Snort creator talks Razorback and ClamAV
"People were saying they'd been hacked so thoroughly that their response teams were assuming they'd been hacked 24 by 7", Marty Roesch, CTO of Sourcefire, says as he talks to The H about Razorback, a new project from the developers of the open source intrusion detection system. Roesch says that assumption saw customers develop their own "neo-real-time" tools which were not real-time but "fast enough" and able to, for example, decompose a PDF file's structure rather than just scan for signatures of malware; this is what he calls "Deep file inspection". Another example would be a Flash decomposing tool that could examine a swf file looking for NOP slides or similar trademarks of malicious intent.
For the concept to be more effective, it needed a framework rather than disparate tools and that is where Razorback comes in. Razorback is still in development by Sourcefire's VRT team but is in essence designed to be a dispatching framework for tools which perform deep file inspection. A dispatcher is given a file and works out what "nuggets" should be applied to analyse the file and applies each one as needed; the nuggets include an Office file examiner, a "PDF dissector", a VirusTotal tester, and hooks into ClamAV and Snort.
Where a file may be encapsulating another file type, the sub-file is passed back to the dispatcher to be processed by an appropriate nugget. Razorback doesn't block files at the moment, but instead provides detailed forensic reports on the file and maintains a forensic database of what it has seen. The database would allow users to take reports of malware or zero-days and search the database for signs of those attacks and, says Roesch, "They can go 'Oh we were hit by this two weeks ago'".
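The dispatch-and-recurse pattern described above, as an added illustrative model written for this article and not Razorback's own code: nugget functions, a magic-byte dispatcher that hands embedded sub-files back to itself, and a forensic record that can later be searched by hash. The PDF keyword check, the simplified SWF header handling and the "BOX1" container format are assumptions chosen for the illustration.

```python
import hashlib
import struct
import zlib

# Nuggets return (findings, embedded sub-files). Formats and magic bytes are
# simplified for illustration; this models the dispatching idea, not
# Razorback's own API.
def pdf_nugget(data):
    hits = [kw for kw in (b"/JavaScript", b"/OpenAction", b"/Launch") if kw in data]
    return [f"pdf keyword {kw.decode()}" for kw in hits], []

def swf_nugget(data):
    # SWF layout: 3-byte signature, version byte, 4-byte LE file length;
    # CWS means the remainder after the 8-byte header is zlib-compressed.
    if data[:3] == b"CWS":
        body = zlib.decompress(data[8:])
        return ["compressed swf"], [b"FWS" + data[3:8] + body]
    return [f"swf version {data[3]}"], []

def box_nugget(data):
    # Constructed container format: magic, 4-byte BE payload length, payload.
    (length,) = struct.unpack(">I", data[4:8])
    return ["container"], [data[8:8 + length]]

NUGGETS = {b"%PDF": pdf_nugget, b"FWS": swf_nugget, b"CWS": swf_nugget, b"BOX1": box_nugget}

def dispatch(data, db, depth=0, parent=None):
    """Route a file to its nugget, record what was seen, recurse into sub-files."""
    digest = hashlib.sha256(data).hexdigest()
    nugget = next((n for magic, n in NUGGETS.items() if data.startswith(magic)), None)
    findings, children = nugget(data) if nugget else (["no nugget"], [])
    db.append({"sha256": digest, "depth": depth, "parent": parent, "findings": findings})
    for child in children:
        dispatch(child, db, depth + 1, digest)
    return db

def search(db, sha256):
    """Forensic-database lookup: have we seen this hash before, and nested where?"""
    return [rec for rec in db if rec["sha256"] == sha256]

# Constructed samples: a container wrapping a compressed SWF, and a PDF with JS.
SWF_BODY = b"\x00" * 16
CWS = b"CWS\x0a" + struct.pack("<I", 8 + len(SWF_BODY)) + zlib.compress(SWF_BODY)
SAMPLE_BOX = b"BOX1" + struct.pack(">I", len(CWS)) + CWS
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R /JavaScript 3 0 R >>"

if __name__ == "__main__":
    db = dispatch(SAMPLE_BOX, [])
    dispatch(SAMPLE_PDF, db)
    for rec in db:
        print(rec["depth"], rec["sha256"][:12], rec["findings"])
```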
Development on the proof of concept, previously presented at last year's DEFCON, has now been completed and the developers are moving on to create a more useful packaged version of the concept; a blog posting lays out the VRT team's plans to produce an easy to install, secure, scriptable and scalable version of the idea. The GPLv2 licensed project is hosted on Sourcefire's VRT labs site.
Currently, Razorback is very much an alpha development project albeit one with an active and dedicated development team; Sourcefire's VRT team are busy working on the next version. Roesch wants to see people create appliances around Razorback in the future and wants to see how the community makes use of it as it develops. Roesch compares the process with creating Snort: "I wasn't a big IDS guy when I was writing Snort, but I became a big IDS guy while I wrote Snort. I learned about IDS operational models and deployment models and how to plug it into an enterprise effectively".
Roesch also talked about how Sourcefire is integrating its recent acquisition – Immunet. Immunet offers cloud-based analysis of file metadata and works alongside ClamAV. The Immunet agent has a footprint of only 8 MB in memory. ClamAV with Immunet for Windows is available now with versions for Mac OS X and Linux to follow. The cloud analysis uses four detection engines: a 1:1 blacklist, generics, time, and prevalence.
The prevalence analysis leverages the shared cloud nature of the system: if the file has passed the other engines and been neither black- nor white-listed, the prevalence engine looks at how many instances of it there are. If there appears to be only one instance on a particular device then Roesch says it's "probably, and I mean five nines probably, polymorphic malware or a zero day". Roesch feels that the cloud architecture can provide a whole new way of analysing and reacting to malware in a way that is far quicker than just regularly downloading updated definitions.