Snort Forums Archive
Tiny Software Firewall and Snort Rules
Posted by CVSCorp on April 14, 2006 09:54:22
There is (was) a firewall produced by "Tiny Software" at http://www.tinysoftware.com, which uses an implementation of the Snort Ruleset, based on 2.0 sigs.
In TPF 6.0.140, this rule set, written in .xml, is present. In TPF2005, the .xml version of the Snort 2.0 sigs was left out of the product, but users of the TPF2005 line of firewalls have learned that using a tool from Tiny Software called "SnortImp.Exe" makes it possible to import Snort 2.0 sigs into an .xml format, for use in TPF firewalls.
Would it be possible to support .xml formatted Snort rules for use in this firewall?
I can provide the Snort Import Tool written by Tiny Software and a Snort.txt file, which the .exe uses to re-compile Snort 2.0 sigs into an .xml format for use by the TPF line.
The .txt file used by the SnortImp.exe will not import Snort 2.6 rules because the .txt file does not support it, and was written only for the 2.0 ruleset.
Would "Snort.Org" consider supporting users of the Tiny Software Firewall, and its implementation of Snort? |
|
Posted by AJohn on April 14, 2006 10:33:20
As a user of Tiny, I would like to second this request. |
|
Posted by AJohn on April 14, 2006 10:42:41
As a user of Tiny, I would like to second this request. |
|
Posted by AJohn on April 14, 2006 11:18:01
As a user of Tiny, I would like to second this request. |
|
Posted by AJohn on April 14, 2006 11:19:21
Admin, please delete those last two posts (and this one). When I hit the refresh button it re-posted... |
|
Posted by juul on April 14, 2006 11:26:31
Also a Tiny user, that would like to see this support |
|
Posted by dumbCrab on April 14, 2006 14:55:47
I would like to get this support too. |
|
Posted by wterrell on April 14, 2006 15:34:12
The support of Tiny users by snort would be a very valuable feature of this firewall. |
|
Posted by Charismagic on April 15, 2006 10:29:21
It would be great if Snort supported .xml formatted Snort rules for use in TPF and the implementation of Snort by the users of TPF.
In support, a big aye all the way! |
|
Posted by df on April 17, 2006 03:46:09
I use Tiny firewall and I would love support from Snort too. |
|
Posted by Tigajr on April 28, 2006 15:34:41
I wish I could see support from Snort. It would be very important. |
|
Posted by adityad2005 on May 26, 2006 19:05:53
Does anyone know what the status of this is? |
|
Posted by zerosum on May 27, 2006 15:55:28
ttt |
|
Posted by adityad2005 on June 03, 2006 12:09:10
I just made an IDS.XML from the Snort sigs and will continue to do so as soon as new sigs are available,
and added the bleedingsnort sigs to them.
If anyone has webspace or FTP space I would be glad to put it for you all. |
|
Posted by wterrell on June 04, 2006 08:41:43
I have web space.
wesley<< at >> wterrell.com |
|
Posted by adityad2005 on June 22, 2006 03:47:24
Thanks wterrell, I will mail you the file tonight in about 6 hours.
Just got back from the wilderness, which had no net access...
|
|
Posted by SourceNET on June 29, 2006 17:39:36
Did you go back to the wilderness adityad2005? You seem to have left this promising plan the way CA have left Tiny Personal Firewall customers... up a creek without a paddle! |
|
Posted by CVSCorp on June 29, 2006 19:54:15
No, I did not leave. I sold my home and moved from Washington State to Colorado. I had to buy a new home and move in. I'm up now.
Understand, I don't have anything to do with Snort.Org or Snort Rules, other than some configuration hacks to TPF's original set of Snort Rules.
I asked everyone on the TPF forum to come here and write notices in hopes someone in Snort.Org would take pity on TPF users and provide us with a rule set.
It appears no one at Snort.Org reads this thread or cares about a defunct firewall.
It was a good idea, but alas, no one hears us. |
|
Posted by SourceNET on June 30, 2006 01:36:28
CVSCorp, my comments were directed at adityad2005 after they posted the following message:
"I just made an IDS.XML from the snort sigs and will continue to do so as soon as new sigs are available and added to them the bleedingsnort sigs. If anyone has webspace or ftp space I would be glad to put it for you all"
So, if users of TPF2005 cannot update IDS signatures, is the firewall useless? I mean what danger are we in if we use the firewall with the IDS module disabled? |
|
Posted by CVSCorp on June 30, 2006 05:38:22
SourceNET
Thanks for the clarification.
As far as danger, TPF was way ahead of its time. I dare anyone to find a firewall today that does what TPF still does. Even with outdated Snort Rules, the Snort Rules still available are not that different than the newest rule set.
As with any firewall, there are hackers and creeps that find new ways to circumvent any set of rules, or protections in place to guard systems and data. As hard as MS tries, and for the numbers of fixes, patches, and holes they plug, someone will always find a new one, or one yet undiscovered.
You're welcome to drop TPF and depend on MS's built-in firewall if you like. The only one I can think of that even comes close is Zone Lab, and it does not have "any form of snort rules", even outdated ones.
I run three layers of protection. One at the incoming router (router-vpn firewall), MS's built-in firewall (for what protection it offers), and TPF as a final guard in case something gets through. I don't count my "spyware, popup blockers or virus protections" in this scheme. You should always run those.
In the end, all of this, including virus protection, spyware, pop-up blockers and firewalls need to run from a router/firewall type appliance and not the users system.
Has anyone from Snort.Org seen, read or replied to this thread? |
|
Posted by SourceNET on June 30, 2006 05:56:48
I agree CVSCorp, TPF is probably still the most advanced firewall available. However, would TPF with IDS module disabled leave TPF less effective than a close competitor such as ZoneAlarm Pro? I've been using TPF 6.5 for a while and without any IDS sigs as I only recently learnt about SNORT. Thinking I should update, I then discovered that TPF was built to be compatible with v2.0 of SNORT sigs only. Now I'm wondering whether no or out of date IDS sigs makes TPF vulnerable. I always thought the core firewall module was sufficient... |
|
Posted by CVSCorp on June 30, 2006 08:29:44
You are more vulnerable without IDS running. TPF6.5.126 comes without the rule set, but it can be enabled. Find the directory "C:\Program Files\Tiny Firewall Pro\PolicyTable\10\srv" and drop in the file "IDS.XML" available for download in several places on this site from other TPF users. Then reboot your system and you will have an active IDS with snort 2.0 rules.
If you install TPF6.0 somewhere, and then divide up your IDS rules between IPS and IDS, then go to the directory listed above and copy the IDS.XML file off somewhere, uninstall TPF6.0 and then install TPF 6.5.126 and place your IDS.XML in the same directory and reboot, you can use the latest (or last) version of TPF with last snort 2.0 ruleset given by TPF.
I would post my IDS.XML but this forum "Quick Reply" window does not allow attachments. |
|
Posted by SourceNET on June 30, 2006 09:02:48
That's super CVSCorp. I now have SNORT 2.0 rules enabled in the IDS module of TPF 6.5
I hope there will be a way for us to gain access to the latest SNORT rule set in the near future. Tiny Personal firewall deserves that support and so do its loyal users.
Thanks again. |
|
Posted by wterrell on June 30, 2006 09:43:04
adityad2005, if you will supply the latest Snort rules in a IDS.xml I will post them on my
webspace and have them available to all. Thanks. wesley<>wterrell.com
CVSCorp, I also live in Colorado. My house is situated at 9500 ft in elevation in the Rocky
Mountains. It is the most pleasant place in the world. I have bears in my yard frequently along
with elk, deer etc. The summer temperature high is 75 degrees. |
|
Posted by CVSCorp on June 30, 2006 13:07:13
To All:
Please go to http://www.cvscorp.com/page3.html and you can download my Snort 2.0 RuleSet for TPF 2005. It also works for TPF6.0/5
I will post anyone's Snort RuleSet for TPF.
Instructions are posted there as well.
wterrell: I live in Palmer Lake, CO, about 7220ft. and have bears, deer, elk, squirrel and fox. Maybe we could visit sometime? |
|
Posted by zerosum on June 30, 2006 19:58:21
Thanks CVSCorp! |
|
Posted by CVSCorp on July 11, 2006 12:43:20
For all TPF Users:
I have been in contact with Mike Guiterman, the community manager for Snort.Org, with respect to possible support for Snort Rules for use in TPF Firewalls.
Here are his comments:
By way of introductions, I'm the new community manager for Snort.org. You bring up an interesting request, I'll follow up with the snort team to look at the possibility of providing this support. I'll update you and the forum as we evaluate the interest. Thanks for your interest in Snort
Here are my comments:
Thanks.
Also know that the firewall formerly known as "Tiny Software Firewall" and its code was sold last year to Computer Associates, lock, stock and barrel. The TPF firewall, in its former state, is still being sold through "Element5", but is no longer supported by its previous owner, nor is it supported by CA.
We "TPF" users do not understand this lack of support, and are now "supporting ourselves" with requests like this. TPF firewalls can still be downloaded for trial, and the previous versions, ending at 6.0.140, all used TPF's implementation of Snort 2.0.
TPF 6.5 (called TPF2005) still uses Snort Rules, but they were not included before CA purchased the company. We "TPF Users" have found our own way to add them to TPF2005 using a "cut and paste" method, by taking the IDS.XML generated in TPF v6.0.140, and dropping it into TPF2005.
On another note, I and my company, http://www.CVSCorp.Com lead the effort here for Snort Version Update, but it would be nice to have official support. I have web space dedicated to this endeavor, if you do not want to post TPF versions of snort files on Snort.Org, but to add a link from your site to ours. Thanks for communicating with me.
To all TPF Users:
Hopefully, by showing your previous interest for Snort Support here in this forum, we may be able to update our IDS/IPS rules with the latest Snort 2.6 RuleSet.
I will continue to post your submissions for TPF Snort 2.0 IDS.XML files at the website mentioned above, as well as any supported Snort Rulesets from Snort.Org.
Thanks all for your support.
|
|
Posted by Jeruvy on July 17, 2006 06:33:02
CVSCorp,
That link is a 404. Perhaps it is finding a better home?
I too have been a long time user of snort rules in TPF, and was manually importing select rules in the past. I used the snortimp tool also but I'm not sure where you can find that tool.
I would like to try this out, but need a valid link.
Thanks in advance.
|
|
Posted by CVSCorp on July 17, 2006 13:10:52
http://www.cvscorp.com/Snort.html
You can go to http://www.cvscorp.com and the menu will lead you to the snort rules and tools. |
|
Posted by kumi on August 23, 2006 13:28:41
Well I for one just discovered TPF 2005, and it's simply first-class. I'd also like to urge the Snort developers to consider adding TPF .xml support. Thank you! |
|
Posted by CVSCorp on November 02, 2006 04:28:19
As of this date, Computer Associates, owner of TPF, has taken down the Tiny Software Website, and now links the old URL to CA's new version of Firewalls using TPF technologies.
This new version of CA's implementation of TPF technology for SOHO use has been stripped of the IDS/IPS as well as most of the functions found in TPF's Activity Monitor.
CA states that these features will be found in CA-HIPS, which will not be available until Dec 2006, and CA will most likely increase the cost significantly to former users of TPF, to regain these features.
Most distressing, is CA's requirement of a "Yearly Subscription", to keep the CA version of Firewalls up to date, and most likely, activated.
If anyone using TPF, clicks on, or has the "Update" box checked in the Administration Center, you will now be led to a CA website offering an upgrade to CA's lowest class of firewall, for $29.99 plus a yearly subscription. I will leave it to you (Former TPF users) to decide if you want to upgrade (downgrade) your firewall with an inferior product.
I, for one, will not upgrade to CA's version of TPF firewalls.
Additionally, I have not heard anything from Snort.Org with respect to supporting older TPF products using IDS/IPS Snort Rules. I suspect CA has asked Snort not to offer further support for TPF's version of the Snort rule implementation. We tried, but I guess CA wants to kill TPF once and for all.
In conclusion, TPF was a great product, and has reached the end of its life cycle. As with any great product, it seems someone will eventually purchase it, strip it, and abandon it by the road side.
TPF has now met the fate of similar products, like Falcon 4.0, Forbin Projects' Qmodem, Central Point's Copy II PC, and many others I can no longer remember.
I want to personally thank Roman Kasan, the crew of Tiny Software, and all of you "TPF Users" for your insight, code design, hard work, and vision of what a well thought out firewall should be.
I will continue to make my website support and TPF files available for your download, until I see the need for them subside.
Good luck to all. |
|
Posted by Wakanaka on March 01, 2007 03:25:21
Can anyone help me to get snortimp.exe to import Snort rules in Tiny? Can't reach the website of CVSCorp.
Mailto:Wakanaka@gmx.net |
|
Posted by CVSCorp on March 02, 2007 02:45:36
Unfortunately, the CVSCorp.Com site had to be taken down. I won't go into legalities, but it seems the TPF line of products, and future support, is now up to individual users, in an off-line capacity, should you continue to use TPF.
I would personally like to hear about any effort or process which allows for the importation of current Snort Rulesets into TPF 6.5.126 (Tiny Firewall Pro 2005).
I will offer personal support if you post a message on this forum with your need or question. |
|
Posted by kahve on March 07, 2007 10:23:27
I am still using Tiny firewall. I read your post which was written in the Wilders forum. I haven't heard of the Snort rules set before. Could you send it to me by email? Thanks.
best regards... |
|
Posted by CVSCorp on March 07, 2007 11:46:32
----- Original Message -----
From: "Mike Guiterman" |
|
Posted by CVSCorp on March 07, 2007 11:55:10
kahve
I am not sure what you are asking for?
You should go to www.Snort.Org and read what snort rules are, and then come back here and read through my threads. You already have the files (ids.xml) you need. You just need to install it, per my instructions above, and then configure them.
The process is much too involved to explain again, especially if you don't have the knowledge necessary to configure this firewall.
There are no files I could email to you to make it work.
Sorry
|
|
Posted by CVSCorp on March 07, 2007 12:01:16
Unfortunately, the "snortimp.dll", which contains the translation matrix, cannot be altered without permission from Computer Associates, or without having the source code, neither of which we have. The translation matrix does not include newer parameters included in newer snort 2.0/2.6 rulesets, which snortimp.exe does not understand. We have tried.
Our last resort was support from Snort.Org itself. We don't want to get into copyright violations with CA, or reverse compile their code, since output of prior .xml rulesets exist. It would be optimal for snort rulesets to be directly translated to .xml format by snort.org, to avoid these issues.
TPF is a very good firewall, and lacking current snort rulesets leaves us (both TPF users and the world at large) with the plain jane, subscription based firewalls offered to the general public, which offer minimal protection at best. TPF was the only non-subscription firewall which offered IDS/IPS based on snort rulesets, and file protection based on checksums, and comprehensive rules for applications and registry entries. Only Windows Vista now offers this level of protection, with a nagging UAW, which folks turn OFF.
It would be a shame to see TPF go the way of the dinosaur just for lack of snort rulesets. One other point. Malware protection, and the Malware protection market in general, came about because a few disgruntled adolescent individuals had nothing better to do with their coding skills than to hack and destroy honest people's work and equipment. To protect a computer, honest folk are being forced to spend their hard earned buck on protection software that would not exist, and would not be necessary, had it not been for these hackers and adolescent individuals. There is now a feeling prevalent in the world today that the Malware Market in general secretly pays and fosters these hackers and adolescent individuals to continue their efforts, because without them, Malware software would be obsolete. I personally believe this is true. It's a self feeding scenario. Hackers make malware, which we have to protect ourselves from, and Malware makers are only too happy to take our dollar for the software that does so.
There are only a handful of companies, like Snort.Org and TPF, who offer a basic level of their products without asking for subscriptions. I personally will not pay for Malware protection in any form. I will shut my machine off permanently before I do that.
CVSCorp |
|
Posted by kahve on March 08, 2007 12:17:00
I am still using Tiny but this is the first time I have heard of the Snort ruleset. Could you post it to me? I want to try it.
Thanks... |
|
Posted by bytetherapy on July 31, 2007 15:44:08
Help! I'm stuck. I have TPF 5.1 and love it, especially the integration of snort rules with firewall policy.
However, Microsoft's SP1 for W3K seems to be mutually exclusive with Tiny.
I know that TPF6 works with the service pack, but I can find it. Element5 doesn't have it ("element5.com?").
Has anyone gotten TPF 5.x to work with W3K SP1?
Does anyone know where I can upgrade my TPF?
Can I buy 6.x from someone?
It's a shame TPF went the way of the Amiga. Thank you in advance for any assistance you might offer. |
|
Posted by Wakanaka on December 13, 2007 20:43:52
Dear CVSCorp,
Lost your email address. Would be nice if you can contact me for further questions about TPF. |
|