Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Ignore Categories Directive doesn't affect so_rules #55

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Add a category (for example, 'dos') to the "ignore" list in pulledpork.conf
2. Run pulled-pork.
3. Check the resulting so_rules.rules file.

What is the expected output? What do you see instead?
I expected to find no rules associated with the relevant category; instead, they 
were present.

What version of the product are you using? On what operating system?
Relatively recent CVS on RHEL 5.4.

Please provide any additional information below.
I further checked the source to confirm that rules and preproc_rules are 
getting handled in the @ignores section of the rules_extract function, but 
so_rules are not getting handled.  This bug looks to be present in trunk as 
well.

Original issue reported on code.google.com by mikeloc...@gmail.com on 5 Jan 2011 at 10:01

GoogleCodeExporter commented 9 years ago
Looking into this, I'll attempt to duplicate and post an update shortly

Original comment by Cummin...@gmail.com on 5 Jan 2011 at 10:27

GoogleCodeExporter commented 9 years ago
Committed Revision 192 - Needs testing though!

Original comment by Cummin...@gmail.com on 6 Jan 2011 at 7:53

GoogleCodeExporter commented 9 years ago
It's more lines of code, but what about this:

    foreach (@ignores) {
        if ($_ =~ /\.rules/) {
            # Explicit .rules suffix: drop only the gid 1 text rulefile.
            print "\tIgnoring rules/$_\n" if ($Verbose && !$Quiet);
            $tar->remove("rules/$_");
        } elsif ($_ =~ /\.preproc/) {
            # Unlike .rules or .so, .preproc isn't a real suffix in
            # the tarball.  Extract the base-filename with a split
            # (list assignment takes the first element directly).
            my ($ignore_prefix) = split( /\./, $_ );
            print "\tIgnoring preproc_rules/$ignore_prefix.rules\n" if ($Verbose && !$Quiet);
            $tar->remove("preproc_rules/$ignore_prefix.rules");
        } elsif ($_ =~ /\.so/) {
            # Explicit .so suffix: drop only the precompiled shared object.
            print "\tIgnoring so_rules/precompiled/$Distro/$arch/$Snort/$_\n" if ($Verbose && !$Quiet);
            $tar->remove("so_rules/precompiled/$Distro/$arch/$Snort/$_");
        } else {
            # If no suffix is specified, ignore the category everywhere.
            print "\tIgnoring category: $_\n" if ($Verbose && !$Quiet);
            $tar->remove("rules/$_.rules");
            $tar->remove("preproc_rules/$_.rules");
            $tar->remove("so_rules/precompiled/$Distro/$arch/$Snort/$_.so");
        }
    }

Rather than treating .so files specially, it
  1) Makes the current syntax do what most people expect it to do now, ignore
     everything including .so files.
  2) If you add a .rules suffix, we ignore only the gid 1 rulefile.
  3) If you add a .preproc suffix, we ignore only the preprocessor rulefile.
  4) If you add a .so suffix, we ignore only the shared-object file.

The config-file comment could be:

# Specify rule categories to ignore from the tarball in a comma separated list
# with no spaces.  There are four ways to do this:
# 1) Specify the category name with no suffix at all to ignore the category
#    regardless of what rule-type it is, ie: netbios
# 2) Specify the category name with a '.rules' suffix to ignore only gid 1
#    rulefiles located in the /rules directory of the tarball, ie: policy.rules
# 3) Specify the category name with a '.preproc' suffix to ignore only
#    preprocessor rules located in the /preproc_rules directory of the tarball,
#    ie: sensitive-data.preproc
# 4) Specify the category name with a '.so' suffix to ignore only shared-object
#    rules located in the /so_rules directory of the tarball, ie: netbios.so
# The example below ignores dos rules wherever they may appear, sensitive-
# data preprocessor rules, p2p so-rules (while including gid 1 p2p rules),
# and netbios gid-1 rules (while including netbios so-rules):
# ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules
# These defaults are reasonable for the VRT ruleset with Snort 2.9.0.x.
ignore=deleted,experimental,local
# IMPORTANT, if you are NOT yet using 2.8.6 then you MUST comment out the
# previous ignore line and uncomment the following!
# ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data

Original comment by mikeloc...@gmail.com on 7 Jan 2011 at 12:41
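The four-suffix ignore syntax proposed in the comment above, worked through as a stand-alone Perl script. This is an added example, not pulledpork's own code: it resolves each `ignore=` entry into the tarball member paths it would remove and then filters a constructed member list, so you can see which files survive `ignore = dos,sensitive-data.preproc,p2p.so,netbios.rules` before touching a real tarball. The precompiled so_rules directory layout (`so_rules/precompiled/<distro>/<arch>/<snort version>`) and the member names are assumptions for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not pulledpork code): resolve the proposed ignore-suffix
# forms into tarball paths and apply them to a constructed member list.
use strict;
use warnings;

# Map one ignore entry to the tarball paths it should remove.
# $so_dir is the precompiled shared-object directory; the layout below
# is assumed for this example.
sub paths_for_ignore {
    my ($entry, $so_dir) = @_;
    $entry =~ s/^\s+|\s+$//g;        # tolerate stray whitespace around entries
    return () if $entry eq '';       # skip empty entries from trailing commas
    if ($entry =~ /^(.+)\.rules$/) {     # 2) gid 1 text rulefile only
        return ("rules/$1.rules");
    }
    if ($entry =~ /^(.+)\.preproc$/) {   # 3) preprocessor rulefile only
        return ("preproc_rules/$1.rules");
    }
    if ($entry =~ /^(.+)\.so$/) {        # 4) shared-object file only
        return ("$so_dir/$1.so");
    }
    # 1) bare category name: ignore it everywhere
    return (
        "rules/$entry.rules",
        "preproc_rules/$entry.rules",
        "$so_dir/$entry.so",
    );
}

# Expand a comma-separated ignore= value into a set of paths to remove.
sub ignore_set {
    my ($ignore_value, $so_dir) = @_;
    my %remove;
    for my $entry (split /,/, $ignore_value) {
        $remove{$_} = 1 for paths_for_ignore($entry, $so_dir);
    }
    return \%remove;
}

# Return the tarball members that survive the ignore list.
sub filter_members {
    my ($members, $ignore_value, $so_dir) = @_;
    my $remove = ignore_set($ignore_value, $so_dir);
    return [ grep { !$remove->{$_} } @$members ];
}

# Constructed member list; not a real VRT tarball listing.
my $so_dir  = 'so_rules/precompiled/RHEL-5.4/x86-64/2.9.0.3';
my @members = (
    'rules/dos.rules', 'rules/p2p.rules', 'rules/netbios.rules', 'rules/web-misc.rules',
    'preproc_rules/dos.rules', 'preproc_rules/sensitive-data.rules', 'preproc_rules/decoder.rules',
    "$so_dir/dos.so", "$so_dir/p2p.so", "$so_dir/netbios.so", "$so_dir/web-misc.so",
);

my $ignore = 'dos,sensitive-data.preproc,p2p.so,netbios.rules';
my $kept   = filter_members(\@members, $ignore, $so_dir);
print "kept after ignore=$ignore:\n";
print "  $_\n" for @$kept;
```

Running it keeps `rules/p2p.rules`, `rules/web-misc.rules`, `preproc_rules/decoder.rules`, `netbios.so` and `web-misc.so`, and drops every `dos` file, the `sensitive-data` preprocessor rules, `p2p.so` and `rules/netbios.rules`, which is exactly the behaviour the proposed config-file comment describes. The suffix checks are anchored with `$` and test `.rules` before `.so` so that an entry is classified by its final suffix only.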

GoogleCodeExporter commented 9 years ago
Kinda what I was talking about on irc, but a bit better, I'll go ahead and 
implement.

Original comment by Cummin...@gmail.com on 7 Jan 2011 at 1:25

GoogleCodeExporter commented 9 years ago
Committed revision 195.

Original comment by Cummin...@gmail.com on 7 Jan 2011 at 3:42