[Snort-users] Etpro pulled pork question

James Lay jlay at ...13475...
Tue Mar 10 08:59:22 EDT 2015


On Wed, 2015-02-18 at 10:56 -0700, James Lay wrote:

> On 2015-02-17 02:20 PM, James Lay wrote:
> > On 2015-02-17 12:45 PM, Shirkdog wrote:
> >> Thanks, I was about to say bug it and we will take a look.
> >>
> >> ---
> >> Michael Shirk
> 
> <<<< redacted, long story short etpro rules and pulled pork issue with 
> ignore >>>
> 
> > And the last tidbit of this is for using the open-gpl emerging
> > threats ruleset:
> >
> > Prepping rules from emerging.rules.tar.gz for work....
> >         extracting contents of /tmp/emerging.rules.tar.gz...
> >         Ignoring plaintext rules: emerging-policy.rules
> >         Extracted: /tha_rules/ET-emerging-snmp.rules
> >
> > I noticed that these are extracted as ET-emerging-<ruleset
> > name>.rules whereas etpro is extracted as ET-<ruleset name>.rules.
> > I'm going to bet that has something to do with it.
> >
> > James
> 
> So....as I continue to look at this, I see the below:
> 
> [17:24:16 idsdev:/tmp$] tar tvf emerging.rules.tar.gz | head -n 5
> drwxr-xr-x root/root         0 2015-02-18 05:09 rules/
> -rw-r--r-- root/root      8895 2015-02-18 05:09 rules/emerging-snmp.rules
> -rw-r--r-- root/root      2243 2015-02-18 05:09 rules/emerging-icmp.rules
> -rw-r--r-- root/root     28088 2015-02-18 05:09 rules/emerging-user_agents.rules
> -rw-r--r-- root/root      1934 2015-02-18 05:09 rules/emerging-rbn.rules
> [17:27:59 idsdev:/tmp$] tar tvf etpro.rules.tar.gz | head -n 5
> drwxr-xr-x root/root         0 2015-02-13 21:06 rules/
> -rw-r--r-- root/root    414746 2015-02-13 21:06 rules/exploit.rules
> -rw-r--r-- root/root      7767 2015-02-13 21:06 rules/tftp.rules
> -rw-r--r-- root/root     18958 2015-02-13 21:06 rules/misc.rules
> -rw-r--r-- root/root     30016 2015-02-13 21:06 rules/ETPRO-License.txt
> 
> I think this explains it.....open rules are prepended with "emerging-", 
> and the etpro rules are not.  PP is expecting to see "emerging-" and 
> isn't getting it...pp CAN'T ignore emerging-policy.rules because it 
> doesn't exist.  And specifying just policy.rules ignores both VRT and 
> ETPro policy.rules.  I would recommend two things:
> 
> 1)  change the way etpro rules are delivered to prepend "etpro-" to 
> each .rules file
> 2)  add the additional stanza in pp to understand that a) rules with 
> emerging- are open source emerging threats, b) rules with etpro- are ET 
> Pro rules, and c) rules with nothing are considered VRT/Community 
> Cisco/Sourcefire rules.
> 
> A possible other option would be to have PP perform the ignore after 
> extraction when all the rules are in /tmp/tha_rules/.  At that point we 
> really could specify ET-policy.rules or VRT-policy.rules in the ignore= 
> line and have it match since those files exist.  The caveat would be 
> that we might have to specify both ET-policy.rules and VRT-policy.rules 
> instead of just policy.rules to ignore both sets.
> 
> I guess we could call this a "rules collision attack" :).
> 
> Thanks all.
> 
> James
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...15591...
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net


Requesting any movement on this and sending to Snort Users list as well.
Thread should say it all.  Thank you.

James
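The naming collision James walks through above, reproduced as an added example (this is not PulledPork's or Emerging Threats' code). The three tarballs are constructed in memory to mirror the `tar tvf` listings quoted in the thread; the VRT member list and the ET-/VRT- extraction prefixes are assumptions drawn from the thread's description, and the matching functions are a simplified model of the behaviour described, not PulledPork's actual implementation. It shows why `ignore=emerging-policy.rules` never matches anything in the ETPro tarball, why a bare `policy.rules` drops both the VRT and ETPro copies, and how matching on the prefixed post-extraction names would separate the two feeds.

```python
"""Model of the PulledPork "ignore=" name collision described in the thread.

Added example, not PulledPork's or Emerging Threats' code.  Tarball
layouts are constructed in memory from the listings quoted above; the VRT
member list and the ET-/VRT- prefixes are assumptions, and the matching
functions are a simplified model rather than PulledPork's real code.
"""
import io
import tarfile

# Constructed member lists (paths as they appear inside each feed's tarball).
OPEN_ET_MEMBERS = ["rules/emerging-snmp.rules", "rules/emerging-policy.rules",
                   "rules/emerging-icmp.rules"]
ETPRO_MEMBERS = ["rules/exploit.rules", "rules/policy.rules", "rules/tftp.rules",
                 "rules/ETPRO-License.txt"]
VRT_MEMBERS = ["rules/policy.rules", "rules/exploit.rules", "rules/icmp.rules"]  # assumed


def build_tarball(members):
    """Build a .tar.gz in memory whose members are placeholder rule files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in members:
            data = ("# constructed placeholder for %s\n" % path).encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


OPEN_ET_TGZ = build_tarball(OPEN_ET_MEMBERS)   # emerging.rules.tar.gz
ETPRO_TGZ = build_tarball(ETPRO_MEMBERS)       # etpro.rules.tar.gz
VRT_TGZ = build_tarball(VRT_MEMBERS)           # VRT snapshot (layout assumed)

# Prefix each feed gets when extracted into tha_rules/ (as described in the thread).
FEEDS = [("ET-", OPEN_ET_TGZ), ("ET-", ETPRO_TGZ), ("VRT-", VRT_TGZ)]


def rule_basenames(tar_bytes):
    """Basenames of the *.rules members in a tarball, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        return [m.name.rsplit("/", 1)[-1] for m in tar.getmembers()
                if m.isfile() and m.name.endswith(".rules")]


def ignore_before_extract(tar_bytes, ignore):
    """Model of the current behaviour: ignore= is matched against the
    basename inside the tarball, before any ET-/VRT- prefix exists.
    Returns (kept, skipped)."""
    ignored = set(ignore.split(","))
    names = rule_basenames(tar_bytes)
    return ([n for n in names if n not in ignored],
            [n for n in names if n in ignored])


def find_collisions(feeds):
    """Basenames shared by more than one feed: a bare name in ignore= would
    drop these from every feed that carries them."""
    seen = {}
    for _prefix, tar_bytes in feeds:
        for name in rule_basenames(tar_bytes):
            seen[name] = seen.get(name, 0) + 1
    return sorted(n for n, count in seen.items() if count > 1)


def extracted_names(feeds):
    """Filenames as they would land in tha_rules/ once the prefix is applied."""
    return [prefix + name for prefix, tar_bytes in feeds
            for name in rule_basenames(tar_bytes)]


def ignore_after_extract(feeds, ignore):
    """Model of the proposed alternative: apply ignore= to the prefixed names.
    Returns (kept, skipped)."""
    ignored = set(ignore.split(","))
    names = extracted_names(feeds)
    return ([n for n in names if n not in ignored],
            [n for n in names if n in ignored])


if __name__ == "__main__":
    print("collisions across feeds:", find_collisions(FEEDS))
    for ign in ("emerging-policy.rules", "policy.rules"):
        print("ignore=%s drops from ETPro: %s" % (ign, ignore_before_extract(ETPRO_TGZ, ign)[1]))
        print("ignore=%s drops from VRT:   %s" % (ign, ignore_before_extract(VRT_TGZ, ign)[1]))
    print("post-extraction ignore=ET-policy.rules drops:",
          ignore_after_extract(FEEDS, "ET-policy.rules")[1])
```

Running the module prints the cross-feed collisions (`exploit.rules` and `policy.rules` under the assumed VRT layout), shows that `emerging-policy.rules` drops nothing from the ETPro tarball while `policy.rules` drops it from both ETPro and VRT, and shows that with post-extraction matching `ET-policy.rules` touches only the ETPro copy, which also illustrates the caveat that both prefixed names must then be listed to ignore both sets.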