pulledpork
Unable to ignore ET Pro rulesets
Made the switch from et open to et pro. Using PP7.0, command line is here:
/opt/bin/pulledpork.pl -v -l -P -c /opt/etc/snort/pp.conf
ignore=emerging-policy.rules doesn't work
Prepping rules from etpro.rules.tar.gz for work....
extracting contents of /tmp/etpro.rules.tar.gz...
Ignoring plaintext rules: emerging-policy.rules
Extracted: /tha_rules/ET-policy.rules
grep 2012889 ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2;)
ignore=ET-policy.rules doesn't work:
Prepping rules from etpro.rules.tar.gz for work....
extracting contents of /tmp/etpro.rules.tar.gz...
Ignoring plaintext rules: ET-policy.rules
Extracted: /tha_rules/ET-policy.rules
grep 2012889 ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2;)
ignore=et-policy doesn't work:
Prepping rules from etpro.rules.tar.gz for work....
extracting contents of /tmp/etpro.rules.tar.gz...
Ignoring plaintext rules: et-policy.rules
Extracted: /tha_rules/ET-policy.rules
grep 2012889 ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2;)
ignore=policy.rules does:
Prepping rules from etpro.rules.tar.gz for work....
extracting contents of /tmp/etpro.rules.tar.gz...
Ignoring plaintext rules: policy.rules
grep 2012889 ~/snort/rules/rules.rules
This however nukes the VRT-policy.rules:
Prepping rules from snortrules-snapshot-2970.tar.gz for work....
extracting contents of /tmp/snortrules-snapshot-2970.tar.gz...
Ignoring plaintext rules: policy.rules
How does one manage to do this with PP? Thank you.
Original issue reported on code.google.com by [email protected]
on 17 Feb 2015 at 5:46
So....as I continue to look at this, I see the below:
[17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
drwxr-xr-x root/root 0 2015-02-18 05:09 rules/
-rw-r--r-- root/root 8895 2015-02-18 05:09 rules/emerging-snmp.rules
-rw-r--r-- root/root 2243 2015-02-18 05:09 rules/emerging-icmp.rules
-rw-r--r-- root/root 28088 2015-02-18 05:09 rules/emerging-user_agents.rules
-rw-r--r-- root/root 1934 2015-02-18 05:09 rules/emerging-rbn.rules
[17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
drwxr-xr-x root/root 0 2015-02-13 21:06 rules/
-rw-r--r-- root/root 414746 2015-02-13 21:06 rules/exploit.rules
-rw-r--r-- root/root 7767 2015-02-13 21:06 rules/tftp.rules
-rw-r--r-- root/root 18958 2015-02-13 21:06 rules/misc.rules
-rw-r--r-- root/root 30016 2015-02-13 21:06 rules/ETPRO-License.txt
I think this explains it.....open rules are prepended with "emerging-", and the etpro rules are not. PP is expecting to see "emerging-" and isn't getting it...pp CAN'T ignore emerging-policy.rules because it doesn't exist. And specifying just policy.rules ignores both VRT and ETPro policy.rules. I would recommend two things:
1) change the way etpro rules are delivered to prepend "etpro-" to each .rules file
2) add the additional stanza in pp to understand that a) rules with emerging- are open source emerging threats, b) rules with etpro- are ET Pro rules, and c) rules with nothing are considered VRT/Community Cisco/Sourcefire rules.
A possible other option would be to have PP perform the ignore after extraction when all the rules are in /tmp/tha_rules/. At that point we really could specify ET-policy.rules or VRT-policy.rules in the ignore= line and have it match since those files exist. The caveat would be that we might have to specify both ET-policy.rules and VRT-policy.rules instead of just policy.rules to ignore both sets.
Original comment by [email protected]
on 19 Feb 2015 at 11:54
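To make the mismatch concrete, here is an added Python model (not pulledpork's own code) of the two matching points discussed in the comment above: matching ignore= entries against tarball member names before extraction, versus against the ET-/VRT-prefixed names after extraction. The tarball listings, the prefix map and the matching rules are assumptions constructed from the output quoted in this thread.

```python
import os

# Constructed tarball listings, abbreviated from the `tar tvf` output in the thread.
# The presence of emerging-policy.rules in the ET open tarball is assumed.
ET_OPEN_TARBALL = ["rules/emerging-snmp.rules", "rules/emerging-policy.rules"]
ET_PRO_TARBALL = ["rules/exploit.rules", "rules/policy.rules", "rules/tftp.rules"]
VRT_TARBALL = ["rules/policy.rules", "rules/exploit.rules"]

# Prefix each source gets when written to /tmp/tha_rules/ (ET-policy.rules and
# VRT-policy.rules appear in the thread; the mapping itself is an assumption).
SOURCE_PREFIX = {"etopen": "ET-", "etpro": "ET-", "vrt": "VRT-"}


def tarball_stage_ignores(members, ignore):
    """Pre-extraction matching (assumed): compare each ignore= entry against the
    tarball member's basename. emerging-policy.rules can never match a member of
    the ET Pro tarball, and policy.rules matches the ET Pro and VRT tarballs alike."""
    wanted = set(ignore)
    return sorted(m for m in members if os.path.basename(m) in wanted)


def extract(source, members):
    """Names the members would carry after extraction, e.g. rules/policy.rules
    from the ET Pro tarball becomes ET-policy.rules."""
    return [SOURCE_PREFIX[source] + os.path.basename(m) for m in members]


def post_extraction_ignores(extracted, ignore):
    """Post-extraction matching, the alternative proposed in the thread: an entry
    matches an extracted file either exactly (ET-policy.rules, VRT-policy.rules)
    or, with the source prefix stripped, as a bare name (policy.rules hits both).
    `extracted` maps source -> list of extracted basenames."""
    wanted = set(ignore)
    ignored = []
    for source, names in extracted.items():
        prefix = SOURCE_PREFIX[source]
        for name in names:
            bare = name[len(prefix):] if name.startswith(prefix) else name
            if name in wanted or bare in wanted:
                ignored.append(name)
    return sorted(ignored)


if __name__ == "__main__":
    print("tarball stage, etpro, emerging-policy.rules:",
          tarball_stage_ignores(ET_PRO_TARBALL, ["emerging-policy.rules"]))
    tha_rules = {"etpro": extract("etpro", ET_PRO_TARBALL), "vrt": extract("vrt", VRT_TARBALL)}
    print("post-extraction, ET-policy.rules:", post_extraction_ignores(tha_rules, ["ET-policy.rules"]))
    print("post-extraction, policy.rules:", post_extraction_ignores(tha_rules, ["policy.rules"]))
```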
Any movement on this at all? I am unable to put the rules that I've purchased
into play until this is resolved. Thank you.
Original comment by [email protected]
on 4 Mar 2015 at 7:33
I'll handle this one.
Original comment by [email protected]
on 10 Mar 2015 at 10:06
- Changed state: Accepted
I now have the ability to test all rulesets; it appears ignoring is not currently working for anything. This will be the use-case for how things should be working.
For now, moving this to 0.7.3, as this will take longer to resolve.