rule2alert
error in Rule class constructor
I cloned the git and started the r2a out of the box, but it gave me the error of the constructor returning a value on the following command:

```
sudo python r2a.py -m "192.168.1.170" -e "192.168.120.240" -f ~/rule2alert/rules/blacklist.rules -w blacklist.pcap
```

```
Traceback (most recent call last):
  File "r2a.py", line 96, in main
    r = Rule(snort_rule)
TypeError: __init__() should return None
Parser failed - skipping rule
Loaded 0 rules succesfully!
```

I tried to fix the code but to no avail. It builds rules now but produces malformed packets. Could you please fix the issue?
Best regards
Hi,
Is that the only error it produces? If there is more, could you please share it? Can you share the rules as well please, so I can try to reproduce. Thanks
The following is the only rule I had in the blacklist.rules file:

```
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)
```
When I ran it, the DNS packet it built was malformed. I double checked by opening the blacklist.pcap file in Wireshark, as well as in the build_packet method in PayloadGenerator where the packets are produced, by calling wireshark() through scapy.
Thanks for your response.
I ran into the same type of issue just now. It's likely caused by this code not handling the metadata keyword at all. I added the following code right before the else block with the "Unsupported keyword" print statement:

```python
# skip the annotation-only metadata option instead of treating it as unsupported
if k == "metadata":
    continue
```
That way, it just won't do anything with the metadata flag. I do get some output in the pcap file I specify but I'm not 100% sure if it's all accurate since I don't have anything proper to compare against. At least some of the packets get read by snort and flagged as alerts properly. For me, not fully knowing if it's 100% accurate is good enough. For others, maybe not so much.
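To show why skipping the annotation-only keywords is the right fix, here is an added example (not code from rule2alert, and not dkindel's patch) of a small Snort rule option parser in Python 3. It splits the option body on semicolons while respecting quoted strings (the `msg` text contains spaces and punctuation), classifies `msg`, `metadata`, `reference`, `classtype`, `sid` and `rev` as options that never affect the packet that would match, decodes the `|0C|...|00|` hex escapes in `content` into the bytes a generated DNS query would have to carry, and keeps the remaining payload options (`flow`, `byte_test`, `fast_pattern`) for later handling. The sample rule is the one quoted in this issue; the function and variable names are the example's own. The `TypeError: __init__() should return None` in the traceback is what Python raises whenever a constructor returns a value other than `None`, so a parser that wants to reject a rule should raise an exception, as `parse_rule` does here for a bad header, rather than `return` from `__init__`.

```python
from typing import Dict, List, Tuple

# Constructed sample: the rule quoted in this issue.
SAMPLE_RULE = (
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware '
    'domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; '
    'content:"|0C|datajunction|03|org|00|"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, '
    'service dns; reference:url,gauss.crysys.hu/; '
    'reference:url,www.securelist.com/en/blog/208193767/'
    'Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; '
    'classtype:trojan-activity; sid:23802; rev:2;)'
)

# Options that only annotate a rule; they never change which packet matches it.
NON_PAYLOAD_KEYWORDS = {"msg", "metadata", "reference", "classtype", "sid", "rev", "gid", "priority"}


def split_options(option_body: str) -> List[Tuple[str, str]]:
    """Split 'k:v; k; k:v;' into (keyword, value) pairs; ';' inside quotes is literal."""
    options: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = False

    def flush() -> None:
        token = "".join(buf).strip()
        if token:
            k, _, v = token.partition(":")
            options.append((k.strip(), v.strip()))
        buf.clear()

    for ch in option_body:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            flush()
        else:
            buf.append(ch)
    flush()
    return options


def decode_content(value: str) -> bytes:
    """Turn a Snort content string such as "|0C|datajunction|03|org|00|" into bytes."""
    value = value.strip()
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    out = bytearray()
    # Odd-numbered pieces of the split are the hex runs between pipe characters.
    for i, part in enumerate(value.split("|")):
        if i % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> Dict[str, object]:
    """Parse one Snort rule into header fields, decoded contents and payload options."""
    header, _, body = rule.partition("(")
    fields = header.split()
    if len(fields) != 7 or fields[4] != "->":
        # Raise instead of returning a value: returning from __init__ is what
        # produced the TypeError in the reported traceback.
        raise ValueError("unexpected rule header: %r" % header)
    body = body.rstrip().rstrip(")")
    parsed: Dict[str, object] = {
        "action": fields[0], "proto": fields[1],
        "src": fields[2], "sport": fields[3], "dst": fields[5], "dport": fields[6],
        "contents": [], "payload_options": [], "skipped": [],
    }
    for k, v in split_options(body):
        if k in NON_PAYLOAD_KEYWORDS:
            parsed["skipped"].append(k)          # type: ignore[union-attr]
        elif k == "content":
            parsed["contents"].append(decode_content(v))  # type: ignore[union-attr]
        else:
            parsed["payload_options"].append((k, v))      # type: ignore[union-attr]
    return parsed


if __name__ == "__main__":
    r = parse_rule(SAMPLE_RULE)
    print("skipped:", r["skipped"])
    print("payload options:", r["payload_options"])
    print("content bytes:", r["contents"])
```

Running it prints the seven skipped annotation keywords (including `metadata` once), the three payload options, and the single content `b'\x0cdatajunction\x03org\x00'`, which is the DNS label encoding of `datajunction.org` that a generated query has to carry for the rule to fire. Note that `byte_test:1,!&,0xF8,2` is kept as a payload option: it constrains byte 2 of the payload, so a generator that ignores it can still emit a packet the rule will not match.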
@dkindel - thanks for looking it up!
@waqas-latif - can you please confirm that if you remove the metadata keyword/value from the rule you would not have a problem?