shift / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

PP 0.6.0Dev overwrites rule files when using ETPro + VRT #66

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use ETPro+VRT rulesets at the same time

What is the expected output? What do you see instead?
The ETPro ruleset's files are named the same as the VRT files (no emerging- 
prefix).  The end result is that, whenever the rules are extracted, whatever 
ruleset is listed second in the config overwrites the files from the first (for 
the files whose names match).

When using the free version of ET, this isn't an issue as the files are all 
named emerging-category.rules.

What version of the product are you using? On what operating system?
0.6.0 Dev on FreeBSD 8.1

Please provide any additional information below.
I see three ways of fixing this:
1. Allow the ability to specify a ruleset prefix in the rule_url config line.  
This would then give the user the ability to ignore based on ruleset+category 
(while fixing this at the same time).  In this example, the rule would be 
extracted as /tmp/tha_rules/<prefix>-category.rules.
2. Extract each rule tarball to a separate directory and process as usual.
3. After each tarball is extracted, process the rules therein to a temporary 
file, appending the rules.  Once all tarballs have been extracted, move this 
file to the final location as defined by rule_path.

My preference is #1 as this has the ability to give the user the most 
flexibility/control.  You could set the VRT ruleset prefix to vrt, then exclude 
vrt:dns, while still including the dns rules from the ET ruleset.

Original issue reported on code.google.com by ryanpsteinmetz on 22 Feb 2011 at 6:44

GoogleCodeExporter commented 9 years ago
I'm looking into the feasibility of this now, definitely an excellent idea!

Original comment by Cummin...@gmail.com on 11 Mar 2011 at 6:13

GoogleCodeExporter commented 9 years ago
I hacked something together to work around the issue by simply adding some logic 
into rule_extract().  It isn't very customizable, but at least works around the 
issue.  It doesn't seem to impact the categories or enable/disablesid stuff.

my $prefix = "";
$prefix = "etpro:" if ($rule_file =~ /etpro/);
...
$tar->extract_file( $filename,
                $temp_path . "/tha_rules/" . $prefix . $singlefile );

In the interim, it could be a decent stopgap.

-r

Original comment by ryanpsteinmetz on 11 Mar 2011 at 6:51
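
Fix option 1 from the report, generalizing the hard-coded `etpro:` prefix in the workaround above, as an added example that is not PulledPork's code or the change committed in revision 225: each tarball is extracted under its own prefix and an existing target is never silently overwritten. The sample tarballs, the prefix names and the `sample_tarball` and `extract_prefixed` helpers are assumptions made for the illustration.

```perl
use strict;
use warnings;
use Archive::Tar;
use File::Basename qw(basename);
use File::Path qw(make_path);
use File::Temp qw(tempdir);

# Constructed sample input: a tarball holding one rule file.
sub sample_tarball {
    my ($path, $member, $body) = @_;
    my $tar = Archive::Tar->new;
    $tar->add_data($member, $body) or die $tar->error;
    $tar->write($path) or die $tar->error;
    return $path;
}

# Extract every *.rules member of $tarball into $dest as "<prefix>-<name>".
# Refuses to overwrite, so a remaining name collision is reported, not silent.
sub extract_prefixed {
    my ($tarball, $prefix, $dest) = @_;
    my $tar = Archive::Tar->new($tarball) or die Archive::Tar->error;
    my @written;
    for my $member (grep { /\.rules$/ } $tar->list_files) {
        # basename() drops directory parts, so the target stays inside $dest
        my $target = "$dest/$prefix-" . basename($member);
        die "refusing to overwrite $target\n" if -e $target;
        $tar->extract_file($member, $target) or die $tar->error;
        push @written, basename($target);
    }
    return @written;
}

my $tmp  = tempdir(CLEANUP => 1);
my $dest = "$tmp/tha_rules";
make_path($dest);
# Hypothetical prefix => tarball pairs; both rulesets ship rules/dns.rules
my @rulesets = (
    [ vrt   => sample_tarball("$tmp/vrt.tar",   'rules/dns.rules', "# constructed VRT dns rules\n") ],
    [ etpro => sample_tarball("$tmp/etpro.tar", 'rules/dns.rules', "# constructed ETPro dns rules\n") ],
);
for my $rs (@rulesets) {
    my ($prefix, $tarball) = @$rs;
    print "$_\n" for extract_prefixed($tarball, $prefix, $dest);
}
```

With both rulesets carrying the same member name, the two files land side by side instead of the second replacing the first, and a per-ruleset category such as `vrt-dns` can then be excluded on its own.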

GoogleCodeExporter commented 9 years ago
Committed revision 225

Original comment by Cummin...@gmail.com on 28 Mar 2011 at 7:51