Snort Additional Downloads: Add-Ons & Other Cool Projects


If you know of or work on a Snort related project that you'd like to see listed here contact me at jesler@cisco.com


Sourcefire Projects
Daemonlogger Razorback OfficeCat
PESig Pulled_Pork SnoGE
ThePigDoktah Dumbpig
3rd Party Projects
Barnyard2 BASE EasyIDS
Oinkmaster OSSIM Network Security Toolkit
Security Onion LiveCD Snorby SQueRT
Sguil PacketFence Zeroshell
iBlock Snez PmGraph
PmGraph for Performance Monitor bProbe

Sourcefire Projects

Daemonlogger

daemonlogger_full_sm

Daemonlogger™ is a packet logger and soft tap developed by Martin Roesch. The libpcap-based program has two runtime modes:

  1. 1. It sniffs packets and spools them straight to the disk and can daemonize itself for background packet logging. By default the file rolls over when 2 GB of data is logged.
  2. 2. It sniffs packets and rewrites them to a second interface, essentially acting as a soft tap. It can also do this in daemon mode.

These two runtime modes are mutually exclusive, if the program is placed in tap mode (using the -I switch) then logging to disk is disabled.

Make SURE you read the included COPYING file so that you understand how this file is licensed by Sourcefire, even though it's under the GPL v2 there are some clarifications that we have made regarding the licensing of this program.

Daemonlogger is available for download here: Sourceforge download site


Razorback

Project Razorback™ is an undertaking by the Sourcefire VRT. Razorback is a framework for an intelligence driven security solution. It consists of a Dispatcher at the core of the system, surrounded by Nuggets of varying types.

Razorback is available for download here: Sourceforge download site


DumbPig

Dumbpig is an automated bad-grammar[sik] detector for snort rules. It parses each rule in a file and reports on badly formatted entries, incorrect usage, and alerts to possible performance issues. It should be considered as work in progress and all users should only work with the latest code available.

The project is run by Leon Ward of Sourcefire.


Officecat Logo

OfficeCat™ is a command line utility developed by Sourcefire Vulnerability Research Team ™ (VRT) that can be used to process Microsoft Office Documents to determine the presence of potential exploit conditions in the file. OfficeCat is available for Windows and Linux.

Download (OfficeCat.zip) - 03 Nov, 2010 md5:cf0c77ace1ac536cbd1d01fae736b3e3

Download (officecat-wine.tgz) - 03 Nov, 2010 md5:02889e03e59f8b504a8a18bc44fe90dd


PE Sig

PE Sig is a tool written in Ruby that generates ClamAV® signatures for portable executable files. For more information on PE Sig check out Brian Caswell's write up on the VRT Blog

Download (pe-sig.tgz) - 03 Nov, 2010 md5:f2f035c704a6d41893c3a7c0d89cc2cc


Pulled_Pork

Pulled_Pork is tool written in perl for managing Snort rule sets. Pulled_Pork features include:

  • Automatic rule downloads using your Oinkcode
  • MD5 verification prior to downloading new rulesets
  • Full handling of Shared Object (SO) rules
  • Generation of so_rule stub files
  • Modification of ruleset state (disabling rules, etc)

The project is run by JJ Cummings of Sourcefire.

SnoGE

SnoGE is a Snort unified reporting tool, it processes your unified files (that’s Snort’s output format), and represents them as place-marks on Google Earth. It can operate in a few modes, Real-time, refresh, and one-time.

The project is run by Leon Ward of Sourcefire.

ThePigDoktah

ThePigDoktah logo

Tool for parsing and generating usable information from Snort's performance metric output.

The project is run by JJ Cummings of Sourcefire.

3rd Party Projects & Downloads

Barnyard2

This is a fork of Barnyard. Barnyard2 provides the following enhancements to the original

  • Parsing of the new unified2 log files.
  • Maintains majority of the command syntax of barnyard.
  • Addressed all associated bug reports and feature requests arising since barnyard-0.2.0.
  • Completely rewritten code based on the GPLv2 Snort making it entirely GPLv2.
  • SnortSam functionality

BASE

BASE is the Basic Analysis and Security Engine. It is based on the code from the Analysis Console for Intrusion Databases (ACID) project. This application provides a web front-end to query and analyze the alerts coming from a SNORT IDS system.

EasyIDS

EasyIDS is an easy to install intrusion detection system configured for Snort. Based upon Patrick Harper's Snort installation guide and modeled after the trixbox installation cd, EasyIDS is designed for the network security beginner with minimal Linux experience.

Network Security Toolkit

NST is a bootable ISO live CD/DVD is based on Fedora. The toolkit was designed to provide easy access to best-of-breed Open Source Network Security Applications and should run on most x86 platforms.

OSSIM

OSSIM stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc

packetfence

PacketFence is a fully supported, Free and Open Source network access control (NAC) system. PacketFence is actively maintained and has been deployed in numerous large-scale institutions over the past years. It can be used to effectively secure networks - from small to very large heterogeneous networks. PacketFence has been deployed in production environments where thousands of users are involved. Visit the PacketFence project here.

Security Onion

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Ubuntu and contains Snort, Suricata, Bro, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! For more information, or to contact the author, check out Doug Burks's blog.

snorby

Snorby is a new, open source front-end for Snort. The basic fundamental concepts behind Snorby are simplicity and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use. To download Snorby visit the project site.

Sguil

Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).

SQueRT

This tool is used to query and view IDS alert data stored in a Sguil database. The design philosophy is somewhat.. OK, loosely, analogous to reading a newspaper.

Zeroshell

Zeroshell is a Linux distribution for servers and embedded devices aimed at providing the main network services a LAN requires. It is available in the form of Live CD or Compact Flash image and you can configure and administer it using your web browse

iBlock

This tool is a small Linux Daemon that greps the Snort Alert file and blocks the offending hosts via iptables for a given amount of time. iBlock supports the whitelisting of IP addresses so those IPs will never be blocked.

Snez

SNEZ is a web interface to the popular open source IDS program SNORT® . The main design feature of SNEZ is the ability to filter (or dismiss) alerts without having to delete.

PmGraph

This tool is a small perl script that will graph the output of the performance monitoring file from Snort

PmGraph for Pattern Matching

This tool is a script that will graph the output of the Pattern Matching system from Snort

bProbe

bProbe is a Snort IDS that is configured to run in packet logger mode. It can be installed on a pc and inserted at a key juncture in a network to monitor and collect network activity data. The data collected is sent to a central "receiver" server (not included), which is any software capable of interpreting IDS data such as Snort or its variants.


bProbe uses Snort, Barnyard2, and Pulled_Pork, which are provided pre-configured on a Linux Centos 64-bit cd to save you time and maintenance.