Recent changes causing local.rules to be copied to downloaded.rules?


Jeff H

Jan 15, 2017, 5:13:40 PM
to securit...@googlegroups.com
I noticed recently that Snort was complaining about duplicate rules. Looking into it further I see that it looks like all of my rules from local.rules are also in downloaded.rules.

I know there have been a few updates recently (Snort, Pulledpork, rule-update), did this behavior change recently? Or has this always been the behavior and I just noticed it now?

Previously I had both downloaded.rules and local.rules in my snort.conf, which I don't remember manually modifying, but I may have when I first started adding local rules long ago. 

Since all of my local rules appear to now be getting added to the downloaded.rules I commented out the local.rules line and Snort stopped complaining.

Just wondering if this is:

1) Normal behavior?
2) New behavior? Or did I just notice it?

Thanks

Jeff

Doug Burks

Jan 16, 2017, 8:23:43 AM
to securit...@googlegroups.com
Hi Jeff,

I just tested and it does appear that this is a change in PulledPork.
PulledPork 0.7.0 does not copy local.rules to downloaded.rules, but
PulledPork 0.7.3 does.

I added a comment to this PulledPork issue:
https://github.com/shirkdog/pulledpork/issues/235

To clarify though, when you say that "Snort was complaining about
duplicate rules", is Snort just emitting a WARNING and continuing to
run, or is it emitting an ERROR and failing to run? My testing
indicates it's just a WARNING and Snort continues to run. In other
words, you could keep downloaded.rules and local.rules in your
snort.conf (the default) and Snort will log a WARNING but should still
run properly.



--
Doug Burks

Michael Bower

Jan 16, 2017, 10:02:10 AM
to security-onion
I'm seeing an error on mine, in addition to the WARNING:

ERROR: /etc/nsm/rules/downloaded.rules(29266) threshold (in rule): could not create threshold - only one per sig_id=10020171

Mike

Doug Burks

Jan 16, 2017, 10:05:05 AM
to securit...@googlegroups.com
Hi Mike,

Is that ERROR causing Snort to fail, or is Snort still running properly?

Michael Bower

Jan 16, 2017, 10:14:41 AM
to securit...@googlegroups.com
Alert data is failing:

  * netsniff-ng (full packet data)[  OK  ]
  * pcap_agent (SO-user)[  OK  ]
  * snort_agent-1 (SO-user)[  OK  ]
  * snort_agent-2 (SO-user)[  OK  ]
  * snort-1 (alert data)[ FAIL ]
  * stale PID file found, process will be restarted at the next 5-minute interval!
  * snort-2 (alert data)[ FAIL ]
  * stale PID file found, process will be restarted at the next 5-minute interval!
  * barnyard2-1 (spooler, unified2 format)[  OK  ]
  * barnyard2-2 (spooler, unified2 format)[  OK  ]


--

Sent from my Android device

Doug Burks

Jan 16, 2017, 10:31:26 AM
to securit...@googlegroups.com
Yep, I can duplicate this for rules that contain thresholds. Affected
folks can comment out "include $RULE_PATH/local.rules" in their
snort.conf until PulledPork Issue 235
(https://github.com/shirkdog/pulledpork/issues/235) is resolved and/or
we release a patch.
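
A small POSIX shell check for the situation in this thread, added here as an example; it is not code from the thread, from PulledPork or from Security Onion. It writes constructed sample local.rules, downloaded.rules and snort.conf files, lists the SIDs that appear in both rules files, singles out the thresholded ones (the case behind the "only one per sig_id" ERROR reported above), and applies the interim workaround of commenting out the local.rules include.

```shell
#!/bin/sh
# Added example, not code from the thread, PulledPork or Security Onion.
# Finds local.rules SIDs that were also copied into downloaded.rules and
# applies the interim workaround (comment out the local.rules include).

# Read rule text on stdin, print the sid of every active (non-commented)
# rule, one per line. Assumes the usual "sid:NNN;" option syntax.
extract_sids() {
    grep -v '^[[:space:]]*#' | grep -o 'sid:[[:space:]]*[0-9][0-9]*' \
        | sed 's/sid:[[:space:]]*//' | sort -u
}
rule_sids() { extract_sids < "$1"; }
threshold_sids() { grep 'threshold:' "$1" | extract_sids; }

# SIDs present in both files: the rules Snort reports as duplicates.
duplicate_sids() {
    { rule_sids "$1"; rule_sids "$2"; } | sort | uniq -d
}

# Duplicates that also carry a threshold option. Snort allows one threshold
# per sig_id, so these produce an ERROR rather than just a WARNING.
duplicate_threshold_sids() {
    { duplicate_sids "$1" "$2"; threshold_sids "$1"; } | sort | uniq -d
}

# Workaround from the thread: comment out "include $RULE_PATH/local.rules".
# Written through a temp file so it behaves the same with GNU and BSD sed.
disable_local_include() {
    conf="$1"; tmp="$conf.tmp.$$"
    sed 's|^\([[:space:]]*\)include[[:space:]]*\$RULE_PATH/local\.rules|\1# include $RULE_PATH/local.rules|' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample files (not real rules) standing in for a sensor whose
# downloaded.rules was rewritten by PulledPork 0.7.3.
write_samples() {
    cat > "$1/local.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"LOCAL sample one"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL sample two"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
# alert tcp any any -> any 22 (msg:"LOCAL disabled"; sid:1000003; rev:1;)
EOF
    cat > "$1/downloaded.rules" <<'EOF'
alert tcp any any -> any 25 (msg:"vendor sample"; sid:2000001; rev:1;)
alert tcp any any -> any 80 (msg:"LOCAL sample one"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"LOCAL sample two"; threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)
EOF
    printf 'include $RULE_PATH/downloaded.rules\ninclude $RULE_PATH/local.rules\n' > "$1/snort.conf"
}
```

Point `duplicate_sids` and `duplicate_threshold_sids` at /etc/nsm/rules/local.rules and /etc/nsm/rules/downloaded.rules on a real sensor; any SID from the second function is one that will stop Snort from starting until the include is commented out.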

Jeff H

Jan 16, 2017, 11:33:31 AM
to securit...@googlegroups.com
Just to confirm, I had the same error as Mike.


Doug Burks

Jan 16, 2017, 11:53:36 AM
to securit...@googlegroups.com
I've created the following issue:
https://github.com/Security-Onion-Solutions/security-onion/issues/1062

I've also patched the NSM scripts to automatically comment out
local.rules entries in snort.conf and suricata.yaml:
https://github.com/Security-Onion-Solutions/securityonion-nsmnow-admin-scripts/commit/18813ecae3d5f53b9b5c82f3260f18b7cd62ce6f

The new package has been submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/zlZ5XA8KlCU/discussion

Please help us test so it can be released ASAP.

Thanks!