search

Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0
0 stars 0 forks source link

pulledpork.conf ignoring preprocessor.preproc #125

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. subscribe to VRT rules
2. ignore=preprocessor.preproc
3. update rules, preprocessor.rules will get loaded 

What is the expected output? What do you see instead?
preprocessor.rules should not get processed, it does

What version of the product are you using? On what operating system?
0.6.1

Please provide any additional information below.

Seems like a bad regex expression.

Turns out this is happening (found it on a forum somewhere):

I think I may have figured out the issue with pulledpork not allowing
you to ignore the specific files if you just supply the name of them. As
it looks through the @ignore array, it looks for values you have
supplied that contain .preproc inside of them. Only these values will
replace .preproc with .rules for files located in the preproc_rules/
subdirectory of the extracted tarball.
---SNIP---
elsif ( $_ =~ /\.preproc/ ) {
print "\tIgnoring preprocessor rules: $_\n"
if ( $Verbose && !$Quiet );
my $preprocfile = $_;
$preprocfile =~ s/preproc/rules/;
$tar->remove("preproc_rules/$preprocfile");
}
---SNIP---
So if you add the following to your ignore= list in your pulledpork.conf
file, they *should* no longer be in your rules file (except there is a
bug in this code, so keep reading):
decoder.preproc,preprocessor.preproc,sensitive-data.preproc
However, there is a bug in this above code that is borking everything
up. If you just replace the string "preproc" with "rules" and one of
your files you are trying to disable is "preprocessor.rules" and you are
specifying the element "preprocessor.preproc" into the ignore array;
then when you apply this search replace to the "preprocessor.preproc"
then you end up with "rulesessor.rules" as the file name that pulledpork
tries to remove. Since that file doesn't exist, then you end up still
having all the preprocessor rules dumped into your snort.rules file. To
fix this, update the below line inside of pulledpork.pl:
From:
$preprocfile =~ s/preproc/rules/;
To:
$preprocfile =~ s/\.preproc/\.rules/;
This fixes the bug and allows you to keep using pulledpork.pl in a
completely automated fashion. Still some weirdness going on here though.
Can't figure out why this only startered happening to me after I got SO
rules working or did VRT just start adding all of these into the tarball
with their last release? Why does Snort's threshold.conf file get
ignored if the preprocessor rule is in the rules file?
-- Eoin

Original issue reported on code.google.com by r...@greener.ca on 29 Jan 2013 at 12:17

GoogleCodeExporter commented 9 years ago 
not sure when this was fixed but I was just looking at it and the code is in 
there so...

Original comment by Cummin...@gmail.com on 5 Jun 2013 at 8:43