rule head is not functioning as you expect it to.  
  The IP protocol doesn't have port numbers.
  If you want to inspect both UDP and TCP traffic on specific ports use two rules,
  its faster and valid syntax.
- No revision number! Please add a rev: keyword
- No classification specified - Please add a classtype to add correct priority rating
alert ip any any -> any 53 (msg: "I found a scary DNS name woooo"; content: "woot"; sid: 1;)

=============================================================================
Issue 2
2 Problem(s) found with rule on line 2 of dumb.rules

 alert ip 1.1.1.1 any -> $HOME_NET any  ( \
 msg: "Communication with nasty host found"; \
 sid: 2; \
 rev:1; \
 )
- No classification specified - Please add a classtype to add correct priority rating
- IP rule without a content match. Put this in a firewall!

leon@lenny:~$ ./dumbpig -r dumb.rules -f -c

Issue 1

4 Problem(s) found with rule on line 1 of dumb.rules

alert ip any any -> any 53  ( \
msg: "XXXXXXXX"; \
content: "XXXXXXXX"; \
sid: 1; \
)

- IP rule with port number (or var that could be set to a port number).
  This is BAD and invalid syntax.
  It is likely that this rule head is not functioning as you expect it to.
  The IP protocol doesn't have port numbers.
  If you want to inspect both UDP and TCP traffic on specific ports use two rules,
  its faster and valid syntax.
- No revision number! Please add a rev: keyword
- No classification specified - Please add a classtype to add correct priority rating

=============================================================================

Issue 2

3 Problem(s) found with rule on line 2 of dumb.rules

alert ip CENSORRD_IP any -> $HOME_NET any  ( \
msg: "XXXXXXXX"; \
sid: 2; \
rev:1; \
)

- No classification specified - Please add a classtype to add correct priority rating

- IP rule without a content match. Put this in a firewall!

=============================================================================

--------------------------------------
Total: 2 fails over 2 lines in dumb.rules
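The checks in the feature list above and the findings on the two dumb.rules entries, as an added example that is not DumbPig's own code (DumbPig is Perl on top of Parse::Snort; this is a standalone Python sketch of the same idea). It reimplements the ip-rule-with-port, missing rev, missing classtype, ip-rule-without-content and unknown-keyword checks, the -c censor rendering and the blacklist export. Everything it assumes is an assumption rather than something the post states: a deliberately small keyword whitelist, literal IPv4 addresses only (no lists, negation or $VARs) for censoring and blacklisting, and a blacklist format of one address or CIDR per line. The three sample rules are constructed from the dumb.rules output above plus one clean tcp rule.

```python
# Added example, not DumbPig's code: a minimal Snort rule linter that reproduces a few of
# the checks described on this page, plus the -c censor mode and a blacklist export.
import re
from collections import namedtuple

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+'
    r'(?P<sport>\S+)\s+(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# One option: a run of plain chars, backslash escapes or quoted strings, ended by an unquoted ';'
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')
# Only plain IPv4 addresses/CIDRs; lists, negation and $VARs are left to a real parser.
LITERAL_IP_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$')
CONTENT_KEYS = {'content', 'uricontent', 'pcre'}
HIDE_KEYS = CONTENT_KEYS | {'msg'}
# Assumption: a deliberately small keyword whitelist, not the full Snort option set.
KNOWN_KEYWORDS = HIDE_KEYS | {'sid', 'rev', 'classtype', 'reference', 'priority', 'flow',
                              'flowbits', 'nocase', 'depth', 'offset', 'distance', 'within',
                              'dsize', 'byte_test', 'metadata'}

Rule = namedtuple('Rule', 'action proto src sport direction dst dport options')


def split_options(text):
    """Return (keyword, value-or-None) pairs; a ';' inside quotes does not split."""
    options = []
    for part in (p.strip() for p in OPTION_RE.findall(text)):
        if part:
            key, sep, val = part.partition(':')
            options.append((key.strip(), val.strip() if sep else None))
    return options


def parse_rule(line):
    """Parse one rule line into a Rule, or return None if the header does not parse."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    return Rule(options=split_options(fields.pop('opts')), **fields)


def lint_rule(rule):
    """Return the list of problems found with one parsed rule."""
    problems, keys = [], {k for k, _ in rule.options}
    if rule.proto == 'ip' and (rule.sport != 'any' or rule.dport != 'any'):
        problems.append('IP rule with port number (or var that could be set to a port number)')
    if 'rev' not in keys:
        problems.append('No revision number! Please add a rev: keyword')
    if 'classtype' not in keys:
        problems.append('No classification specified - Please add a classtype')
    if rule.proto == 'ip' and not keys & CONTENT_KEYS:
        problems.append('IP rule without a content match. Put this in a firewall!')
    problems.extend(f'Unknown keyword: {k}' for k in sorted(keys - KNOWN_KEYWORDS))
    return problems


def censor(rule):
    """Render the rule with match strings and literal IPs hidden, as -c does."""
    hide_ip = lambda addr: 'CENSORED_IP' if LITERAL_IP_RE.match(addr) else addr
    opts = '; '.join(f'{k}: "XXXXXXXX"' if k in HIDE_KEYS else (f'{k}: {v}' if v is not None else k)
                     for k, v in rule.options)
    return (f'{rule.action} {rule.proto} {hide_ip(rule.src)} {rule.sport} {rule.direction} '
            f'{hide_ip(rule.dst)} {rule.dport} ({opts};)')


def lint_file(text):
    """Lint every active rule line. Returns ({line_no: problems}, blacklist), where the
    blacklist holds literal IPs from content-less ip rules (assumed blacklist-patch
    format: one IP or CIDR per line)."""
    findings, blacklist = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue  # blank or disabled rule (DumbPig's -d would check these too)
        rule = parse_rule(line)
        if rule is None:
            findings[n] = ['Could not parse rule header']
            continue
        if problems := lint_rule(rule):
            findings[n] = problems
        if rule.proto == 'ip' and not {k for k, _ in rule.options} & CONTENT_KEYS:
            blacklist += [a for a in (rule.src, rule.dst) if LITERAL_IP_RE.match(a)]
    return findings, blacklist


# Constructed input: the two rules from the dumb.rules output above plus one clean tcp rule.
DUMB_RULES = '''\
alert ip any any -> any 53 (msg: "I found a scary DNS name woooo"; content: "woot"; sid: 1;)
alert ip 1.1.1.1 any -> $HOME_NET any (msg: "Communication with nasty host found"; sid: 2; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Example good rule"; flow:to_server,established; content:"GET /evil"; nocase; classtype:web-application-attack; sid:3; rev:2;)
'''

if __name__ == '__main__':
    findings, blacklist = lint_file(DUMB_RULES)
    for n, problems in findings.items():
        print(f'{len(problems)} Problem(s) found with rule on line {n}:', *problems, sep='\n- ')
    print('Blacklist:', blacklist)
    print('Censored:', censor(parse_rule(DUMB_RULES.splitlines()[1])))
```

Run it as-is and it reports three problems on line 1, two on line 2 and none on the clean rule, exports 1.1.1.1 as the only blacklist candidate, and prints the censored form of the second rule. The option splitter is regex-driven rather than a character loop so that a `;` inside a pcre or content string never breaks a rule apart, which is the usual trap for home-grown rule parsers.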

- Contact leon.ward@sourcefire.com

Any problems, suggestions etc, let me know.

Happy Snortin'

-Leon

Written by leonward

June 24, 2009 at 1:26 pm

6 Responses


  1. […] I hope Dumbpig could become a useful tool for the community, Documentation and code are available on the Dumbpig page. […]

  2. […] I spent a few minutes updating DumbPig to work with Marty’s latest blacklist patch, with some great results. It looks like Marty has […]

    • Hey, Parse::Snort developer chiming in here — Leon (or anyone else who uses Parse::Snort) is there anything you’d like to see in the module? Or improvements/bugfixes? Submit a bug at the CPAN bugtracker, and I’ll see what I can do.

      Richard Harman

      August 21, 2009 at 8:22 pm

  3. It’s such a good tool.
    I will post about your tool on my Korean Snort rules site.

    http://snortrules.wordpress.com

    My site is a Korean Snort rules community.
    Your tool may help Korean Snort users.

    kimms17

    August 20, 2009 at 1:09 am

  4. […] I saw the snort rules from sipvicious, and saw some flaws in them. Leon Ward from Sourcefire also recently announced dumbpig.pl. So combining the VoIP-snort.rules from sipvicious and dumbpig.pl from Leon, gave me some nice […]
