Quantalytics / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Rules enabled AFTER the modifysid code executes (0.6.1) #79

GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
== Initial finding ==
Discovered when attempting to modify ET-2000419 and ET-2010869 (disabled by 
default in the ET ruleset).

== modifysid.conf ==
2000419,2010869, "\$EXTERNAL_NET" "!$FOO_BAR";

== Results ==
ET-2000419 and ET-2010869 are unchanged.

== Using ==
Version: 0.6.1
Operating system: Gentoo Linux amd64

== Additional info ==
From: JJC
To: PigFan <tony@tonypc.com>
Date: Tue, Jun 7, 2011 at 8:10 AM

Interesting deal, I found the issue... the rules are disabled by default in the 
ET ruleset, however they have flowbits that are being called by enabled rules.. 
so they are enabled AFTER the modifysid code executes, and for efficiency 
modifysid will only run on enabled rules.. a trivial fix but I'll have to do a 
little performance testing to see why.

Original issue reported on code.google.com by ito...@gmail.com on 7 Jun 2011 at 5:27
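
A simplified model of the ordering problem JJC describes, added here as an example; it is not pulledpork's code. The rule text, SID 9000001, the flowbit names and every function name are constructed for illustration, and running flowbit resolution before the substitution is an assumed ordering, not a description of the actual fix.

```python
import re

# Constructed sample rules (not real ET rule text). A leading '#' marks a disabled rule.
RULES = {
    2000419: '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"setter A"; flowbits:set,demo.a; flowbits:noalert; sid:2000419;)',
    2010869: '# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"setter B"; flowbits:set,demo.b; flowbits:noalert; sid:2010869;)',
    9000001: 'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"checker"; flowbits:isset,demo.a; flowbits:isset,demo.b; sid:9000001;)',
}
# SID list, "what" pattern and replacement taken from the modifysid.conf line in the report.
SIDS, WHAT, WITH = [2000419, 2010869], r'\$EXTERNAL_NET', '!$FOO_BAR'

def enabled(rule):
    return not rule.lstrip().startswith('#')

def modifysid(rules):
    """Substitute in the listed SIDs, skipping disabled rules (behaviour described in the thread)."""
    for sid in SIDS:
        if sid in rules and enabled(rules[sid]):
            rules[sid] = re.sub(WHAT, WITH, rules[sid])

def resolve_flowbits(rules):
    """Enable disabled rules that set a flowbit an enabled rule checks; repeat until stable."""
    changed = True
    while changed:
        changed = False
        needed = {bit for r in rules.values() if enabled(r)
                  for bit in re.findall(r'flowbits:\s*(?:isset|isnotset),\s*([\w.]+)', r)}
        for sid, r in list(rules.items()):
            sets = re.findall(r'flowbits:\s*(?:set|toggle),\s*([\w.]+)', r)
            if not enabled(r) and needed.intersection(sets):
                rules[sid] = r.lstrip('# ')  # uncomment the rule
                changed = True

def run(*steps):
    """Apply the pipeline steps, in the given order, to a fresh copy of the sample rules."""
    rules = dict(RULES)
    for step in steps:
        step(rules)
    return rules

def audit(rules):
    """SIDs from modifysid.conf that ended up enabled but still match the 'what' pattern."""
    return [sid for sid in SIDS if enabled(rules[sid]) and re.search(WHAT, rules[sid])]

if __name__ == '__main__':
    print('modifysid first:', audit(run(modifysid, resolve_flowbits)))
    print('flowbits first: ', audit(run(resolve_flowbits, modifysid)))
```

The `audit` check works on any generated rule set: a SID listed in modifysid.conf that is enabled and still matches its "what" pattern means the modification was silently skipped.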

GoogleCodeExporter commented 9 years ago
In today's commit this was fixed, thanks for the report!

Original comment by Cummin...@gmail.com on 8 Jun 2011 at 12:11