[Snort-users] Etpro pulled pork question
jlay at ...13475...
Tue Mar 10 08:59:22 EDT 2015
On Wed, 2015-02-18 at 10:56 -0700, James Lay wrote:
> On 2015-02-17 02:20 PM, James Lay wrote:
> > On 2015-02-17 12:45 PM, Shirkdog wrote:
> >> Thanks, I was about to say bug it and we will take a look.
> >> ---
> >> Michael Shirk
> <<<< redacted, long story short etpro rules and pulled pork issue with
> ignore >>>
> > And the last tidbit of this is for using the open-gpl emerging
> > threats ruleset:
> > Prepping rules from emerging.rules.tar.gz for work....
> > extracting contents of /tmp/emerging.rules.tar.gz...
> > Ignoring plaintext rules: emerging-policy.rules
> > Extracted: /tha_rules/ET-emerging-snmp.rules
> > I noticed that these are extracted as ET-emerging-<ruleset
> > name>.rules whereas etpro is extracted as ET-<ruleset name>.rules.
> > I'm going to bet that has something to do with it.
> > James
> So....as I continue to look at this, I see the below:
> [17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
> drwxr-xr-x root/root 0 2015-02-18 05:09 rules/
> -rw-r--r-- root/root 8895 2015-02-18 05:09
> -rw-r--r-- root/root 2243 2015-02-18 05:09
> -rw-r--r-- root/root 28088 2015-02-18 05:09
> -rw-r--r-- root/root 1934 2015-02-18 05:09
> [17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
> drwxr-xr-x root/root 0 2015-02-13 21:06 rules/
> -rw-r--r-- root/root 414746 2015-02-13 21:06 rules/exploit.rules
> -rw-r--r-- root/root 7767 2015-02-13 21:06 rules/tftp.rules
> -rw-r--r-- root/root 18958 2015-02-13 21:06 rules/misc.rules
> -rw-r--r-- root/root 30016 2015-02-13 21:06 rules/ETPRO-License.txt
> I think this explains it.....open rules are prepended with "emerging-",
> and the etpro rules are not. PP is expecting to see "emerging-" and
> isn't getting it...pp CAN'T ignore emerging-policy.rules because it
> doesn't exist. And specifying just policy.rules ignores both VRT and
> ETPro policy.rules. I would recommend two things:
> 1) change the way etpro rules are delivered to prepend "etpro-" to
> each .rules file
> 2) add the additional stanza in pp to understand that a) rules with
> emerging- are open source emerging threats, b) rules with etpro- are ET
> Pro rules, and c) rules with nothing are considered VRT/Community
> Cisco/Sourcefire rules.
> A possible other option would be to have PP perform the ignore after
> extraction when all the rules are in /tmp/tha_rules/. At that point we
> really could specify ET-policy.rules or VRT-policy.rules in the ignore=
> line and have it match since those files exist. The caveat would be
> that we might have to specify both ET-policy.rules and VRT-policy.rules
> instead of just policy.rules to ignore both sets.
> I guess we could call this a "rules collision attack" :).
> Thanks all.
Requesting any movement on this and sending to Snort Users list as well.
Thread should say it all. Thank you.
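To make the collision concrete, here is an added example (not PulledPork's own Perl code) that models the "ignore after extraction" option from the thread: tarball members are mapped to staged names like ET-policy.rules / VRT-policy.rules, then the ignore= list is matched against those staged names. The tarball names, member lists and the tarball-to-prefix mapping are constructed sample data.

```python
# Constructed sample: rules-file members as they appear inside each tarball,
# mirroring the `tar tvf` listings in the thread (open ET = "emerging-" prefix,
# ET Pro and VRT = bare names, so both ship a "policy.rules").
SAMPLE_TARBALL_MEMBERS = {
    "emerging.rules.tar.gz": ["rules/emerging-policy.rules", "rules/emerging-snmp.rules"],
    "etpro.rules.tar.gz": ["rules/policy.rules", "rules/exploit.rules", "rules/ETPRO-License.txt"],
    "snortrules-snapshot.tar.gz": ["rules/policy.rules", "rules/exploit.rules"],
}

# Assumed mapping of tarball -> staging prefix (the thread shows both ET feeds
# landing as ET-<name>.rules and the Cisco/VRT feed as VRT-<name>.rules).
TARBALL_SOURCE = {
    "emerging.rules.tar.gz": "ET",
    "etpro.rules.tar.gz": "ET",
    "snortrules-snapshot.tar.gz": "VRT",
}

def classify_by_prefix(name):
    """Recommendation 2 from the thread: decide the feed from the file name alone.
    'emerging-' = ET open, 'etpro-' = ET Pro (proposed), no prefix = VRT/Community."""
    if name.startswith("emerging-"):
        return "ET"
    if name.startswith("etpro-"):
        return "ETPRO"
    return "VRT"

def extract_names(members_by_tarball, tarball_source=TARBALL_SOURCE):
    """Model the extraction step: rules/foo.rules from tarball X is staged as
    <prefix>-foo.rules, as in the 'Extracted: /tha_rules/ET-...' lines."""
    staged = []
    for tarball, members in members_by_tarball.items():
        prefix = tarball_source[tarball]
        for member in members:
            name = member.rsplit("/", 1)[-1]
            if name.endswith(".rules"):  # skip licence text and other non-rule files
                staged.append(f"{prefix}-{name}")
    return staged

def apply_ignore(staged, ignore):
    """Apply ignore= entries to staged names. A bare entry such as 'policy.rules'
    matches every feed's copy (the collision James describes); a prefixed entry
    such as 'ET-policy.rules' matches exactly one staged file."""
    kept, dropped = [], []
    for fname in staged:
        _source, _, base = fname.partition("-")  # "ET-emerging-policy.rules" -> base "emerging-policy.rules"
        (dropped if fname in ignore or base in ignore else kept).append(fname)
    return kept, dropped
```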