search

yookd / pulledpork

Automatically exported from code.google.com/p/pulledpork
GNU General Public License v2.0
0 stars 0 forks source link

PP fails to properly handle rules split over more than one line... #71

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
read_rules does not properly process rules that are split over more than one 
physical line.

In the case I struck it was in a 'local' rule file and the rule turned up in 
the sid_msg.map with the wrong message/sid because the sid was not on the same 
line as the msg...

I may well submit a patch since I need this fixed ;) 

while $row =~ /\\$/  --- OH blast! -- given the way that has been written it is 
not straight forward as there is no way of moving $row in the loop.

Is the file sucked into memory before processing for any special reason?

It seems to me that the easiest way to fix this is to read the file line by 
line building up $row as you go.

I'll modify my local copy to do it this way -- let me know if you want the 
patch...

R

What version of the product are you using? On what operating system?

5.0

Please provide any additional information below.

Original issue reported on code.google.com by russell....@gmail.com on 10 Mar 2011 at 11:42

GoogleCodeExporter commented 9 years ago 
This seems to work (see attachment).. you also need to remove the undef of 
@extra_rules later in the script...

Original comment by russell....@gmail.com on 11 Mar 2011 at 12:01

Attachments:

GoogleCodeExporter commented 9 years ago 
Can you provide an example sid please?

Original comment by Cummin...@gmail.com on 11 Mar 2011 at 6:12

GoogleCodeExporter commented 9 years ago 
example:

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 3389 (msg:"LOCAL MOD Unusually fast 
Terminal Server Traffic";\
flags:SA,P12; threshold: type both, track by_dst, count 5, seconds 300; 
classtype: misc-activity;\
reference:url,doc.emergingthreats.net/2011177; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Term_Ser
ver; sid:92011177; rev:1;)

Hmmm... not sure why I put this in the local rule file rather than doing a 
modify ?
sigh...

Original comment by russell....@gmail.com on 11 Mar 2011 at 7:00

GoogleCodeExporter commented 9 years ago 
Ah, I see the flaw in the exising nulti-line rule code.. I'll fix that and 
update the repo shortly!

Original comment by Cummin...@gmail.com on 22 Mar 2011 at 9:48

GoogleCodeExporter commented 9 years ago 
Committed revision 223.

Original comment by Cummin...@gmail.com on 22 Mar 2011 at 10:23