Snort mailing list archives
Re: Please fix or disable emerging-tor.rules
From: wkitty42--- via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 31 Jul 2018 11:18:30 -0400
On 07/31/2018 03:41 AM, Bernhard M. Wiedemann wrote:
Hi, I encountered severe false positives with the https://rules.emergingthreats.net/blockrules/emerging-tor.rules as described in https://lists.emergingthreats.net/pipermail/emerging-sigs/2018-July/028863.html
you'll likely have better luck if you post this to EmergingThreats on their mailing list(s)... i've cross-posted this reply there and i see that your referenced post, above, was also posted there... yes, i believe that ET splitting the TOR rules into two files, one for exit nodes and one for routers, is the best way to go...
FWIW: i ran into your problem back in 2014... at that time i worked out a small set of scripts to disable "TOR router not exit" entries... when i was working on that script, i asked then for ET to please split the two into separate files to make it easier to include one without the other... we're still patiently waiting for that to be done... the script running on our production boxen is dated 2014 Sep 1...
the output of the script is an include file for oinkmaster that is all "disablesid" entries for the "TOR router not exit" entries listed in the sid-msg.map which is regenerated every time the rules are updated...
the two scripts are below... you might need to add some chown and chmod for the tor_routers.conf output file so your snort and oinkmaster can read it...
yes, oinkmaster.conf needs to already have an include for the tor_routers.conf file...
yes, it takes a double run of oinkmaster to do this...
1. pull the rules and extract them to /tmp
2. run oinkmaster pointing to rules in /tmp
3. run make-sidmap.pl script to update sidmsg.map
4. run findtorrouters script with updated sidmsg.map
5. run oinkmaster again with updated tor_routers.conf
6. restart snort

----->8 snip findtorrouters 8<-----
# pick the SIDs of every "TOR ... (not exit)" rule out of the regenerated
# sid-msg.map and turn them into disablesid lines for oinkmaster
egrep -hi "tor .* \(not exit\)" *redacted*/snort/rules/sid-msg.map | \
  cut -d " " -f 1 | *redacted*/usr/bin/addtorrouter > \
  *redacted*/etc/tor_routers.conf
<eof>
----->8 snip 8<-----

----->8 snip addtorrouters 8<-----
#!/bin/bash
CMDRESULT=0

showusage () {
  echo "USAGE: $(basename $0) sidnumber" > /dev/stderr
  echo "  sidnumber is the SID number of the snort rule to be" > /dev/stderr
  echo "  prefixed with disablesid." > /dev/stderr
  echo "" > /dev/stderr
  echo "  eg: addtorrouter 12345678" > /dev/stderr
  echo "" > /dev/stderr
  echo "  output:" > /dev/stderr
  echo "  disablesid 12345678 # 20180731 allow tor routers" > /dev/stderr
}

getDateTime () {
  NOWD=$(date "+%F")
  NOWT=$(date "+%T")
  NOWC=$(date "+%Y%m%d")   # date stamp written into each disablesid comment
}

terminate () {
  exit $CMDRESULT
}

# the argument check is commented out because the script reads SIDs from
# stdin (one per line, as piped in by findtorrouters) rather than from $1
#if [ $# -lt 1 ]
#then
#  showusage
#  CMDRESULT=$E_NOARGS
#  terminate
#else
getDateTime
while read -r ; do echo "disablesid $REPLY # $NOWC allow tor routers" ; done
#fi
<eof>
----->8 snip 8<-----

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list unless*
*a signed and pre-paid contract is in effect with us.*
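The procedure above, as an added example that is not part of the original post or the poster's scripts: one shell script that reads a sid-msg.map, emits oinkmaster "disablesid" lines only for the "Tor ... (Not Exit)" router rules, and then checks the generated include so that no exit-node rule gets disabled by accident. The function names, the sample sid-msg.map lines and their SIDs are constructed for this example and are not real Emerging Threats rules.

```shell
#!/bin/sh
# Added example, not the original poster's scripts. Builds an oinkmaster
# disablesid include from a sid-msg.map, keeping Tor exit-node rules active
# and disabling only the "(Not Exit)" router rules. All SIDs are constructed.
set -eu

# Constructed sid-msg.map sample (format: sid || msg || reference...).
# SIDs and messages are made up for the example; they are not real ET rules.
SAMPLE_MAP=$(cat <<'EOF'
2000001 || ET TOR Known Tor Exit Node Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2000002 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1 || url,doc.emergingthreats.net/bin/view/Main/TorRules
2000003 || ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 2
2000004 || ET TOR Known Tor Exit Node Traffic group 2
2000005 || ET POLICY Unrelated rule that mentions tor in passing
EOF
)

# Print the SIDs whose message matches the "Tor ... (Not Exit)" router pattern,
# deduplicated and numerically sorted.  $1: path to a sid-msg.map file.
tor_router_sids() {
    # Field 1 of "sid || msg" is the SID; -i matches any capitalisation.
    grep -Ei '^[0-9]+ \|\| .*tor .*\(not exit\)' "$1" | cut -d ' ' -f 1 | sort -un
}

# Emit oinkmaster disablesid lines for the matched SIDs.
# $1: sid-msg.map path, $2: date stamp (YYYYMMDD) recorded in the comment.
make_tor_router_conf() {
    tor_router_sids "$1" | while read -r sid; do
        echo "disablesid $sid # $2 allow tor routers"
    done
}

# Sanity check before the include is handed to oinkmaster: every line must be
# a disablesid entry, and every disabled SID must really be a "(not exit)"
# router rule in the map, so exit-node detections stay enabled.
# $1: generated include, $2: sid-msg.map path.  Returns 0 on pass, 1 on fail.
check_conf() {
    conf="$1"; map="$2"
    grep -Evq '^disablesid [0-9]+ #' "$conf" && return 1
    while read -r _ sid _; do
        grep -Eiq "^$sid \|\| .*\(not exit\)" "$map" || return 1
    done < "$conf"
    return 0
}

# Stand-alone run over the constructed map: prints the include and the result
# of the check (constructed data, not a real rules directory).
demo() {
    map=$(mktemp); conf=$(mktemp)
    printf '%s\n' "$SAMPLE_MAP" > "$map"
    make_tor_router_conf "$map" "$(date +%Y%m%d)" > "$conf"
    cat "$conf"
    if check_conf "$conf" "$map"; then echo "check passed"; else echo "check FAILED"; fi
    rm -f "$map" "$conf"
}

demo
```

The generated file is what the oinkmaster.conf `include` line points at; running the check before the second oinkmaster pass catches a regex that drifted after an ET message change, which is the failure mode that would otherwise silently disable the exit-node rules too.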
Current thread:
- Please fix or disable emerging-tor.rules Bernhard M. Wiedemann (Jul 31)
- Re: Please fix or disable emerging-tor.rules Joel Esler (jesler) via Snort-sigs (Jul 31)
- Re: Please fix or disable emerging-tor.rules wkitty42--- via Snort-sigs (Jul 31)