Comments (20)
I think that adding an include option adds undue complexity... This is how I
see it, and maybe I'm way off base here ;-). Adding a category
(filename).rules to the ignore list is the same as commenting out in
snort.conf.. whereas not adding it is the same as including the rules file in
the snort.conf. Adding an include option would allow for users to add
contradicting entries etc etc.
As to the second option, (the etc foo) that's certainly a doable item and one
that will be added in the future.. as such I will leave this open as a low
priority enhancement request.
JJC
Original comment by [email protected]
on 4 Nov 2010 at 9:48
- Changed state: Accepted
- Added labels: Priority-Low, Type-Enhancement
- Removed labels: Priority-Medium, Type-Defect
from pulledpork.
I'd like to add a +1 vote for an rule file include feature. I tried making the
jump from oinkmaster to PP this past weekend and the default include-all /
exclude-some filter methodology for rule management really didn't work for me.
I like to selectively enable filters in order to keep false-positives low,
alert volume manageable, and not create duplicate alerts for activities that I
know other security policy enforcement devices will handle. Enumerating a
comprehensive exclude list crossed my threshold for pain, and I ultimately
threw the oinkmaster setup back in place. I would not want to have to repeat
that enumeration process each time a new rules file was deployed, nor would I
want to deal with alerts generated before I had the opportunity to adjust the
exclude list.
Original comment by [email protected]
on 19 Nov 2010 at 9:05
from pulledpork.
Tony,
Can you provide an example use-case for me, I'm not exactly sure what you were
trying to do with PP that oinkmaster did in a better way.
If you only ever want certain categories enabled you can simply do the
following right now:
1. Adjust the order of state change operations to drop,disable,enable (or
similar, just so that disable is before enable).
2. Disable all rules using a pcre:.
3. Selectively enable the categories that you want.
This would be 1 modification line for the state order, one line for the pcre in the disablesid.conf and then a line per category that you want to enable in the enablsid.conf.
Original comment by [email protected]
on 6 Jan 2011 at 10:28
from pulledpork.
Unfortunately this is *not* equivalent because this will turn on rules that are
disabled by default. There are quite a lot of these as I am sure you are aware.
Or am I missing something (I'd be delighted to find I am deluded, again ;).
My reading of the code was that once you had used a pcre to disable all rules
then there was nothing to distinguish a rule that was shipped disabled and one
that was disabled by PP.
From memory PP disables a rule by putting a hash at the start so there is no
means of distinguishing it from a rule that was commented out to start with.
BTW I have now been using my patched PP in production for about a month and I
am very pleased with PP :)
Original comment by [email protected]
on 7 Jan 2011 at 1:10
from pulledpork.
Ok, I see where you are going here...
Original comment by [email protected]
on 7 Jan 2011 at 3:18
from pulledpork.
Yes, use case is exactly what Russell pointed out. To use PP as-is I would
either need to use Russell's patches (and I hate dealing with local
modifications through upgrades), or write some sort of wrapper that keeps track
of which rules are disabled by default and re-disables them after enabling a
category through PP.
Original comment by [email protected]
on 8 Jan 2011 at 8:20
from pulledpork.
[deleted comment]
from pulledpork.
I am looking at adding an "include" option.. this would be disabled by default
and in the "optional" section of the master config.. the obvious risks here are
that new rules categories would have to be manually added, or someone new to
snort uncomments the line and screws themselves etc etc....
Original comment by [email protected]
on 24 Jan 2011 at 6:21
from pulledpork.
I like the way things currently work (I think that using an include file adds
unnecessary complexity and circumvents pulledpork's rule-modification logic),
although to achieve the behavior Russell and I are looking for (disable
everything, then only enable what I want)... It seems like the easy fix would
be to differentiate between rules that are disabled upstream vs. rules that are
disabled in the pulledpork config. Perhaps instead of just adding a simple '#'
in front of the rules in the "disabled" pass it could be changed to '# disabled
upstream #' and '# disabled by pulledpork #'? I've been debating creating a
patch to do this, but I've been rather busy and was hoping there'd be something
available from the main distribution that would accomplish this. If that's not
possible I'll work on cobbling together a patch. (comment edited - my
previously-mentioned workaround doesn't work, so I'll create a patch... I still
prefer my idea over "include" option because if I understand the intent of that
method correctly it would circumvent the current enable/disable functionality
for rules files that were "included" - which I don't like)
Original comment by [email protected]
on 24 Jan 2011 at 6:47
from pulledpork.
I am not fussed how it is done. It is actually trivial to make PP leave
disabled rules disabled -- single character patch iirc. The enable code is
something like s/^#+// remove the '+' and this will remove the # inserted by
the disable but not ones in the original rule. This has the disadvantage
that any original rule with more that a single # will never get enabled (I'm
not sure if this is much of a problem in practice but certainly could lead to
unexpected behavior -- something to be avoided).
To do this properly you need a re-enable command as distinct from enable which
just removes what ever pattern disable puts in while enable behaves the same.
Which ever method is used putting it in some optional part so it does not
confuse users is a good idea. It is only professionals who fiddle with
rulesets to this extent and so keeping it out of ordinary users hair is all to
the good.
Another thought would be to have a command line flag the set expert mode that
exposed this functionality...
Original comment by [email protected]
on 24 Jan 2011 at 7:53
from pulledpork.
I can modify the internal data structure so that PP knows what the "default"
shipped method was, but now I'm confused again.. explain again what the
ultimate desired result is here.. I just re-read all of the postings and I can
now not re-wrap my head around the issue lol
Original comment by [email protected]
on 24 Jan 2011 at 8:16
from pulledpork.
ok, just re-read the original issue #35.. gonna merge these.. but is this what
you want to do.. as an example use-case
enable only certain rules categories but only in their default state?..
so maybe in disablesid have it disable everything.. and in enablesid you will
enable by category.. but have a flag that sets the rules (in that category)
back to their ORIGINAL state?
Original comment by [email protected]
on 24 Jan 2011 at 8:20
from pulledpork.
The risk here is a potential to increase runtime dramatically, as the rulestate
itself needs to be checked and recorded within the data structure.. as of now
the data is simply read and stuck into a data structure.. no actual testing /
checking of it.
Original comment by [email protected]
on 24 Jan 2011 at 8:26
from pulledpork.
I think that this will do what you need...
I am now reading the default state of the rules into a new area of the data
structure. if the -R (return state) flag is set.. then the categories
specified in the enablesid.conf will return to their original state.. ALL other
functions stay the same.. so if you specify a category in the disablesid.conf
it will disable all of those rules regardless of -R flag state, unless of
course you process the enablesid.conf last.. make sense, I hope so!
Original comment by [email protected]
on 24 Jan 2011 at 8:49
from pulledpork.
The runtime issue is one of the reasons I like working at the file level -- up
front. You only have to process the files you want.
I have just thought of another reason why the disable all then enable
categories won't work.
What Tony and I are trying to do is have just certain rule categories enabled
but we don't want the rules that were shipped disabled.
We also (well I do and i'm 99% Tony will too ;) want to be able to disable
individual rules that are giving FPs with in the category. This is impossible
using the disable/enable strategy.
EXample:
I have a sensor on our dmz inside the firewall that runs just some spyware
rules, p2p rules and local rules looking for machines contacting bot
controllers. From my sensor config:
rule_cateories =>
['emerging-p2p','p2p','spyware-put','emerging-malware','emerging-user_agents'],
rule_files => ['botnet.rules','local.rules']
The rule categories line specify which categories I want PP to handle.
For these rule sets I want the rules shipped disabled to stay disabled -- and I
also disable some other rules:
[rful011@secpupprd01 ~]$ wc -l ~sensors/Sensors/masters/dmzi/pp/disabled.conf
49 /home/sensors/Sensors/masters/dmzi/pp/disabled.conf
so I think that by far the simplest way of doing this is to handle the rule
files up front.
Russell
Original comment by [email protected]
on 24 Jan 2011 at 8:49
from pulledpork.
I think that what I just did will work for you.. here is the example...
you disable everything using the disablesid.conf range or pcre etc...
you enable only your categories that you want on that sensor..
rule_cateories =>
['emerging-p2p','p2p','spyware-put','emerging-malware','emerging-user_agents'],
rule_files => ['botnet.rules','local.rules']
when you run PP, you change the order of the functions to disable,enable,drop
(just as long as disable is before enable) and you add the new -R flag....
This will disable EVERYTHING but set the rules to the state that they were in
the ORIGINAL tarball.
Original comment by [email protected]
on 24 Jan 2011 at 9:10
from pulledpork.
eh, the rules specified in the enablesid.conf that is
Original comment by [email protected]
on 24 Jan 2011 at 9:11
from pulledpork.
Committed SVN rev 202
Original comment by [email protected]
on 24 Jan 2011 at 9:24
- Changed state: Fixed
from pulledpork.
Ummm... how do we then disable rules within those categories?
Russell
Original comment by [email protected]
on 24 Jan 2011 at 9:50
from pulledpork.
I'm going to play with this and see if it meets my needs... I'm still too early
in my deployment to have false-positives to tune out yet, but I'm thinking (to
Russell's point) that it might be possible to use the "ignore" option to filter
out the categories we don't want at all, then enable/disable from what's left
and add the -R option to disable the rules that came disabled from upstream...
hopefully it works that way, I'll let you know if that doesn't.
Original comment by [email protected]
on 24 Jan 2011 at 10:08
from pulledpork.
Related Issues (20)
- Unable to pull down emergingthreatspro rules list HOT 8
- Unable to download Suricata rules HOT 2
- Version 8 - Error: does not exist, please create this directory HOT 15
- Barnyard2 hangs on the sid file created with pulledpork using: sid_msg_version=2 HOT 3
- snort.rules not created HOT 4
- Windows path issue when running pulledpork
- Modifysid doesn't modify rules HOT 5
- 422 Unprocessable Entity HOT 6
- ERROR: can't set --dump-dynamic-rules /tmp/tha_rules/so_rules/ and no rules are being imported. HOT 10
- Unknown regexp modifier HOT 5
- Unable to process shared object rules for a previous version of snort3 HOT 2
- Snort3 - 422 Unprocessable Entity when trying to download rules HOT 3
- An error occurred: ERROR: /etc/snort//etc/snort/rules/app-detect.rules(0) Unable to open rules file "/etc/snort//etc/snort/rules/app-detect.rules": No such file or directory. HOT 1
- This is happening in Windows with latest release
- a lots of errors HOT 1
- Issuing reputation socket reload command - (Error) ?
- few of rules downloaded HOT 3
- IP Blocklists are not processed when -n flag is set
- Dolibarr v17.02 - Receipt Printer Issue HOT 2
- 422 Unprocessable Entity [ 422 ], Using the oinkcode provided by snort?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pulledpork.