yookd / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0

drop function should not "enable" rules #147

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
example one

* emerging open-nogp rules contain the category ET-emerging-mobile_malware; within 
that category sid 2012251 is disabled by default (it's a generic 
Google Android Device HTTP Request match and probably shouldn't be dropped in 
most environments).
* dropsid.conf contains ET-emerging-mobile_malware
* running PP will uncomment all rules in category ET-emerging-mobile_malware and 
change the rule action to drop

example two

* state_order=enable,disable,drop
* enablesid.conf contains category "foo"
* disablesid.conf contains an individual sid N matching category "foo" and pcre 
"bar"
* dropsid.conf contains pcre "bar"
* running PP will uncomment sid N and change the rule action to drop

What is the expected output? What do you see instead?
The drop function should not enable/uncomment sids which are 
disabled/commented.

What version of the product are you using? On what operating system?
pulledpork-0.7.0 on Gentoo Linux

Please provide any additional information below.
Instructing PP to "drop" a rule should not modify the comment delimiter (#) but 
only change the rule action to drop. Attached patch changes this behavior, 
however it only does so on sids which are enabled/uncommented. Does it make 
sense to modify rule action on disabled/commented sids?

Instructing PP to "enable" a rule should only modify the leading comment 
delimiter (#). Perhaps there should be another sid action "alert" which changes 
the rule action to alert after you changed, for instance, a category or pcre to 
block and you wish to change a few of those sids back to alert. (I haven't run 
into a situation which needed this yet; it could add more flexibility in rule 
modifications, or maybe this isn't even a valid use case.)

Sids with rule actions of 'alert' or 'drop' are both enabled and are loaded 
into snort. When running inline there are situations when you need/want rules 
in either state.

Thanks ;)

Original issue reported on code.google.com by Epinephr...@gmail.com on 10 Nov 2013 at 5:35

Attachments:
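The rule-state semantics the report asks for, as an added Python model (not pulledpork's own Perl code): `enable`/`disable` touch only the leading `#`, while `drop` rewrites only the rule action. The `Rule`, `apply_state` and `process` names, the `pcre:` selector form, and the sample rule lines are assumptions constructed for this example; the reporter's open question about commented sids is exposed as the `drop_only_enabled` flag, and `uncomment_on_drop=True` reproduces the 0.7.0 behaviour described in the issue so the two can be compared side by side.

```python
import re
from dataclasses import dataclass

# Snort 2 style rule line: optional leading '#', then the action keyword.
RULE_RE = re.compile(
    r'^(?P<comment>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<rest>.*)$'
)
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


@dataclass
class Rule:
    category: str   # rule file / category name, as used in *sid.conf
    text: str       # the full rule line, possibly commented out

    @property
    def sid(self) -> int:
        m = SID_RE.search(self.text)
        return int(m.group(1)) if m else -1

    @property
    def enabled(self) -> bool:
        return not self.text.lstrip().startswith('#')


def matches(rule: Rule, selector) -> bool:
    """Selector forms (assumed): an int sid, a category name, or 'pcre:<regex>'."""
    if isinstance(selector, int):
        return rule.sid == selector
    if selector.startswith('pcre:'):
        return re.search(selector[len('pcre:'):], rule.text) is not None
    return rule.category == selector


def apply_state(rule: Rule, state: str, *, drop_only_enabled: bool = True,
                uncomment_on_drop: bool = False) -> Rule:
    """Apply one state change to a single rule line."""
    m = RULE_RE.match(rule.text.strip())
    if not m:
        return rule  # not a rule header we understand; leave untouched
    comment, action, rest = m.group('comment') or '', m.group('action'), m.group('rest')
    if state == 'enable':
        comment = ''            # only the comment delimiter changes
    elif state == 'disable':
        comment = '# '          # only the comment delimiter changes
    elif state == 'drop':
        if uncomment_on_drop:
            comment = ''        # 0.7.0 behaviour reported in the issue
        elif comment and drop_only_enabled:
            return rule         # reporter's patch: leave disabled sids alone
        action = 'drop'         # only the action changes
    return Rule(rule.category, f"{comment}{action} {rest}")


def process(rule: Rule, state_order, selectors, **flags) -> Rule:
    """Walk state_order; selectors maps a state to its *sid.conf entries."""
    for state in state_order:
        for sel in selectors.get(state, []):
            if matches(rule, sel):
                rule = apply_state(rule, state, **flags)
                break
    return rule


# Constructed sample for "example two" from the report: enable by category,
# disable by sid, drop by pcre, with state_order=enable,disable,drop.
EXAMPLE_TWO = Rule('foo', '# alert tcp any any -> any any (msg:"bar test"; sid:1000001; rev:1;)')
ORDER = ['enable', 'disable', 'drop']
CONF = {'enable': ['foo'], 'disable': [1000001], 'drop': ['pcre:bar']}


def example_two_patched() -> Rule:
    return process(EXAMPLE_TWO, ORDER, CONF)


def example_two_legacy() -> Rule:
    return process(EXAMPLE_TWO, ORDER, CONF, uncomment_on_drop=True)


if __name__ == '__main__':
    print('patched:', example_two_patched().text)   # stays commented out
    print('legacy: ', example_two_legacy().text)    # uncommented, action drop
```

With the flags at their defaults the disabled rule survives the `drop` pass untouched; passing `drop_only_enabled=False` instead yields `# drop ...`, i.e. the action changes but the sid stays disabled, which is the alternative the reporter asks about.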