yookd / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0
0 stars 0 forks source link

Unable to ignore ET Pro rulesets #169

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Made the switch from et open to et pro.  Using PP7.0, command line is here:

/opt/bin/pulledpork.pl -v -l -P -c /opt/etc/snort/pp.conf

ignore=emerging-policy.rules doesn't work

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: emerging-policy.rules
        Extracted: /tha_rules/ET-policy.rules

grep 2012889  ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body 
contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; 
http_client_body; classtype:policy-violation; sid:2012889; rev:2;)

ignore=ET-policy.rules doesn't work:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: ET-policy.rules
        Extracted: /tha_rules/ET-policy.rules

grep 2012889  ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body 
contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; 
http_client_body; classtype:policy-violation; sid:2012889; rev:2;)

ignore=et-policy doesn't work:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: et-policy.rules
        Extracted: /tha_rules/ET-policy.rules

grep 2012889  ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body 
contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; 
http_client_body; classtype:policy-violation; sid:2012889; rev:2;)

ignore=policy.rules does:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: policy.rules

grep 2012889  ~/snort/rules/rules.rules

This however nukes the VRT-policy.rules:

Prepping rules from snortrules-snapshot-2970.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2970.tar.gz...
        Ignoring plaintext rules: policy.rules

How does one manage to do this with PP?  Thank you.

Original issue reported on code.google.com by digital...@gmail.com on 17 Feb 2015 at 5:46

GoogleCodeExporter commented 9 years ago
So....as I continue to look at this, I see the below:

[17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
drwxr-xr-x root/root         0 2015-02-18 05:09 rules/
-rw-r--r-- root/root      8895 2015-02-18 05:09 
rules/emerging-snmp.rules
-rw-r--r-- root/root      2243 2015-02-18 05:09 
rules/emerging-icmp.rules
-rw-r--r-- root/root     28088 2015-02-18 05:09 
rules/emerging-user_agents.rules
-rw-r--r-- root/root      1934 2015-02-18 05:09 
rules/emerging-rbn.rules
[17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
drwxr-xr-x root/root         0 2015-02-13 21:06 rules/
-rw-r--r-- root/root    414746 2015-02-13 21:06 rules/exploit.rules
-rw-r--r-- root/root      7767 2015-02-13 21:06 rules/tftp.rules
-rw-r--r-- root/root     18958 2015-02-13 21:06 rules/misc.rules
-rw-r--r-- root/root     30016 2015-02-13 21:06 rules/ETPRO-License.txt

I think this explains it.....open rules are prepended with "emerging-", 
and the etpro rules are not.  PP is expecting to see "emerging-" and 
isn't getting it...pp CAN'T ignore emerging-policy.rules because it 
doesn't exist.  And specifying just policy.rules ignores both VRT and 
ETPro policy.rules.  I would recommend two things:

1)  change the way etpro rules are delivered to prepend "etpro-" to 
each .rules file
2)  add the additional stanza in pp to understand that a) rules with 
emerging- are open source emerging threats, b) rules with etpro- are ET 
Pro rules, and c) rules with nothing are considered VRT/Community 
Cisco/Sourcfire rules.

A possible other option would be to have PP preform the ignore after 
extraction when all the rules are in /tmp/tha_rules/.  At that point we 
really could specify ET-policy.rules or VRT-policy.rules in the ignore= 
line and have it match since those file exists.  The caveat would be 
that we might have to specify both ET-policy.rules and VRT-policy.rules 
instead of just policy.rules to ignore both sets.

Original comment by digital...@gmail.com on 19 Feb 2015 at 11:54

GoogleCodeExporter commented 9 years ago
Any movement on this at all?  I am unable to put the rules that I've purchased 
into play until this is resolved.  Thank you.

Original comment by digital...@gmail.com on 4 Mar 2015 at 7:33

GoogleCodeExporter commented 9 years ago
I'll handle this one.

Original comment by shirk...@gmail.com on 10 Mar 2015 at 10:06