Re: preprocessors and thresholding broken with latest rules tarball?

[JJC <cummingsj () gmail com>]

Eoin,

Thanks for the update and followup!  I'll have a look at the bug that you
just submitted and make the apt changes.

JJC

On Fri, May 20, 2011 at 8:50 AM, Eoin Miller <
eoin.miller () trojanedbinaries com> wrote:

> On 5/20/2011 7:54 AM, carlopmart wrote:
>
> > On 05/19/2011 11:15 PM, Eoin Miller wrote:
> >
> > > So I guess there are two issues discovered here.
> > >
> > > Snort:
> > > =========================================
> > > Still generates alerts despite threshold.conf settings for preprocessors
> > > if the preproc_rules/*.rules file is loaded up inside of the
> > > snort.rules. I don't know how or why this would start happening now. Or
> > > why there are now preprocessor rules located in two locations, compiled
> > > into the code (I assume?) and also in a seperate rules file. Would this
> > > cause double alerting or something? Why did this happen?
> > >
> > >
> > > PulledPork:
> > > =========================================
> > > Does not allow you to specify the disabling of the files inside of the
> > > VRT tarball for the preproc's:
> > >    - preproc_rules/decoder.rules
> > >    - preproc_rules/preprocessor.rules
> > >    - preproc_rules/sensitive-data.rules
> > >
> > > I have tried including sensitive-data.rules inside of the ignore= line
> > > of pulledpork.conf, but the file still gets included into the
> > > snort.rules output.
> > >
> > >
> > > -- Eoin
> > >
> > >  This is the same problem that I have reported some weeks ago without
> > response:
> >
> >
> > http://groups.google.com/group/snortusers/browse_thread/thread/b7692ecee12bce77/19ae04f0ce59fc75?lnk=gst&q=Snort+decoder+alerts+are+fired+when+are+disabled+in+config+file#19ae04f0ce59fc75
> > (last message).
> >
> >  I think I may have figured out the issue with pulledpork not allowing you
> to ignore the specific files if you just supply the name of them. As it
> looks through the @ignore array, it looks for values you have supplied that
> contain .preproc inside of them. Only these values will replace .preproc
> with .rules for files located in the preproc_rules/ subdirectory of the
> extracted tarball.
>
> ---SNIP---
>        elsif ( $_ =~ /\.preproc/ ) {
>            print "\tIgnoring preprocessor rules: $_\n"
>              if ( $Verbose && !$Quiet );
>            my $preprocfile = $_;
>            $preprocfile =~ s/preproc/rules/;
>            $tar->remove("preproc_rules/$preprocfile");
>        }
> ---SNIP---
>
> So if you add the following to your ignore= list in your pulledpork.conf
> file, they *should* no longer be in your rules file (except there is a bug
> in this code, so keep reading):
> decoder.preproc,preprocessor.preproc,sensitive-data.preproc
>
> However, there is a bug in this above code that is borking everything up.
> If you just replace the string "preproc" with "rules" and one of your files
> you are trying to disable is "preprocessor.rules" and you are specifying the
> element "preprocessor.preproc" into the ignore array; then when you apply
> this search replace to the "preprocessor.preproc" then you end up with
> "rulesessor.rules" as the file name that pulledpork tries to remove. Since
> that file doesn't exist, then you end up still having all the preprocessor
> rules dumped into your snort.rules file. To fix this, update the below line
> inside of pulledpork.pl:
>
> From:
>            $preprocfile =~ s/preproc/rules/;
>
> To:
>            $preprocfile =~ s/\.preproc/\.rules/;
>
>
> This fixes the bug and allows you to keep using pulledpork.pl in a
> completely automated fashion. Still some weirdness going on here though.
> Can't figure out why this only startered happening to me after I got SO
> rules working or did VRT just start adding all of these into the tarball
> with their last release? Why does Snort's threshold.conf file get ignored if
> the preprocessor rule is in the rules file?
>
> -- Eoin
------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users