
Re-enable disabled emerging threats rules if VRT rules policy is changed

Open stan-prescott opened this issue 7 years ago • 12 comments

The current method of disabling all emerging threats alerts in the ET rules files doesn't allow the rules to be re-enabled if the user decides they do not want to use the previously selected rules policy. It would be very useful, and much more convenient for those who use both VRT rules and ET rules, to be able to preserve any tuning they have done of ET rules if they decide to go with a VRT policy after establishing their ET rules. Since ET rules do not participate in the VRT rules policy, at the very least I would suggest disabling the ET rules by disabling (commenting out) the includes in the snort.conf file, so as not to alter any edits a user has made to their ET rules, or perhaps even just not changing the ET rules at all and allowing the user to make any changes to the ET rules as they see fit.

stan-prescott avatar Apr 05 '17 18:04 stan-prescott
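A minimal illustration of the behaviour the issue asks for, written as an added example for this page and not pulledpork's own code: rules commented out by the policy switch carry a distinct marker (a hypothetical `#policy-disabled# ` prefix, not a pulledpork convention) so that restoring the "no policy" state re-enables only those lines and leaves the user's own `#`-disabled tuning untouched. The rules file is constructed for the example.

```python
import re

# Constructed sample ET rules file: two active rules and one the user disabled by hand.
SAMPLE_RULES = """\
# Emerging Threats sample file (constructed for this example)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET SAMPLE one"; sid:2000001; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET SAMPLE two"; sid:2000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"ET SAMPLE three"; sid:2000003; rev:1;)
"""

# Hypothetical marker distinguishing policy-disabled rules from user-disabled ones.
POLICY_MARKER = "#policy-disabled# "

# A live rule line starts with a Snort action keyword; "# alert ..." does not match.
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")


def disable_for_policy(text):
    """Comment out every active rule with the policy marker; leave all other lines alone."""
    out = []
    for line in text.splitlines():
        out.append(POLICY_MARKER + line if RULE_RE.match(line) else line)
    return "\n".join(out) + "\n"


def restore_from_policy(text):
    """Re-enable only the rules the policy switch disabled; user '#' comments stay."""
    out = []
    for line in text.splitlines():
        out.append(line[len(POLICY_MARKER):] if line.startswith(POLICY_MARKER) else line)
    return "\n".join(out) + "\n"


def active_sids(text):
    """Return the sids of rules that are currently enabled, in file order."""
    sids = []
    for line in text.splitlines():
        if RULE_RE.match(line):
            m = re.search(r"sid:(\d+);", line)
            if m:
                sids.append(int(m.group(1)))
    return sids


if __name__ == "__main__":
    disabled = disable_for_policy(SAMPLE_RULES)
    print("active after policy switch:", active_sids(disabled))
    print("active after restore:", active_sids(restore_from_policy(disabled)))
```

Rule 2000002 stays commented out through both transitions because it never carried the marker, which is exactly the tuning the issue wants preserved.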

I asked our lead developer (Neal Murphy) for our firewall distro (Smoothwall Express 3.1) to try modifying the pulledpork.pl script to add the ability for users to switch between different VRT policies (connectivity, balanced and security) or back to a "nopolicy" state and to re-enable the ET rules when switching back to a "nopolicy" state.

I have a working pulledpork.pl script available for anyone to try out if they are interested. I would be happy to make it available in whatever way is appropriate. I don't want to step on any toes by doing this.

stan-prescott avatar Apr 11 '17 14:04 stan-prescott

Work it up as a pull request and send it over, I will take a look and merge it in. Going forward, the current "release" will be stable, but anything like this will be reviewed and brought in for others to test.

shirkdog avatar Apr 11 '17 16:04 shirkdog

I'll do that. Thanks!


stan-prescott avatar Apr 11 '17 16:04 stan-prescott

@shirkdog I sent an email to your daemon-security address with a patch attached for the changes. If you need a pull request instead, let me know and we can try to set up a SourceForge repo to pull from.

stan-prescott avatar Apr 12 '17 12:04 stan-prescott

I received it, and will take a look and review.

shirkdog avatar Apr 12 '17 17:04 shirkdog

I just discovered an error with those changes to pulledpork.pl for handling VRT policy changes. Apparently when downloading the VRT rules a fatal error occurs in the script when using those changes. I apologize for that. I will find a fix and resubmit to you.


stan-prescott avatar Apr 16 '17 20:04 stan-prescott

Upon further testing, the original changes I provided for re-enabling the ET rules when changing back to a "No policy" state for the VRT and VRT Community rules, and for allowing switching between the different security policy states, do work correctly and do not cause issues with downloading the VRT rule sets. The issues with downloading the VRT rule sets seem to be related to other changes we made to the pulledpork.pl script for our snort installation.

The patch I provided for evaluating these changes does seem to work correctly, if you are still interested in evaluating those changes.

stan-prescott avatar Apr 25 '17 19:04 stan-prescott

I am trying to get Suricata working on our firewall and am attempting to use pulledpork to manage rules for it. I am able to download the emerging threats rules and process them but cannot seem to successfully download the VRT SourceFire rules. I have enabled the URL for the VRT rules:

rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|

and I have set the snort version to suricata-3.2.1:

snort_version=suricata-3.2.1

in pulledpork.conf. When pulledpork attempts to download the VRT rules it generates an error message. This error message indicates that pulledpork.pl is attempting to put "suricata-3.2.1" where the snort version goes in the rules download URL: http://www.snort.org/reg-rules/snortrules-snapshot-suricata-3.2.1.tar.gz

What is the correct way to tell pulledpork to download the VRT rules for Suricata?


stan-prescott avatar May 17 '17 23:05 stan-prescott

There are no Talos rules for Suricata.

vrtadmin avatar May 17 '17 23:05 vrtadmin

The Suricata documentation says it can use the ET and VRT rules. Is that no longer true?


stan-prescott avatar May 18 '17 04:05 stan-prescott

I don't know how entirely accurate that is. I know it can use some of them.


vrtadmin avatar May 18 '17 11:05 vrtadmin

I have this patch and will have to take a look at this in the next release. policy-enable-disable.patch.gz

shirkdog avatar Dec 06 '17 18:12 shirkdog