pulledpork3

Wrong syntax in policy rule file

Open Amixtika opened this issue 1 year ago • 1 comments

When using the policy mode, the rules are created with invalid syntax. The following code change will resolve this issue:

```python
fh.write(f'{rule["action"]} (gid:{rule["gid"]}; sid:{rule["sid"]}; enable;)\n')
```

Note the added ; at the end of the line; this way SNORT loads the policy file correctly.

The instructions in the generated rules file are also incorrect. These can be updated with the following change:

```python
# Prepare rules for output
log.info(f'Writing rules to:  {conf.rule_path}')
# The brace lines are plain strings (no f prefix), so braces are written singly.
header = ('#-------------------------------------------------------------------\n'
          f'#  Rules file created by {SCRIPT_NAME}  at {conf.start_time}\n'
          '#  \n'
          '#  To Use this file: in your snort.lua, you need the following settings:\n'
          '#  ips =\n'
          '#  {\n'
          '#  rules = [\n'
          f'#      include = "{conf.rule_path}",\n'
          '#  ],\n')
if conf.rule_mode == 'policy':
    # Policy mode: close the ips block and open the detection block
    header += ('#  states = [\n'
               f'#      include "{conf.policy_path}",\n'
               '#  ],\n'
               '#      ...\n'
               '#  }\n#\n'
               '#  detection=\n'
               '#  {\n'
               '#      global_default_rule_state = false,\n')
# Close whichever block is still open (ips, or detection in policy mode)
header += '#      ...\n'
header += '#  }\n#\n'
```

Amixtika, Jun 25 '24 07:06
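A check for the syntax problem reported above, as an added example that is not part of the issue or of pulledpork3's own code. It assumes each policy line has the shape shown in the issue, `action (gid:N; sid:N; enable;)`, with every option terminated by `;`; the function names and the sample text are constructed for illustration.

```python
import re

# Shape of a policy-mode state line as written in the issue:
#   <action> (gid:<n>; sid:<n>; enable;)
# Assumption: every option inside the parentheses must end with ';'.
LINE_RE = re.compile(r'^(?P<action>\w+)\s*\((?P<body>.*)\)\s*$')
OPTION_RE = re.compile(r'^(gid|sid):\d+$|^enable$')


def check_policy_line(line):
    """Return a list of problems found in one rule-state line (empty if OK)."""
    stripped = line.strip()
    if not stripped or stripped.startswith('#'):
        return []                      # blank lines and comments are ignored
    m = LINE_RE.match(stripped)
    if not m:
        return ['not of the form "action (options)"']
    body = m.group('body').strip()
    problems = []
    if not body.endswith(';'):
        problems.append('last option is not terminated with ";"')
    seen = set()
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        if not OPTION_RE.match(opt):
            problems.append(f'unexpected option {opt!r}')
        seen.add(opt.split(':')[0])
    for required in ('gid', 'sid', 'enable'):
        if required not in seen:
            problems.append(f'missing option {required!r}')
    return problems


def check_policy_text(text):
    """Map 1-based line numbers to the problems found on each faulty line."""
    checked = ((n, check_policy_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return {n: problems for n, problems in checked if problems}


# Constructed sample: line 2 has the unterminated form the issue reports.
SAMPLE = (
    '# constructed sample, not real pulledpork output\n'
    'alert (gid:1; sid:1000001; enable)\n'
    'alert (gid:1; sid:1000002; enable;)\n'
    'drop (gid:1 sid:1000003; enable;)\n'
)

if __name__ == '__main__':
    for number, problems in check_policy_text(SAMPLE).items():
        print(f'line {number}: {"; ".join(problems)}')
```

Running it over a freshly generated policy file before reloading the sensor catches a malformed state line before the rule set is deployed.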

Pull request is the right way to post / propose your code changes.

Pull requests documentation

amishmm, Jun 25 '24 11:06