mateodx / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

Rules don't move when broken out #135

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Here's a great example.  I have my rules broken out via command line with -k.  
Rule 16719 is currently in:

VRT-file-other.rules as rev:3

and

VRT-web-client.rules as rev:2

This rule was moved from web-client to file-other...pulledpork should probably 
be able to deal with this.

Original issue reported on code.google.com by digital...@gmail.com on 16 Aug 2013 at 2:35

GoogleCodeExporter commented 8 years ago
Any thoughts on this?  I have over 200 duplicate rules in just the VRT set 
alone...

Original comment by digital...@gmail.com on 20 Aug 2013 at 12:56

GoogleCodeExporter commented 8 years ago
I'm not sure that this is a good idea. We don't touch them now due to the fact 
that users have custom rules files etc.  

The best idea here would be to track each extracted file (and its contents)... 
more logging and disk overhead... but when a file is removed we remove the 
file.  This will be added to the low priority feature request section.  
Suggestion in the meantime is to use the unified rules file.  This way you 
don't have this issue.

Original comment by Cummin...@gmail.com on 20 Aug 2013 at 2:27

GoogleCodeExporter commented 8 years ago
I have the same issue, even with the default merging of rules into a single 
file:

[/etc/snort/rules/pulledpork.rules:21067]
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; content:"POST"; http_method; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; content:"tmp"; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:1;)

[/etc/snort/rules/pulledpork.rules:53273]
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; content:"POST"; http_method; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; content:"tmp"; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:1;)

The duplicates have always been related to the Community set.

Jason "The Snake Roberts" Rochon

Original comment by jcroc...@uic.edu on 7 Nov 2014 at 9:00
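Both situations in this thread (sid 16719 present at rev:2 and rev:3 across two broken-out category files, and sid 29831 present twice at the same rev in the merged file) can be found before Snort loads the rules by indexing every `sid:` across the output files. The script below is an added example, not pulledpork's code; the rule lines in `SAMPLE_FILES` are constructed here and shortened to the fields that matter, and `load_rules_files` is a hypothetical helper for running the same check against real `.rules` files on disk.

```python
import re
import sys
from collections import defaultdict

# Constructed sample, modelled on the thread: sid 16719 in two category files
# at different revs, sid 29831 twice in one merged file at the same rev.
# Rule bodies are shortened; only sid/rev are needed for the check.
SAMPLE_FILES = {
    "VRT-web-client.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB-CLIENT example"; sid:16719; rev:2;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB-CLIENT other"; sid:16720; rev:1;)',
    ],
    "VRT-file-other.rules": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OTHER example"; sid:16719; rev:3;)',
    ],
    "pulledpork.rules": [
        "# comment line",
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; content:"/tmUnblock.cgi"; sid:29831; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; content:"/tmUnblock.cgi"; sid:29831; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def parse_line(line):
    """Return (sid, rev, enabled) for a rule line, or None for non-rule lines.

    A rule that pulledpork has disabled by commenting it out still carries a
    sid, so it is indexed with enabled=False rather than skipped.
    """
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    body = stripped.lstrip("# ")
    sid_m = SID_RE.search(body)
    if not sid_m:
        return None  # plain comment or malformed line
    rev_m = REV_RE.search(body)
    rev = int(rev_m.group(1)) if rev_m else 0  # missing rev treated as 0
    return int(sid_m.group(1)), rev, enabled


def index_rules(files):
    """Map each sid to every occurrence: [(file, lineno, rev, enabled), ...]."""
    index = defaultdict(list)
    for fname, lines in files.items():
        for lineno, line in enumerate(lines, start=1):
            parsed = parse_line(line)
            if parsed:
                sid, rev, enabled = parsed
                index[sid].append((fname, lineno, rev, enabled))
    return index


def find_duplicates(files):
    """Return {sid: occurrences} for every sid that is enabled more than once."""
    return {sid: occ for sid, occ in index_rules(files).items()
            if sum(1 for o in occ if o[3]) > 1}


def stale_copies(occurrences):
    """Occurrences of one sid whose rev is below the newest rev seen for it."""
    newest = max(o[2] for o in occurrences)
    return [o for o in occurrences if o[2] < newest]


def report(files):
    """Human-readable lines: each duplicated sid, its locations, and which copies are stale."""
    out = []
    for sid, occ in sorted(find_duplicates(files).items()):
        out.append(f"sid:{sid} appears {len(occ)} times")
        stale = set(stale_copies(occ))
        same_rev = len({o[2] for o in occ}) == 1
        for o in occ:
            fname, lineno, rev, _enabled = o
            tag = "STALE (older rev)" if o in stale else ("exact duplicate" if same_rev else "keep")
            out.append(f"  [{fname}:{lineno}] rev:{rev} {tag}")
    return out


def load_rules_files(paths):
    """Hypothetical helper: read real .rules files into the {name: [lines]} shape used above."""
    files = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            files[path] = fh.read().splitlines()
    return files


if __name__ == "__main__":
    target = load_rules_files(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_FILES
    print("\n".join(report(target)) or "no duplicate sids")
```

Run it with no arguments to see the constructed sample, or pass the files pulledpork wrote (`python dupsids.py /etc/snort/rules/*.rules`). A copy flagged as an older rev is the leftover from a category move, as with sid 16719; an exact duplicate at the same rev, as with sid 29831, points at the same rule being emitted twice and is worth raising against the ruleset rather than the local configuration.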