pevma / rule2alert

Improvements of/over the original rule2alert
http://code.google.com/p/rule2alert/

error in Rule class constructor #3

Open waqas-latif opened 7 years ago

waqas-latif commented 7 years ago

I cloned the git and started the r2a out of the box, but it gave me the error of the constructor returning a value on the following command.

sudo python r2a.py -m "192.168.1.170" -e "192.168.120.240" -f ~/rule2alert/rules/blacklist.rules -w blacklist.pcap

```
Traceback (most recent call last):
  File "r2a.py", line 96, in main
    r = Rule(snort_rule)
TypeError: __init__() should return None
Parser failed - skipping rule

Loaded 0 rules succesfully!
```

I tried to fix the code but to no avail. It builds rules now but produces malformed packets. Could you please fix the issue?

Best regards

pevma commented 7 years ago

Hi,

Is that the only error produced? If there is more, could you please share it? Can you share the rules as well please, so I can try to reproduce? Thanks

waqas-latif commented 7 years ago

Following is the only rule I had in the blacklist.rules file.

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain datajunction.org - Gauss "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; reference:url,www.securelist.com/en/blog/208193767/Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; classtype:trojan-activity; sid:23802; rev:2;)

When I ran it, the DNS packet it built was malformed. I double checked by opening blacklist.pcap file in wireshark as well as in the build_packet method in PayloadGenerator where packets are produced, by calling wireshark() through scapy.

Thanks for your response.

dkindel commented 7 years ago

I ran into the same type of issue just now. It's likely caused by this code not handling the metadata keyword at all. I added the following code right before the else block with the "Unsupported keyword" print statement:

```python
if k == "metadata":
    continue
```

That way, it just won't do anything with the metadata flag. I do get some output in the pcap file I specify but I'm not 100% sure if it's all accurate since I don't have anything proper to compare against. At least some of the packets get read by snort and flagged as alerts properly. For me, not fully knowing if it's 100% accurate is good enough. For others, maybe not so much.
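The metadata handling dkindel describes, as an added example that is not rule2alert's own code: a minimal Snort-style rule option parser in which the names `Rule`, `RuleParseError`, `split_options`, `decode_content` and `load_rules` are hypothetical and the `SUPPORTED` keyword set is an assumption. It splits options on `;` only outside double quotes (so quoted `msg` text and comma-laden `metadata` values survive), decodes `|hex|` runs in `content` into bytes (for the rule in this thread that yields the label-encoded DNS name `\x0cdatajunction\x03org\x00`), records `metadata` instead of failing the rule, and reports every other parse problem by raising. Raising is also the only correct way for a constructor to signal failure: the `TypeError: __init__() should return None` in the traceback above is what Python raises when `__init__` executes a `return` with a value. The loader then skips the bad rule and counts it, which is the flow the "Parser failed - skipping rule" / "Loaded N rules" messages describe.

```python
# Added example (not rule2alert code). Constructed sample input: the rule quoted
# earlier in this thread. Helper names below are hypothetical.
from typing import Dict, List, Tuple

SAMPLE_RULE = (
    'alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known '
    'malware domain datajunction.org - Gauss "; flow:to_server; '
    'byte_test:1,!&,0xF8,2; content:"|0C|datajunction|03|org|00|"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, '
    'policy security-ips drop, service dns; reference:url,gauss.crysys.hu/; '
    'reference:url,www.securelist.com/en/blog/208193767/'
    'Gauss_Nation_state_cyber_surveillance_meets_banking_Trojan; '
    'classtype:trojan-activity; sid:23802; rev:2;)'
)

# Assumed set of keywords a packet generator acts on; anything else is an error.
SUPPORTED = {"msg", "flow", "content", "fast_pattern", "byte_test",
             "reference", "classtype", "sid", "rev"}
# Purely descriptive keywords: parse past them instead of rejecting the rule.
IGNORED = {"metadata"}


class RuleParseError(ValueError):
    """Raised for any rule the parser cannot handle; the loader skips that rule."""


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'k:v; k2:v2;' on ';' outside double quotes into (keyword, value) pairs."""
    pairs, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quote and ch == "\\" and i + 1 < len(body):  # keep escaped char as-is
            cur.append(body[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                k, _, v = tok.partition(":")
                pairs.append((k.strip(), v.strip()))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if in_quote:
        raise RuleParseError("unterminated quote in options")
    if "".join(cur).strip():
        raise RuleParseError("last option is missing its ';'")
    return pairs


def decode_content(value: str) -> bytes:
    """Turn a quoted content string with |hex| runs into raw bytes."""
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise RuleParseError("content value must be quoted")
    parts = value[1:-1].split("|")          # odd indexes are hex runs
    if len(parts) % 2 == 0:
        raise RuleParseError("unbalanced '|' in content")
    out = bytearray()
    for idx, part in enumerate(parts):
        out += bytes.fromhex(part) if idx % 2 else part.encode("latin-1")
    return bytes(out)


class Rule:
    """Parsed rule. __init__ only sets attributes and raises on failure; it must
    never 'return' a value, which is what produces the TypeError seen above."""

    def __init__(self, text: str) -> None:
        header, sep, rest = text.strip().partition("(")
        if not sep or not rest.endswith(")"):
            raise RuleParseError("rule options must be enclosed in parentheses")
        fields = header.split()
        if len(fields) != 7 or fields[4] not in ("->", "<>"):
            raise RuleParseError("bad rule header: %r" % header)
        (self.action, self.proto, self.src, self.sport,
         self.direction, self.dst, self.dport) = fields
        self.options: Dict[str, str] = {}
        self.contents: List[bytes] = []
        self.references: List[str] = []
        self.ignored: List[str] = []
        for k, v in split_options(rest[:-1]):
            if k in IGNORED:
                self.ignored.append(k)       # noted, but nothing to generate from it
            elif k == "content":
                self.contents.append(decode_content(v))
            elif k == "reference":
                self.references.append(v)
            elif k in SUPPORTED:
                self.options[k] = v
            else:
                raise RuleParseError("Unsupported keyword: %s" % k)


def load_rules(lines) -> Tuple[List[Rule], List[str]]:
    """Parse each non-comment line; return the rules plus one message per skipped rule."""
    rules, skipped = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(Rule(line))
        except RuleParseError as exc:
            skipped.append(str(exc))
    return rules, skipped
```

Calling `load_rules([SAMPLE_RULE])` returns one rule whose `contents[0]` is the decoded name bytes and whose `ignored` list holds `"metadata"`; a rule with an unknown keyword lands in the skipped list with its message instead of aborting the whole load. Whether a packet built from those bytes is a well-formed DNS query is a separate step this parser does not decide.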

pevma commented 7 years ago

@dkindel - thanks for looking it up! @waqas-latif - can you please confirm that if you remove the metadata keyword/value from the rule you would not have a problem?