Snort mailing list archives
Re: Etpro pulled pork question
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 10 Mar 2015 06:59:22 -0600
On Wed, 2015-02-18 at 10:56 -0700, James Lay wrote:
On 2015-02-17 02:20 PM, James Lay wrote:

On 2015-02-17 12:45 PM, Shirkdog wrote:

Thanks, I was about to say bug it and we will take a look.
--- Michael Shirk

<<<< redacted, long story short etpro rules and pulled pork issue with ignore >>>

And the last tidbit of this is for using the open-gpl emerging threats ruleset:

Prepping rules from emerging.rules.tar.gz for work....
extracting contents of /tmp/emerging.rules.tar.gz...
Ignoring plaintext rules: emerging-policy.rules
Extracted: /tha_rules/ET-emerging-snmp.rules

I noticed that these are extracted as ET-emerging-<ruleset name>.rules whereas etpro is extracted as ET-<ruleset name>.rules. I'm going to bet that has something to do with it.

James

So....as I continue to look at this, I see the below:

[17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
drwxr-xr-x root/root      0 2015-02-18 05:09 rules/
-rw-r--r-- root/root   8895 2015-02-18 05:09 rules/emerging-snmp.rules
-rw-r--r-- root/root   2243 2015-02-18 05:09 rules/emerging-icmp.rules
-rw-r--r-- root/root  28088 2015-02-18 05:09 rules/emerging-user_agents.rules
-rw-r--r-- root/root   1934 2015-02-18 05:09 rules/emerging-rbn.rules

[17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
drwxr-xr-x root/root      0 2015-02-13 21:06 rules/
-rw-r--r-- root/root 414746 2015-02-13 21:06 rules/exploit.rules
-rw-r--r-- root/root   7767 2015-02-13 21:06 rules/tftp.rules
-rw-r--r-- root/root  18958 2015-02-13 21:06 rules/misc.rules
-rw-r--r-- root/root  30016 2015-02-13 21:06 rules/ETPRO-License.txt

I think this explains it.....open rules are prepended with "emerging-", and the etpro rules are not. PP is expecting to see "emerging-" and isn't getting it...pp CAN'T ignore emerging-policy.rules because it doesn't exist. And specifying just policy.rules ignores both VRT and ETPro policy.rules.

I would recommend two things:

1) change the way etpro rules are delivered to prepend "etpro-" to each .rules file
2) add the additional stanza in pp to understand that a) rules with emerging- are open source emerging threats, b) rules with etpro- are ET Pro rules, and c) rules with nothing are considered VRT/Community Cisco/Sourcefire rules.

A possible other option would be to have PP perform the ignore after extraction when all the rules are in /tmp/tha_rules/. At that point we really could specify ET-policy.rules or VRT-policy.rules in the ignore= line and have it match since those files exist. The caveat would be that we might have to specify both ET-policy.rules and VRT-policy.rules instead of just policy.rules to ignore both sets. I guess we could call this a "rules collision attack" :).

Thanks all.

James
Requesting any movement on this and sending to Snort Users list as well. Thread should say it all. Thank you. James
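An added example, not from the thread and not PulledPork's own code: a small Python model of the basename-only ignore= matching the thread describes, showing that "emerging-policy.rules" matches nothing when only the ETPro and VRT tarballs are present, that "policy.rules" matches both of them, and that the proposed per-source prefix removes the collision. The member lists are the ones from the `tar tvf` output above plus a constructed VRT tarball (assumed name `vrt.rules.tar.gz`, unprefixed files).

```python
"""Model PulledPork-style ignore= matching on rule-file basenames (constructed data)."""
from collections import defaultdict

# Constructed sample: member names as the thread's `tar tvf` output listed them,
# plus an assumed VRT tarball whose .rules files carry no prefix (as the thread says).
TARBALLS = {
    "emerging.rules.tar.gz": ["rules/emerging-snmp.rules", "rules/emerging-icmp.rules",
                              "rules/emerging-policy.rules"],
    "etpro.rules.tar.gz": ["rules/exploit.rules", "rules/tftp.rules", "rules/policy.rules",
                           "rules/ETPRO-License.txt"],
    "vrt.rules.tar.gz": ["rules/policy.rules", "rules/exploit.rules"],  # assumed name
}
# The thread's proposal: tag each source so basenames become unique.
TAGS = {"etpro.rules.tar.gz": "etpro-", "vrt.rules.tar.gz": "VRT-"}

def basename(member):
    return member.rsplit("/", 1)[-1]

def match_ignores(tarballs, ignore):
    """For each ignore= entry, list the tarballs it hits; also return entries that hit nothing."""
    hits = defaultdict(list)
    for name in ignore:
        for tarball, members in tarballs.items():
            if any(basename(m) == name for m in members):
                hits[name].append(tarball)
    unmatched = [n for n in ignore if n not in hits]
    return dict(hits), unmatched

def collisions(tarballs):
    """Rule basenames present in more than one tarball: an ignore= entry cannot single one out."""
    seen = defaultdict(set)
    for tarball, members in tarballs.items():
        for m in members:
            if m.endswith(".rules"):
                seen[basename(m)].add(tarball)
    return {b: sorted(t) for b, t in seen.items() if len(t) > 1}

def disambiguate(tarballs, tags):
    """Apply the per-source prefix proposal and return the renamed member lists."""
    return {tb: [("rules/" + tags.get(tb, "") + basename(m)) if m.endswith(".rules") else m
                 for m in members]
            for tb, members in tarballs.items()}

if __name__ == "__main__":
    paid = {k: TARBALLS[k] for k in ("etpro.rules.tar.gz", "vrt.rules.tar.gz")}
    print(match_ignores(paid, ["emerging-policy.rules", "policy.rules"]))
    print(collisions(paid))
    print(collisions(disambiguate(paid, TAGS)))
```

Running the same check against a real download means replacing the constructed lists with the member names from `tarfile.open(path).getnames()`.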