GoogleCodeExporter
commented
8 years ago So....as I continue to look at this, I see the below:
[17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
drwxr-xr-x root/root 0 2015-02-18 05:09 rules/
-rw-r--r-- root/root 8895 2015-02-18 05:09
rules/emerging-snmp.rules
-rw-r--r-- root/root 2243 2015-02-18 05:09
rules/emerging-icmp.rules
-rw-r--r-- root/root 28088 2015-02-18 05:09
rules/emerging-user_agents.rules
-rw-r--r-- root/root 1934 2015-02-18 05:09
rules/emerging-rbn.rules
[17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
drwxr-xr-x root/root 0 2015-02-13 21:06 rules/
-rw-r--r-- root/root 414746 2015-02-13 21:06 rules/exploit.rules
-rw-r--r-- root/root 7767 2015-02-13 21:06 rules/tftp.rules
-rw-r--r-- root/root 18958 2015-02-13 21:06 rules/misc.rules
-rw-r--r-- root/root 30016 2015-02-13 21:06 rules/ETPRO-License.txt
I think this explains it.....open rules are prepended with "emerging-",
and the etpro rules are not. PP is expecting to see "emerging-" and
isn't getting it...pp CAN'T ignore emerging-policy.rules because it
doesn't exist. And specifying just policy.rules ignores both VRT and
ETPro policy.rules. I would recommend two things:
1) change the way etpro rules are delivered to prepend "etpro-" to
each .rules file
2) add the additional stanza in pp to understand that a) rules with
emerging- are open source emerging threats, b) rules with etpro- are ET
Pro rules, and c) rules with nothing are considered VRT/Community
Cisco/Sourcfire rules.
A possible other option would be to have PP preform the ignore after
extraction when all the rules are in /tmp/tha_rules/. At that point we
really could specify ET-policy.rules or VRT-policy.rules in the ignore=
line and have it match since those file exists. The caveat would be
that we might have to specify both ET-policy.rules and VRT-policy.rules
instead of just policy.rules to ignore both sets.Original comment by digital...@gmail.com on 19 Feb 2015 at 11:54
Original issue reported on code.google.com by
digital...@gmail.comon 17 Feb 2015 at 5:46