Thread: New Feature

  1. #21
    Untanglit
    Join Date
    Sep 2008
    Posts
    25

    So I have installed BotHunter on my Untangle box. Looks like a slew of specially crafted snort rules IMHO. So in any case I am trying to test some snort rules on the BotHunter and on the Untangle box to make sure they work well together but BotHunter doesn't seem to see the alert. I have tested the alert in the Untangle and it works like a charm.

    Right now I'm thinking it's a matter of the listening interface but I'm still investigating. I just wanted to update everyone on the status of my testing. Any suggestions are welcome. Here is the rule I'm testing with:

    alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"E8[rb] BotHunter Test Rule:Visiting www.google.com"; flow:established,to_server; content:"www.google.com"; nocase; classtype:policy-violation; sid:90909090; rev:1;)

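    A rule pasted into a forum or copied between rule sources easily loses its action keyword, a ':' (classtype:policy-violation is a classic victim of ':p' smiley substitution) or its closing parenthesis, and Snort then rejects the whole rule file at load time. As an added example, not code from the post or from Untangle/BotHunter, here is a small Python checker that catches those defects before a rule is loaded; the two sample rules are constructed here (one with exactly those three defects, one corrected), and ACTIONS, PROTOS and FLAG_OPTS are an assumed, deliberately small subset of Snort's keywords.

```python
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOS = {"tcp", "udp", "icmp", "ip"}
FLAG_OPTS = {"nocase", "rawbytes", "fast_pattern"}  # modifiers that legitimately carry no value
# Constructed samples: a rule mangled the way the posted one was, and a corrected copy of it.
POSTED_RULE = ('tcp $HOME_NET any -> any $HTTP_PORTS (msg:"E8[rb] BotHunter Test Rule:Visiting '
               'www.google.com"; flow:established,to_server; content:"www.google.com"; nocase; '
               'classtypeolicy-violation; sid:90909090; rev:1')
FIXED_RULE = ('alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"E8[rb] BotHunter Test Rule:Visiting '
              'www.google.com"; flow:established,to_server; content:"www.google.com"; nocase; '
              'classtype:policy-violation; sid:90909090; rev:1;)')

def split_options(body):
    """Split the option section on ';', ignoring semicolons inside double-quoted values."""
    opts, cur, in_quotes = [], "", False
    for ch in body:
        in_quotes ^= (ch == '"')
        if ch == ";" and not in_quotes:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return opts + ([cur.strip()] if cur.strip() else [])

def check_rule(rule):
    """Return the problems found in one Snort rule string (empty list means it looks well formed)."""
    problems = []
    head, paren, body = rule.strip().partition("(")
    if not paren:
        return ["no option section: '(' not found"]
    if body.endswith(")"):
        body = body[:-1]
    else:
        problems.append("option section is not closed with ')'")
    if not body.rstrip().endswith(";"):
        problems.append("last option is not terminated with ';'")
    fields = head.split()
    if len(fields) == 6 and fields[0] in PROTOS:
        problems.append("missing action keyword (e.g. alert) before the protocol")
    elif len(fields) != 7 or fields[0] not in ACTIONS:
        problems.append("header is not 'action proto src sport dir dst dport'")
    seen = {}
    for opt in split_options(body):
        name, colon, value = opt.partition(":")
        if not colon and name not in FLAG_OPTS:
            problems.append("option %r has no ':' value (dropped ':'?)" % name)
        seen[name] = value
    for required in ("msg", "sid"):
        if required not in seen:
            problems.append("missing required option %r" % required)
    return problems
```

    Running check_rule over each line of a downloaded rule file and dropping the lines that return problems keeps one mangled rule from taking the whole import down.
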
  2. #22
    Untanglit
    Join Date
    Sep 2008
    Posts
    25

    Got it working for the most part. I just can't help but think that this would be more beneficial if Untangle had a community ruleset rather than adding another scanner to the bundle. Maybe it could just be another package that is optional for those of us who would like bleeding-edge rules or bot-type rules. Any thoughts?

  3. #23
    Master Untangler
    Join Date
    Aug 2008
    Posts
    109

    I just completed a script to import the emergingthreats.net rules into untangle and it's spitting out a few hits already (granted I've been pushing it). The details are under the feedback as well as submitting the script on the bug tracker for the emergingthreats.net feature request. It's a fairly simple bash script which could be easily modified to any snort rule source (provided they do layer 7 type rules vs layer 3). Namely the bleedingthreats.net could likely be added too if desired. For more info, drop me a line at dcbour at desktopsolutioncenter dot ca. For the record, it's still ALPHA though so use at your own risk. It hasn't been tested through any upgrades nor put into high volume yet to see the impact. Use at your own risk.
