Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Improve logging for flowbits logic #56

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Pulledpork detects if a flowbit is checked via 'isset' by an enabled-rule.  PP 
then automatically enables any rules that set that flowbit to ensure that the 
check behaves correctly, even if some of those rules are disabled in 
disablesid.conf.

While this behavior is generally desirable, it can cause confusion if users 
expect their disablesid.conf directives to be followed.  Pulledpork should 
generate a log-message about the conflict between flowbit logic and 
disablesid.conf directives.  It should definitely generate this message at 
higher verbosity levels, and maybe at the default level as well.

Original issue reported on code.google.com by mikeloc...@gmail.com on 6 Jan 2011 at 5:44

GoogleCodeExporter commented 9 years ago

Original comment by Cummin...@gmail.com on 6 Jan 2011 at 5:45

GoogleCodeExporter commented 9 years ago
Will review code to scope changes to implement. 

Original comment by alan.p...@transitiva.com on 6 Jan 2011 at 5:50

GoogleCodeExporter commented 9 years ago
Sorry man, I just committed the code (rev 199) that does this... but it could 
use some more info.. like what the calling rule is perhaps?

Setting Flowbit State....
  WARN - 1:9845 is re-enabled by a check of the http.m3u.download flowbit!
  Enabled 312 flowbits
  Enabled 50 flowbits
  Enabled 4 flowbits
  Enabled 2 flowbits

Original comment by Cummin...@gmail.com on 24 Jan 2011 at 7:13

GoogleCodeExporter commented 9 years ago

Original comment by Cummin...@gmail.com on 24 Jan 2011 at 7:19

GoogleCodeExporter commented 9 years ago
It looks like the reason that the name of the calling-rule is omitted is 
because you'd have to regex it out at the time of use?

Just knowing which rule was enabled due to what flowbit is much better. If 
someone wants to write the regex to extract the calling-name later that's not 
too difficult.

Original comment by mikeloc...@gmail.com on 24 Jan 2011 at 9:14

GoogleCodeExporter commented 9 years ago
Those were my thoughts, or even use grep.. for those that may read
this in the future..

grep '^alert' /path/to/snort.rules | grep -E ':is(un)?set,<yourflowbithere>'

Thanks Mike!

Original comment by Cummin...@gmail.com on 24 Jan 2011 at 9:22
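The behaviour discussed in this thread (an enabled rule that checks a flowbit forces the rules that set that flowbit back on, and the warning should name the calling rule) is shown below as an added example in Python. It is not pulledpork's own Perl code and does not reproduce its internals; the rule lines are constructed for the example, the regexes are this example's own, and treating `isnotset` as a check in the same way as `isset` is an assumption, not something the thread confirms.

```python
import re
from collections import defaultdict

# Constructed sample ruleset, not pulledpork's code or a real Snort ruleset.
# 1:9845 sets the flowbit and is commented out, as pulledpork does for a SID
# listed in disablesid.conf. 1:9846 checks it with isset and is enabled.
# 1:9847 is a disabled setter nobody checks, so it must stay disabled.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE m3u request"; flow:to_server; content:".m3u"; flowbits:set,http.m3u.download; flowbits:noalert; sid:9845; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE m3u download"; flow:to_client; flowbits:isset,http.m3u.download; content:"#EXTM3U"; sid:9846; rev:1;)
# alert tcp any any -> any any (msg:"EXAMPLE unrelated disabled"; flowbits:set,other.bit; sid:9847; rev:1;)
alert tcp any any -> any any (msg:"EXAMPLE unset check"; flowbits:isnotset,http.m3u.download; sid:9848; rev:1;)
"""

# A leading '#' marks a rule that disablesid.conf has switched off.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?(?P<body>alert\s.*\(.*\))\s*$')
SID_RE = re.compile(r'sid:\s*(\d+)\s*;')
GID_RE = re.compile(r'gid:\s*(\d+)\s*;')
# Captures "flowbits:<op>,<name>"; ops without a name (noalert) do not match.
FLOWBITS_RE = re.compile(r'flowbits:\s*(?P<op>[a-z]+)\s*,\s*(?P<name>[^;\s]+)')

SET_OPS = ('set', 'setx', 'toggle')
CHECK_OPS = ('isset', 'isnotset')   # assumption: both count as a check


def parse_rules(text):
    """Return one dict per rule: gid:sid, enabled flag and its flowbit ops."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        body = m.group('body')
        sid = SID_RE.search(body)
        if not sid:
            continue
        gid = GID_RE.search(body)
        gid_sid = f"{gid.group(1) if gid else '1'}:{sid.group(1)}"
        bits = [(fb.group('op'), fb.group('name')) for fb in FLOWBITS_RE.finditer(body)]
        rules.append({'id': gid_sid, 'enabled': m.group('disabled') is None,
                      'flowbits': bits})
    return rules


def resolve_flowbits(rules, log):
    """Re-enable every setter of a flowbit that an enabled rule checks.

    Returns {re-enabled rule id: (flowbit, id of the rule whose check caused it)}
    so the warning can name the calling rule, which the thread asked for.
    """
    setters = defaultdict(list)          # flowbit name -> rules that set it
    for r in rules:
        for op, name in r['flowbits']:
            if op in SET_OPS:
                setters[name].append(r)
    reenabled = {}
    for r in rules:
        if not r['enabled']:
            continue                     # only enabled checks pull setters in
        for op, name in r['flowbits']:
            if op not in CHECK_OPS:
                continue
            for bit in re.split(r'[&|]', name):   # isset,a&b checks several bits
                for s in setters.get(bit, []):
                    if not s['enabled']:
                        s['enabled'] = True
                        reenabled[s['id']] = (bit, r['id'])
                        log(f"WARN - {s['id']} is re-enabled by a check of the "
                            f"{bit} flowbit in rule {r['id']}!")
    return reenabled


def run(text=SAMPLE_RULES):
    """Parse, resolve and collect the warnings; returns (reenabled, messages)."""
    messages = []
    reenabled = resolve_flowbits(parse_rules(text), messages.append)
    return reenabled, messages


if __name__ == '__main__':
    print("Setting Flowbit State....")
    for msg in run()[1]:
        print("  " + msg)
```

Running the block prints one warning, for 1:9845, naming http.m3u.download and 1:9846 as the rule whose isset check caused the re-enable; 1:9847 stays disabled because nothing enabled checks other.bit. Keeping the checker's id in the returned mapping is what makes the extra information cheap: it is known at resolution time, so no later regex over the rules file is needed.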