Re: Etpro pulled pork question

[James Lay <jlay () slave-tothe-box net>]

On Wed, 2015-02-18 at 10:56 -0700, James Lay wrote:

> On 2015-02-17 02:20 PM, James Lay wrote:
> > On 2015-02-17 12:45 PM, Shirkdog wrote:
> > > Thanks, I was about to say bug it and we will take a look.
> > >
> > > ---
> > > Michael Shirk
>
> <<<< redacted, long story short etpro rules and pulled pork issue with 
> ignore >>>
>
> > And the last tidbit of this is for using the open-gpl emerging
> > threats ruleset:
> >
> > Prepping rules from emerging.rules.tar.gz for work....
> >         extracting contents of /tmp/emerging.rules.tar.gz...
> >         Ignoring plaintext rules: emerging-policy.rules
> >         Extracted: /tha_rules/ET-emerging-snmp.rules
> >
> > I noticed that these are extracted as ET-emerging-<ruleset
> > name>.rules whereas etpro is extracted as ET-<ruleset name>.rules.
> > I'm going to bet that has something to do with it.
> >
> > James
>
> So....as I continue to look at this, I see the below:
>
> [17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
> drwxr-xr-x root/root         0 2015-02-18 05:09 rules/
> -rw-r--r-- root/root      8895 2015-02-18 05:09 
> rules/emerging-snmp.rules
> -rw-r--r-- root/root      2243 2015-02-18 05:09 
> rules/emerging-icmp.rules
> -rw-r--r-- root/root     28088 2015-02-18 05:09 
> rules/emerging-user_agents.rules
> -rw-r--r-- root/root      1934 2015-02-18 05:09 
> rules/emerging-rbn.rules
> [17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
> drwxr-xr-x root/root         0 2015-02-13 21:06 rules/
> -rw-r--r-- root/root    414746 2015-02-13 21:06 rules/exploit.rules
> -rw-r--r-- root/root      7767 2015-02-13 21:06 rules/tftp.rules
> -rw-r--r-- root/root     18958 2015-02-13 21:06 rules/misc.rules
> -rw-r--r-- root/root     30016 2015-02-13 21:06 rules/ETPRO-License.txt
>
> I think this explains it.....open rules are prepended with "emerging-", 
> and the etpro rules are not.  PP is expecting to see "emerging-" and 
> isn't getting it...pp CAN'T ignore emerging-policy.rules because it 
> doesn't exist.  And specifying just policy.rules ignores both VRT and 
> ETPro policy.rules.  I would recommend two things:
>
> 1)  change the way etpro rules are delivered to prepend "etpro-" to 
> each .rules file
> 2)  add the additional stanza in pp to understand that a) rules with 
> emerging- are open source emerging threats, b) rules with etpro- are ET 
> Pro rules, and c) rules with nothing are considered VRT/Community 
> Cisco/Sourcfire rules.
>
> A possible other option would be to have PP preform the ignore after 
> extraction when all the rules are in /tmp/tha_rules/.  At that point we 
> really could specify ET-policy.rules or VRT-policy.rules in the ignore= 
> line and have it match since those file exists.  The caveat would be 
> that we might have to specify both ET-policy.rules and VRT-policy.rules 
> instead of just policy.rules to ignore both sets.
>
> I guess we could call this a "rules collision attack" :).
>
> Thanks all.
>
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net


Requesting any movement on this and sending to Snort Users list as well.
Thread should say it all.  Thank you.

James

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!