Snort mailing list archives

Re: Please fix or disable emerging-tor.rules


From: wkitty42--- via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 31 Jul 2018 11:18:30 -0400

On 07/31/2018 03:41 AM, Bernhard M. Wiedemann wrote:
Hi,

I encountered severe false positives with the
https://rules.emergingthreats.net/blockrules/emerging-tor.rules
as described in
https://lists.emergingthreats.net/pipermail/emerging-sigs/2018-July/028863.html


you'll likely have better luck if you post this to EmergingThreats on their mailing list(s)... i've cross-posted this reply there and i see that your referenced post, above, was also posted there... yes, i believe that ET splitting the TOR rules into two files, one for exit nodes and one for routers, is the best way to go...


FWIW: i ran into your problem back in 2014... at that time i worked out a small set of scripts to disable "TOR router not exit" entries... when i was working on that script, i asked then for ET to please split the two into separate files to make it easier to include one without the other... we're still patiently waiting for that to be done... the script running on our production boxen is dated 2014 Sep 1...

the output of the script is an include file for oinkmaster that is all "disablesid" entries for the "TOR router not exit" entries listed in the sid-msg.map which is regenerated every time the rules are updated...

the two scripts are below... you might need to add some chown and chmod for the tor_routers.conf output file so your snort and oinkmaster can read it...

yes, oinkmaster.conf needs to already have an include for the tor_routers.conf file...
yes, it takes a double run of oinkmaster to do this...

  1. pull the rules and extract them to /tmp
  2. run oinkmaster pointing to rules in /tmp
  3. run make-sidmap.pl script to update sidmsg.map
  4. run findtorrouters script with updated sidmsg.map
  5. run oinkmaster again with updated tor_routers.conf
  6. restart snort


----->8 snip findtorrouters 8<-----
egrep -hi "tor .* \(not exit\)" *redacted*/snort/rules/sid-msg.map | \
  cut -d " " -f 1 | *redacted*/usr/bin/addtorrouter > \
  *redacted*/etc/tor_routers.conf
<eof>
----->8 snip 8<-----



----->8 snip addtorrouters 8<-----
#!/bin/bash
# addtorrouter: read Snort SIDs (one per line) on stdin and print an
# oinkmaster "disablesid" line for each, tagged with today's date.
CMDRESULT=0

showusage () {
  echo "USAGE: $(basename "$0") sidnumber" >&2
  echo "  sidnumber is the SID number of the snort rule to be" >&2
  echo "  prefixed with disablesid." >&2
  echo "" >&2
  echo "  eg: addtorrouter 12345678" >&2
  echo "" >&2
  echo "  output:" >&2
  echo "    disablesid 12345678 # 20180731 allow tor routers" >&2
}

getDateTime () {
  NOWD=$(date "+%F")      # YYYY-MM-DD (not used below)
  NOWT=$(date "+%T")      # HH:MM:SS (not used below)
  NOWC=$(date "+%Y%m%d")  # compact stamp written into the disablesid comment
}

terminate () {
  exit $CMDRESULT
}

# The argument check is commented out on purpose: the SIDs arrive on stdin
# (piped from findtorrouters), not as a command-line argument.
#if [ $# -lt 1 ]
#then
#  showusage
#  CMDRESULT=$E_NOARGS
#  terminate
#else
  getDateTime
  # -r keeps any backslash in the input literal; one disablesid line per SID.
  while read -r REPLY ;
  do echo "disablesid $REPLY # $NOWC allow tor routers" ;
  done
#fi
<eof>
----->8 snip 8<-----



--
 NOTE: No off-list assistance is given without prior approval.
       *Please keep mailing list traffic on the list unless*
       *a signed and pre-paid contract is in effect with us.*
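As an added example, not part of this post and not the poster's scripts: the findtorrouters/addtorrouter pipeline (steps 3 to 4 above) rebuilt as one self-contained POSIX sh function, run against a constructed sid-msg.map so it can be tried offline. The rule message texts in the sample map approximate ET's Tor rule naming and are an assumption; the function name, the numeric-SID check and the optional date argument are additions for illustration.

```shell
#!/bin/sh
# Added example (not the poster's code): read a sid-msg.map and emit one
# oinkmaster "disablesid" line per "TOR ... (not exit)" rule, leaving the
# exit-node rules enabled.  The map below is constructed; the msg strings
# are an approximation of ET's naming, not copied from the real file.

SAMPLE_SIDMAP="$(mktemp)"
trap 'rm -f "$SAMPLE_SIDMAP"' EXIT
cat > "$SAMPLE_SIDMAP" <<'EOF'
2520000 || ET TOR Known Tor Exit Node Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2520001 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2520002 || ET TOR Known Tor Exit Node Traffic group 2 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2520003 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2 || url,doc.emergingthreats.net/bin/view/Main/TorRules
1000001 || LOCAL TEST unrelated rule that must stay enabled
EOF

# tor_router_disables SIDMAP [DATESTAMP]
#   Same regex as the post's findtorrouters, same output format as
#   addtorrouter.  DATESTAMP defaults to today; pass one explicitly when
#   you want runs to be diffable or reproducible.
tor_router_disables() {
  sidmap="$1"
  stamp="${2:-$(date +%Y%m%d)}"
  grep -Ehi 'tor .* \(not exit\)' "$sidmap" |
    cut -d ' ' -f 1 |
    while IFS= read -r sid; do
      # Accept only all-digit SIDs so a malformed map line cannot land
      # arbitrary text in the oinkmaster include file.
      case "$sid" in
        *[!0-9]*|'') printf 'skipping malformed sid: %s\n' "$sid" >&2 ;;
        *) printf 'disablesid %s # %s allow tor routers\n' "$sid" "$stamp" ;;
      esac
    done
}

# Stand-alone use: write the include file that oinkmaster.conf already
# references (the poster's tor_routers.conf), then re-run oinkmaster.
tor_router_disables "$SAMPLE_SIDMAP"
```

Pointing it at the real sid-msg.map and redirecting to tor_routers.conf reproduces the poster's step 4; the exit-node SIDs (2520000 and 2520002 in the sample) never appear in the output, which is the whole point of splitting the two.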
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
