Unable to load a base ruleset unless it's a fresh download


Ricky Huang

Mar 14, 2013, 7:24:52 PM
to pulledpo...@googlegroups.com
Hello,

Taking JJC's suggestion to enable rules based on policy (https://groups.google.com/d/msg/pulledpork-users/71f_yGLMoKo/SPylv3aIaAcJ), I ran the following:


PP finishes with the following stats:

Rule Stats...
        New:-------1
        Deleted:---1
        Enabled Rules:----17377
        Dropped Rules:----0
        Disabled Rules:---16006
        Total Rules:------33383

Great, grep'ping snort.rules verifies that:

# grep -v '^#' snort.rules | grep -v '^$' | wc
   17395  572838 8063161
(Count the lines that do not begin with # nor a blank line)


Now if I run PP with the following policy:

./pulledpork.pl -c pulledpork.conf.new -vv -I security

The output is:

No Rule Changes

No IP Blacklist Changes

Done

I thought "security" setting would have at least altered some things in the rule set!

Now checking snort.rules shows that indeed nothing has changed:

# grep -v '^#' snort.rules | grep -v '^$' | wc
   17395  572838 8063161


The only way for me to get the security policy to load is to delete snortrules-snapshot-2940.tar.gz*, opensource.gz*, and emerging.rules.tar.gz* from /tmp, which forces PP to redownload the rules and it will then apply the policy.

./pulledpork.pl -c pulledpork.conf.new -vv -I security
[…]
Rule Stats...
        New:-------16599
        Deleted:---0
        Enabled Rules:----8131
        Dropped Rules:----0
        Disabled Rules:---25252
        Total Rules:------33383

# grep -v '^#' snort.rules | grep -v '^$' | wc
    8132  303239 4270622

Furthermore, I noticed two things:
1)  There are fewer enabled rules in "security" mode than when not specifying "-I"?
2)  The security-based rules are still all alerts... I'd expect there would be some drops for "security" (?)  (grep'ping through snort.rules shows no drops)


Thank you!

JJC

Mar 15, 2013, 11:23:01 AM
to pulledpo...@googlegroups.com
What is the verbose output?

Ricky Huang

Mar 15, 2013, 12:24:22 PM
to pulledpo...@googlegroups.com
I re-ran it this morning to get you the verbose output, so the count is slightly off, but the idea is the same:

Rule Stats...
New:-------33408
Deleted:---0
Enabled Rules:----8130
Dropped Rules:----0
Disabled Rules:---25278
Total Rules:------33408


Again, grep'ping through the rulesets, not commented + not blank line + not "alert":

# grep '^alert' snort.rules  | wc
    8130  303181 4269906
They are all "alerts" type rules...


Thanks.
pulledpork.securityruleset_fresh.log

JJC

Mar 15, 2013, 12:30:16 PM
to pulledpo...@googlegroups.com
So what is not aligning? It looks like it is to me.

Ricky Huang

Mar 15, 2013, 1:42:57 PM
to pulledpo...@googlegroups.com
Thanks for looking at it!

Without specifying the "-I security" option, there are 17k enabled rules, but when I enable "-I security", there are only 8k left enabled.

1)  I would think there would be more rules in security mode.
2)  All of the enabled rules (with or without "-I") are alerts only; is that the correct behavior?  I would expect that when "security" is on, there would be "drop" for IPS.
3)  Assuming #2 is the correct behavior, is this where I have to use dropsid.conf to change those alerts to drops? (Reading README.DROPSID, I am unable to find an example of dropping an entire policy.)


Thanks again!

JJC

Mar 15, 2013, 4:49:57 PM
to pulledpo...@googlegroups.com
Inline

On Fri, Mar 15, 2013 at 11:42 AM, Ricky Huang <rhuan...@gmail.com> wrote:
> Thanks for looking at it!
>
> By not specifying the "-I security" option, there are 17k enabled rules, but
> when I enabled "-I security", there are only 8k left enabled.
>
> 1) I would think there are more rules in security mode

When running rulesets in addition to VRT, like ET, then all rules that
do not have the correct metadata associated with the security policy
are disabled (so ALL ET rules).

> 2) All of the enabled rules (with or without "-I") are alerts only, is that
> the correct behavior? I would expect when "security" is on, there would be
> "drop" for IPS.

No, the default behavior is to set them to alert only. Most people are
still running passively, and setting these to drop would silently
disable them if said users were not starting snort with the correct
flag to treat drop as alert.

> 3) Assuming #2 is the correct behavior, is this where I have to use
> dropsid.conf to change those alerts to drops? (Reading README.DROPSID, I am
> unable to find example of dropping an entire policy.)

in dropsid:
pcre:security-ips\ drop

The power of regular expressions :-)

I will be adding a flag that will allow for "state" in terms of drop
to be used also, but for now this is the expected behavior.
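The two mechanics discussed in this thread (the enabled-rule counts checked with grep/wc, and the `pcre:` line in dropsid.conf that rewrites matching rules from alert to drop) can be modelled in a few lines. The following is an added example written for this page, not PulledPork's own Perl code: it parses a constructed, clearly fake snort.rules fragment, applies a simplified model of `-I <policy>` (a rule stays enabled only if its metadata carries `policy <policy>-ips`; this simplification is an assumption), applies a dropsid-style regex, and reports the counts. The sids, messages and `render`/`stats` helpers are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample (not real VRT/ET rules; sids are arbitrary), in the
# shape PulledPork writes to snort.rules: a leading '# ' marks a disabled
# rule, any other '#' line is a plain comment, blank lines are ignored.
SAMPLE_RULES = """\
# constructed sample ruleset for illustration only
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE security only"; sid:9000001; rev:1; metadata:policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SAMPLE balanced+security"; sid:9000002; rev:1; metadata:policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE all three policies"; sid:9000003; rev:1; metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SAMPLE ET-style, no policy metadata"; sid:9000004; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SAMPLE ET-style, no policy metadata"; sid:9000005; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE disabled in file, security metadata"; sid:9000006; rev:1; metadata:policy security-ips drop;)
"""

RULE_RE = re.compile(
    r'^(?P<comment>#\s*)?(?P<action>alert|drop|sdrop|reject|pass|log)\s+(?P<rest>.*)$')


def parse_rules(text):
    """Return one dict per rule: enabled (bool), action, body (text after the action)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not line or not m:
            continue  # blank line or plain comment, not a rule
        rules.append({"enabled": m.group("comment") is None,
                      "action": m.group("action"),
                      "body": m.group("rest")})
    return rules


def apply_policy(rules, policy=None):
    """Simplified model (assumption) of 'pulledpork.pl -I <policy>': with a
    policy given, a rule is enabled iff its metadata names that policy, so
    rules without such metadata (e.g. the whole ET set) are disabled. With
    no policy, the file's own enabled/disabled state is kept unchanged."""
    if policy is None:
        return [dict(r) for r in rules]
    tag = "policy %s-ips" % policy
    return [dict(r, enabled=(tag in r["body"])) for r in rules]


def apply_dropsid(rules, pcre):
    """Model of a 'pcre:<regex>' line in dropsid.conf: every enabled rule
    whose text matches the regex gets its action rewritten to drop.
    The thread's 'security-ips\\ drop' uses a backslash-escaped space,
    which Python's re accepts as a literal space as well."""
    rx = re.compile(pcre)
    out = []
    for r in rules:
        r = dict(r)
        if r["enabled"] and rx.search(r["body"]):
            r["action"] = "drop"
        out.append(r)
    return out


def stats(rules):
    """The same numbers the thread checks with 'Rule Stats' and grep/wc:
    total, enabled, disabled, and enabled rules broken down by action."""
    enabled = [r for r in rules if r["enabled"]]
    return {"total": len(rules),
            "enabled": len(enabled),
            "disabled": len(rules) - len(enabled),
            "by_action": dict(Counter(r["action"] for r in enabled))}


def render(rules):
    """Write the rules back out in snort.rules form (disabled rules commented)."""
    return "\n".join(("" if r["enabled"] else "# ") + r["action"] + " " + r["body"]
                     for r in rules) + "\n"


if __name__ == "__main__":
    base = parse_rules(SAMPLE_RULES)
    print("no -I:            ", stats(base))
    sec = apply_policy(base, "security")
    print("-I security:      ", stats(sec))
    print("-I connectivity:  ", stats(apply_policy(base, "connectivity")))
    dropped = apply_dropsid(sec, r"security-ips\ drop")
    print("+ dropsid pcre:   ", stats(dropped))
    print(render(dropped))
```

Running it shows the same shape of result the thread reports: with `-I security` the two ET-style rules (no policy metadata) are disabled, `-I connectivity` enables fewer rules still, and only after the dropsid `pcre:` line do the enabled security rules change from alert to drop.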

Ricky Huang

Mar 15, 2013, 10:06:47 PM
to pulledpo...@googlegroups.com
Thanks for the regex suggestion, now I will be able to turn the entire security class to drop in dropsid.  =)


The first part of my question still remains though. I originally had the "-I security" option selected, and I have some rules enabled:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
    8147  303858 4278265

When I run PP offline (I am within 15 minute cool down time) to try to switch to connectivity mode:
./pulledpork.pl -c pulledpork.conf.new -vvn -I connectivity

I get "No Rule Changes", and a quick grep of the rules file shows that the enabled rules have not changed:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
    8147  303858 4278265

I would expect connectivity ruleset to be more "loose" than security.

So I switch back to no "-I" option, still offline ("./pulledpork.pl -c pulledpork.conf.new -vvn"), and I still get "No Rule Changes".


The only way I can get it to the "loosest" rule set possible (with security or any other ruleset in place) is to first delete all downloaded rules, then run PulledPork without the "-I" option:
Rule Stats...
New:-------1
Deleted:---1
Enabled Rules:----17419
Dropped Rules:----0
Disabled Rules:---16014
Total Rules:------33433

Now if I want to apply "security" setting offline, I won't be able to:
 $ ./pulledpork.pl -c pulledpork.conf.new -vvn -I security
[…]
No Rule Changes


Question is, should I be able to apply different ruleset policies offline?


Thank you.

JJ Cummings

Mar 15, 2013, 11:12:16 PM
to pulledpo...@googlegroups.com, pulledpo...@googlegroups.com
You should, yes... Can I see verbose output for each run 

Sent from the iRoad

Ricky Huang

Mar 17, 2013, 6:54:18 PM
to pulledpo...@googlegroups.com
I have a set of logs that aren't the exact scenario from Friday but illustrate the point.  File descriptions below:

pulledpork.noruleset_online.log - Fresh download, no "-I", and online.

pulledpork.security_offline.log - Offline download, "-I security" policy.  Notice the "No Rule Changes" at the end of the log.

After 15 minutes of "cooldown".

pulledpork.security_online.log - Online download (but I don't think download happened because the tar balls are still in /tmp), "-I security" policy.  Notice the "No Rule Changes" at the end of the log.

pulledpork.security_online_fresh.log - Clear all emerging.rules.tar.gz* snortrules-snapshot-2940.tar.gz* and opensource.gz*, online download, "-I security" policy.  Notice security policy gets applied.

This is PulledPork r255.


Thanks!

pulledpork.noruleset_online.log
pulledpork.security_offline.log
pulledpork.security_online.log
pulledpork.security_online_fresh.log