Latest Honeywall Test Version
So I decided to load the latest test version (1.1) of the roo Honeywall from the Honeynet Project. The image was made public on 11/30/06 and there are numerous improvements. One example: the package repositories are now set up correctly. Previously, when you updated the honeywall it would pull packages from other repos, causing all kinds of problems; slightly after that it became noticeable that maybe you shouldn't have updated (even though the docs recommend it as one of the first steps). I think this will definitely help a lot of the non-technical honeywall users and, as a result, create a large deployment base for high-interaction honeynets.
On the downside, however, they've taken away something that had huge potential, IMO. The Snort rule management interface (shown below) in the previous version allowed you to use the Walleye interface to manage rules and even upload custom rules. As you can see, we easily imported the SCADA IDS signatures and were able to manage them via the Walleye interface.

This has been completely removed and replaced with an interface (shown below) that can download Snort rules with an Oinkmaster registration code through Sourcefire's VRT, or possibly from another site (like bleedingedge). The new menu lets you configure an auto-update schedule and select whether you would like Snort restarted after new rules are downloaded.

Some of you might ask what an Oinkcode is. It goes back to Sourcefire changing the license on the Snort rules: Sourcefire no longer packages its VRT ruleset with newer versions of Snort, and anyone who wants the rules has to register and obtain an oinkcode, which Oinkmaster then uses to fetch the ruleset. The /hw/docs/README.snortrules has an explanation of the licensing and how to use the latest "rule management", but doesn't mention where the old rule management went.
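For anyone who would rather not depend on the new Walleye menu, here is an added example (my own script, not code from this post or from the Honeywall itself) of what that menu does behind the scenes: run Oinkmaster against the oinkcode URL, and restart Snort only when the rule set actually changed and the new configuration passes `snort -T`. The rule-directory, snort.conf and oinkmaster.conf paths, the `/etc/init.d/snortd restart` command, and the snapshot URL format are assumptions for a typical sensor of that era; check them against your own honeywall before using it.

```shell
#!/bin/sh
# Assumed paths (override via environment); the init script name in
# particular may differ on a roo Honeywall.
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
OINK_CONF="${OINK_CONF:-/etc/oinkmaster.conf}"
SNORT_RESTART="${SNORT_RESTART:-/etc/init.d/snortd restart}"
# oinkmaster.conf is expected to carry the oinkcode URL, e.g. (format used
# by snort.org at the time; <oinkcode> is the code tied to your account):
#   url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.6.tar.gz

# Digest of every *.rules file (name + CRC + size), so the "did anything
# change?" decision does not depend on oinkmaster's exit status or output.
rules_digest() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        printf '%s ' "${f##*/}"
        cksum < "$f"
    done | cksum | cut -d' ' -f1
}

# Number of active (non-commented) rule lines across the directory; a
# failed or empty download should never be allowed to restart the sensor.
active_rule_count() {
    dir="$1"
    n=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        c=$(grep -c -E '^[[:space:]]*(alert|log|pass|drop|reject|sdrop)[[:space:]]' "$f" || true)
        n=$((n + c))
    done
    echo "$n"
}

update_rules() {
    before=$(rules_digest "$RULES_DIR")
    # oinkmaster.pl: -C config (holds the oinkcode URL), -o output dir, -q quiet
    if ! oinkmaster.pl -C "$OINK_CONF" -o "$RULES_DIR" -q; then
        echo "oinkmaster failed; leaving snort untouched" >&2
        return 1
    fi
    after=$(rules_digest "$RULES_DIR")
    if [ "$before" = "$after" ]; then
        echo "no rule changes; snort not restarted"
        return 0
    fi
    if [ "$(active_rule_count "$RULES_DIR")" -eq 0 ]; then
        echo "rules directory is empty after update; not restarting" >&2
        return 1
    fi
    # Validate the whole config with the new rules before restarting, so a
    # syntax error in a downloaded rule cannot take the sensor down.
    if ! snort -T -c "$SNORT_CONF" >/dev/null 2>&1; then
        echo "snort -T failed with the new rules; not restarting" >&2
        return 1
    fi
    $SNORT_RESTART
}

# Only perform the update when invoked as: sh snort-rule-update.sh --run
if [ "${1:-}" = "--run" ]; then
    update_rules
fi
```

To get the same auto-update schedule the new menu offers, drop the script in cron, for example `0 3 * * * /usr/local/bin/snort-rule-update.sh --run`; the digest check means a nightly run that fetches nothing new leaves Snort running with its existing state.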
I sent an email over to Lance and crew at the Honeynet Project, and it seems that the Snort rule management took a lot of their development time. For now I'll just have to manually upload the rules and insert them into the MySQL database myself.
However, cheers to a more stable and easy-to-use release becoming official soon!
Author: Landon Lewis
Posted: January 31st, 2007 under SCADA Honeynet, SCADA IDS.