Meetings
The next meeting of the NYC Snort User Group is under development. If you are interested in presenting or speaking, please contact mo@ciphertechs.com
Twitter
You can now follow this group on Twitter at twitter.com/nycsnort
Snort User Group April 26th recap
April 27th, 2007 under Articles by mo [ Comments: none ]

Thank you to all the people who made it to the NYC Snort User Group last night for the great conversations and topics we covered. Special thanks to Phil Jew from Sourcefire for the excellent presentation on Snort 3.0 alpha development.

On another note, we talked about deploying Snort + BASE as a VMware virtual appliance. Here is the link to VMware to get the virtual appliance, even though the Snort it ships with is fairly outdated (2.4):

http://www.vmware.com/vmtn/appliances/directory/185

A Google search will turn up other virtual appliances as well.

We also talked about topics for the next NYC Snort User Group and wanted to put some ideas out there:

  1. Best practices on Snort deployment in the enterprise;
  2. Snort Graphical front-ends and network forensic consoles;
  3. Introduction to Snort rules’ syntax and rule writing;
  4. Snort.conf configuration 101 and settings for attacks that use evasion techniques;
  5. Other open source tools and projects that use Snort

The best way to vote on these or on another possible future topic is to email the New York Snort mailing list. If you have not subscribed, do so at:

https://lists.snort.org/mailman/listinfo/ny-sug



Snort User Group to meet April 26th
April 20th, 2007 under Uncategorized by mo [ Comments: none ]

The next meeting of the NYC SUG is scheduled for Thursday April 26, 6:00 PM at Ciphertechs, Inc. in Manhattan.

Philip Jew from Sourcefire’s security engineering team will be presenting on the future of Snort and will be available to answer questions. As many of you know Marty has been hard at work on Snort 3.0 and has posted the first sub-system code for alpha testing. This is a great opportunity to see what the future holds for everyone’s favorite pig.

Thanks to Ciphertechs for hosting the meeting. Details are below:

Time: 6:00 pm – 8:00 pm

Location: 55 Broadway
11th Floor
New York, New York

55 Broadway is a secure building so please RSVP at: http://snort.org/registrations/rsvp.html



Snort “unified” file api in ruby
April 16th, 2007 under Tools by jonbaer [ Comments: none ]

Via Brian Caswell …

The fastest full detail output for Snort “unified logs”, which were meant to unify packet and event logs into a single binary file format. Along the way, someone (cough, Marty, cough) forgot the definition of “unified”. There are two separate file formats, unified logs and unified alerts. The great part about “unified” files is that they are host-byte-order dependent!

If you want to read unified files, you have a few options.

  • Barnyard, an unmaintained unified file reader.
  • Mudpit, an unmaintained unified file reader.
  • Cerebus, an unmaintained, binary only text based event reader.
  • SnortUnified.pm, a sort-of OOP perl API for unified files (Don’t attempt to read multiple files at once!)

Or… unified.rb, a tiny ruby API for reading unified files.

http://www.shmoo.com/~bmc/software/ruby/unified.rb
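As an added illustration of the byte-order point above (this is not code from the post or from unified.rb), the Ruby snippet below reads the 4-byte magic at the start of a unified file to tell the alert and log formats apart and to detect whether the writing host was little- or big-endian, so the matching unpack directive can be used for the rest of the file. The magic constants are assumed from Snort 2.x's spo_unified.h as I remember them; the record layouts themselves are not covered here.

```ruby
# Added example, not from the original post or unified.rb.
# Magic values assumed from Snort 2.x spo_unified.h (ALERT_MAGIC / LOG_MAGIC).
ALERT_MAGIC = 0xDEAD4137  # unified alert file
LOG_MAGIC   = 0xDEAD1080  # unified log (packet) file

# Inspect the first four bytes of a unified file.  Because the writer used its
# own host byte order, try both little-endian ("V") and big-endian ("N")
# readings of the magic.  Returns { kind:, byte_order:, u32: } where :u32 is
# the String#unpack directive to use for every 32-bit field that follows, or
# nil when the bytes are not a unified header in either byte order.
def unified_file_kind(bytes)
  return nil if bytes.nil? || bytes.bytesize < 4
  head = bytes.byteslice(0, 4)
  [["V", :little], ["N", :big]].each do |directive, order|
    magic = head.unpack(directive).first
    kind  = { ALERT_MAGIC => :alert, LOG_MAGIC => :log }[magic]
    return { kind: kind, byte_order: order, u32: directive } if kind
  end
  nil
end

# Read +count+ consecutive unsigned 32-bit fields starting at +offset+ with
# the directive chosen above, so a header written on a big-endian box decodes
# correctly on a little-endian reader and vice versa.
def read_u32s(bytes, offset, count, directive)
  bytes.byteslice(offset, 4 * count).unpack("#{directive}#{count}")
end

# Constructed sample headers (field values are made up): an alert file header
# written on a little-endian host and a log file header from a big-endian host.
LE_ALERT_HEADER = [ALERT_MAGIC, 1, 81, 0].pack("V4")
BE_LOG_HEADER   = [LOG_MAGIC, 1, 2, 0].pack("N4")

if __FILE__ == $0
  [LE_ALERT_HEADER, BE_LOG_HEADER].each do |hdr|
    info = unified_file_kind(hdr)
    puts "#{info[:kind]} file, #{info[:byte_order]}-endian writer, " \
         "fields after magic: #{read_u32s(hdr, 4, 3, info[:u32]).inspect}"
  end
end
```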



Daemonlogger 0.9 Released
April 7th, 2007 under Articles, Sourcefire, Tools by jonbaer [ Comments: none ]

DaemonLogger 0.9 has been released. The newest version has several new features including:
1) Support for dropping privileges at startup has been added.
2) DaemonLogger supports reading packets from pcap files instead of the network now. Those pcap files can be filtered for output back to the disk using BPF filters or they can be retransmitted on wire using the soft tap mode.
3) Support for chrooting at startup has been added.

daemonlogger-0.9.tar.gz

Articles on using daemonlogger:

TaoSecurity

Geek00l



Snort 3.0 Alpha 1
April 5th, 2007 under Articles, Sourcefire by jonbaer [ Comments: none ]

Report from Marty Roesch @ Sourcefire:

The first alpha test for the Snort 3.0 code base is up and available in my user area on snort.org. For you intrepid souls who would like to have a look and test it out, please feel free to download the code and get going.

http://www.snort.org/users/roesch/Site/Snort 3.0.html

You can download the code directly from

http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz

Snort 3.0 is a new code base with a new architecture. This first alpha release is intended to test out the new Data Source subsystem which includes the data acquisition mechanism, the decoder (and protocol printers) and the flow manager. The first alpha also includes the new command interface for Snort which is a CLI backed by the Lua embeddable programming language.

*Please* read the README, it only takes a few minutes and it'll get you up and running quickly.

The code is nowhere near feature complete. It doesn't have a detection engine yet, it doesn't have an output system, it doesn't do a whole lot but sniff packets and display them in its various output modes. All that other functionality will be following in other releases but for now what I'm really looking for people to do is start exercising the protocol decoders in real-world environments. There are a lot of new and rewritten decoders in this code base so in addition to the classic protocols like IPv4, Ethernet and TCP I'm particularly interested in getting people to attack the IPv6, MPLS, GRE and PPPoE decoders as well as the TCP and IP options decoders. If you cause the program to crash while it's sniffing packets I'd really like to know about it.

Please have a look and let me know what bugs you find, big and small. Remember to look at the BUGS file for information on filing complete bug reports. Please send bug reports directly to me as opposed to the bugs address at snort.org, I'm the point person on this alpha series for now.

I'll be putting up architectural diagrams and discussions as I move the code forward in my user area on snort.org, stay tuned.

Thanks and happy snorting!



Snort Report #5
April 5th, 2007 under Articles by jonbaer [ Comments: none ]

The fifth Snort Report — Snort Rules — has been posted. In this article Richard talks about what Snort rules really mean. He discusses how to get rules from Sourcefire and Bleeding Edge.



Snort 2.6.1.4 Now Available
April 5th, 2007 under Uncategorized by jonbaer [ Comments: none ]

Snort v2.6.1.4 has been released. The software and source code are available at: http://snort.org/dl/

Snort v2.6.1.4 includes detection functionality for a BSD IPv6 fragmentation overflow, and addresses a number of potential security-related issues in Snort as reported by customers, uncovered by internal investigations, and through third-party code audits.



Sourcefire releases Daemonlogger open source tool
April 4th, 2007 under Sourcefire, Tools by michelangelo [ Comments: none ]

Sourcefire, the security firm that oversees the open source intrusion-detection system software, Snort, is making available another open source tool for network traffic logging.

The tool, called Daemonlogger, is a packet sniffer that can passively capture network traffic and write it to disk in PCAP format. Sourcefire said Daemonlogger is being licensed under the GNU General Public License Version 2, under which anyone may access, modify and redistribute the Daemonlogger source code so that users can share enhancements and new features with other network professionals. Martin Roesch, CTO of Sourcefire and the originator of Snort IDS, said open source Daemonlogger is intended to be a “handy and easy-to-use tool.” Sourcefire indicated Daemonlogger is offered as an alternative to proprietary products for logging and storing network traffic that are needed to meet a growing number of regulatory requirements.



SANS New York 2007
March 29th, 2007 under Events by jonbaer [ Comments: none ]

April 29, 2007 to May 4, 2007

SANS is returning to the Big Apple with a choice selection of our most popular hands-on technical security courses! Join us for SANS New York City 2007, April 29 to May 4.


About NY-SUG
The New York Snort User Group currently meets on a monthly basis at CipherTechs in downtown New York City to openly discuss network security with a focus on the open source IDS Snort. If you are interested in joining us, please sign up to the mailing list.