Snort mailing list archives

Re: preprocessors and thresholding broken with latest rules tarball?


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 20 May 2011 11:45:20 -0400

Eoin,

The rules have been in there ever since we added the preprocessor rule functionality into Snort.

Joel

On May 20, 2011, at 10:50 AM, Eoin Miller wrote:

On 5/20/2011 7:54 AM, carlopmart wrote:
On 05/19/2011 11:15 PM, Eoin Miller wrote:
So I guess there are two issues discovered here.

Snort:
=========================================
Still generates alerts despite threshold.conf settings for preprocessors
if the preproc_rules/*.rules file is loaded up inside of the
snort.rules. I don't know how or why this would start happening now. Or
why there are now preprocessor rules located in two locations, compiled
into the code (I assume?) and also in a separate rules file. Would this
cause double alerting or something? Why did this happen?


PulledPork:
=========================================
Does not allow you to specify the disabling of the files inside of the
VRT tarball for the preproc's:
   - preproc_rules/decoder.rules
   - preproc_rules/preprocessor.rules
   - preproc_rules/sensitive-data.rules

I have tried including sensitive-data.rules inside of the ignore= line
of pulledpork.conf, but the file still gets included into the
snort.rules output.


-- Eoin

This is the same problem that I reported some weeks ago without
response:

http://groups.google.com/group/snortusers/browse_thread/thread/b7692ecee12bce77/19ae04f0ce59fc75?lnk=gst&q=Snort+decoder+alerts+are+fired+when+are+disabled+in+config+file#19ae04f0ce59fc75
(last message).

I think I may have figured out the issue with pulledpork not allowing 
you to ignore the specific files if you just supply the name of them. As 
it looks through the @ignore array, it looks for values you have 
supplied that contain .preproc inside of them. Only these values will 
replace .preproc with .rules for files located in the preproc_rules/ 
subdirectory of the extracted tarball.

---SNIP---
        elsif ( $_ =~ /\.preproc/ ) {
            print "\tIgnoring preprocessor rules: $_\n"
              if ( $Verbose && !$Quiet );
            my $preprocfile = $_;
            $preprocfile =~ s/preproc/rules/;
            $tar->remove("preproc_rules/$preprocfile");
        }
---SNIP---

So if you add the following to your ignore= list in your pulledpork.conf 
file, they *should* no longer be in your rules file (except there is a 
bug in this code, so keep reading):
decoder.preproc,preprocessor.preproc,sensitive-data.preproc

However, there is a bug in this above code that is borking everything 
up. If you just replace the string "preproc" with "rules" and one of 
your files you are trying to disable is "preprocessor.rules" and you are 
specifying the element "preprocessor.preproc" into the ignore array; 
then when you apply this search replace to the "preprocessor.preproc" 
then you end up with "rulesessor.rules" as the file name that pulledpork 
tries to remove. Since that file doesn't exist, then you end up still 
having all the preprocessor rules dumped into your snort.rules file. To 
fix this, update the below line inside of pulledpork.pl:

From:
            $preprocfile =~ s/preproc/rules/;

To:
            $preprocfile =~ s/\.preproc/\.rules/;


This fixes the bug and allows you to keep using pulledpork.pl in a 
completely automated fashion. Still some weirdness going on here though. 
Can't figure out why this only started happening to me after I got SO 
rules working or did VRT just start adding all of these into the tarball 
with their last release? Why does Snort's threshold.conf file get 
ignored if the preprocessor rule is in the rules file?

-- Eoin

------------------------------------------------------------------------------
What Every C/C++ and Fortran developer Should Know!
Read this article and learn how Intel has extended the reach of its 
next-generation tools to help Windows* and Linux* C/C++ and Fortran 
developers boost performance applications - including clusters. 
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


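The substitution bug Eoin describes, reproduced as an added example (not code from pulledpork.pl): each suggested ignore= entry is mapped to a tarball path with the original `s/preproc/rules/` and with the anchored fix, and checked against a constructed list of the three preproc_rules/ files.

```perl
#!/usr/bin/perl
# Added example: compare the original pulledpork.pl substitution with the
# fixed one on the ignore= entries from the thread. The tarball file list
# below is constructed for the demonstration, not read from a real tarball.
use strict;
use warnings;

# The three ignore= entries proposed for the VRT preproc_rules/ files.
my @ignore = qw(decoder.preproc preprocessor.preproc sensitive-data.preproc);

# Original behaviour: replace the FIRST "preproc" anywhere in the name,
# so "preprocessor.preproc" becomes "rulesessor.rules".
sub buggy_map {
    my ($name) = @_;
    (my $f = $name) =~ s/preproc/rules/;
    return "preproc_rules/$f";
}

# Eoin's fix: only the literal ".preproc" extension is rewritten.
sub fixed_map {
    my ($name) = @_;
    (my $f = $name) =~ s/\.preproc/\.rules/;
    return "preproc_rules/$f";
}

# Constructed stand-in for the files present in the extracted tarball.
my %in_tarball = map { $_ => 1 } qw(
    preproc_rules/decoder.rules
    preproc_rules/preprocessor.rules
    preproc_rules/sensitive-data.rules
);

for my $entry (@ignore) {
    for my $pair ( [ buggy => \&buggy_map ], [ fixed => \&fixed_map ] ) {
        my ( $label, $fn ) = @$pair;
        my $path = $fn->($entry);
        # A path that does not exist is silently skipped by $tar->remove,
        # so the rules end up in snort.rules anyway.
        my $status = $in_tarball{$path} ? "removed" : "NOT FOUND, stays in snort.rules";
        printf "%-5s %-22s -> %-36s %s\n", $label, $entry, $path, $status;
    }
}
```

Only the "preprocessor.preproc" entry differs between the two mappings, which is why just that one rules file kept leaking into snort.rules.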