Thursday, April 1, 2010

New Mac OSX Module for Snort

Today, the VRT is excited to announce a revolutionary new module for the Snort Intrusion Detection System.  The extraordinary capability of Snort to be molded through rules, so_rules, preprocessors and the fact that the entire code base is open gives us unprecedented capability to bring to our customers what they truly need.  That is why the VRT has been working hard for the past two months to deliver this new functionality.  We hope you enjoy it as much as we will enjoy not working on it anymore.

So, what is this new module?  Well first, let me set the scene.  For those businesses that have OSX as their primary systems, they live in a security Nirvana.  Without exploits, viruses or rootkits to worry about, their security guys are much like the Maytag repairman.  Lots of time with their feet up, checking their brackets, developing the ultimate waste-paper basketball techniques and generally living life as only they can.  But we know and you know that they have to have systems going to make it look like they are working. So, in addition to the empty boxes that just have blinking LEDs on them, they also have firewalls, AV, IDS and other systems that they can look at intently when their bosses come over.

Now those of you with Windows systems are probably jealous that the Mac guys are getting yet another shiny toy.  But don't worry, since Snort is Open Source, you can always just stand up a box and call that network your "Mac" network.  You're golden.

Now, there are three variants of the new Mac OSX module.  The first is the Snort SETI plugin.  This will allow you to take all of those CPU cycles that you're spending not detecting attacks on Mac OSX systems and put them to use finding aliens.  We can't be wasting cycles in this day and age.  Also, this way we don't let these CPUs contribute to global warming, which is not cool (get it?).  Finally, the faster we find these aliens, the sooner we'll have our Elvis back.

The second module is a Systems Simulation and Exploitation Center.  This module will allow any of the systems running Snort to act as one of several pre-configured operating systems and applications.  Then, using a special client, you can execute a variety of "attacks" on the system.  The intended use of this is not to attract a mate, although I think we can all agree that there is nothing sexier than popping a shell.  Instead, it is meant to be used on patch days.

Invariably the following conversation occurs:

"Hey, um, systems guy, there is a huge patch out.  We have to stay late tonight, incur some downtime and patch the servers."

Systems guy stares at security guy.  Both of them are bathed in the noon-day fluorescent light of the server room.  A single bead of sweat travels down the face of security guy.  Systems guy hasn't moved.  His eyebrow twitches, and the corner of his mouth pulls up in what he thinks is a smile.

"Prove it".

Security guy fakes being concerned briefly, argues with the systems guy and finally storms out.  He spends the next hour in the office watching Glee re-runs and then storms out.  He drags the systems guy into the "lab" and then fires up his special, VRT-supplied client app.  He types furiously while ancient arcane symbols float around the screen.  Briefly the systems guy thinks he sees a picture of his mother, but it happens too fast for him to be sure.

Finally, triumphantly, security guy points to the screen.  A beautiful, fully interactive shell sits ready.  With a little extra configuration, you can make it look just like his desktop.  This is the beauty of the SSEC system.  When patch day comes, no one will stand in your way, because you are the supreme blackhat.

The final module is a favorite of the VRT and we'll be honest, it has little value for you, but it will make us super-duper happy.  The terminal will display a happy series of events, every now and then flashing "APT BLOCKED!!!!" in big red letters.  Your boss will nod his head sagely, after all, he did sign the PO, and then tell you to take the rest of the day off.

Meanwhile, that sensor, along with every other sensor running our special "APT BLOCKED!!!" module, would constantly be fuzzing an application of our choice.  Indeed, each time you saw "APT BLOCKED!!!" it would actually be an indication that we had successfully crashed the application and had sent the information on the crash back to the VRT lair.  How could your soul NOT be warmed by the knowledge that we reside, happy in our den, because you have given over your sensor to the fuzzing gods?

Well there you have it folks.  We know you Mac folks don't need security systems, so let's not waste those CPU cycles!  Feel free to download the beta here

4 comments:

guly said...

I live in a security Nirvana.
Amazing.

Matt Olney said...

Me too! Different kind of Nirvana though :)

PsyPhii said...

Must be an April Fools' joke

Matt Olney said...

@PsyPhii Nuh uh! I swear! I spent WEEKS coming up with enough fake alerts for the "APT BLOCKED!!!" module. I was particularly proud of "Known Burkina Faso Based Cyber Terrorist Organization Remote Microsoft Bob SQL Injection Overflow attack"