Razorback: A Intelligence Driven Security Framework!

Sourcefire’s Razorback Framework features an open source, distributed detection system, robust API set and a fully extensible database and data management system. It has been specifically designed with the needs of high-level incident response and detection teams. Razorback enables you to perform advanced processing of data and detection of events by fetching data as it traverses the network and even fetch data from a server. It is able to perform advanced event correlation since this framework works in a distributed fashion. You can consider it as the open source Snort NIDS front-end.

Since Razorback has to work in a distributed fashion, you can call it a collection of elements working together, where each element performs a discrete task and are tied together via the Dispatcher. The core is written in C language. Components are referred to as “Nuggets” that provide a different functionality each. These are the Nugget types that are available by default:



1. Correlation – It interacts with the database directly and tracks intrusions through the network. It also initiates defense updates.
2. Defense Update – Performs dynamic updates of multiple network devices.
3. Workstation – Provides analyst authentication and means to manage nugget components with alerts and events and system logs.
4. Data Collection – It capture data directly from the network or a network device directly or even from log files.
5. Data Detection/Analysis – Provides alerting feedback mechanism to the Dispatcher and handles incoming data from Collection Nuggets. It further splits incoming data into logical sub-blocks.
6. Output – It receives alert notification from Dispatcher and sends output data to relevant system.
7. Intelligence – Generates data that could potentially be used later for trending or event correlation.


The Dispatcher is one of the main components of this framework. It is database driven and handles all communication between nuggets.


The Razorback framework also features a custom post-mortem debugger that traps applications as they crash and sends the file that triggered the crash to Dispatcher with its metadata. The Data Detection/Analysis further contains the following nuggets:


1. Zynamics PDF Dissector – Handles deobfuscation and normalization of objects and targets known JavaScript attacks.
2. JavaScript Analyzer (w/ Zynamics) – Searchs for shellcode in unescaped blocks and heap sprays and obfuscation methods implemented on JavaScripts.
3. Shellcode Analyzer (w/ libemu) – Provides detection and execution of shellcode. It looks for code blocks that unwrap shellcode. Detects Win32 api hooking and even provide alerts that include shellcode action.
4. Office Cat Nugget – Supports full Office file parsing and provide a vulnerability centric detection against known threats.
5. SWF Nugget – Decompresses and analyzes flash and detects known flash threats.
6. ClamAV Nugget – Provides antivirus features to the framework.


The Output nugget is composed of the following output nuggets:


1. Deep Alerting System – Provides full logging output of all alerts
2. Maltego Interface – Provides data transformations targeting the Razorback database


Infact nuggets are so easy to be programmed that you can do them in any of the following languages:


* C
* Ruby
* Python
* Perl
* Or any other language that can wrap C code.

Razorback v0.1.3 (razorback-0.1.3.tar.gz) here.