Hello,
According to the docs, I should be able to do a "no download" (-n) and enable/disable/drop SIDs.
= PART 1 =
So I start out fresh, security policy (pulledpork.security_online_fresh.log attached):
$ ./pulledpork.pl -vv -I security -c pulledpork.conf.new > pulledpork.security_online_fresh.log
A quick grep shows the appropriate number of rules downloaded/enabled:
# grep -v '^#' snort.rules | grep -v '^$' | wc
8148 303887 4278623
Now let's focus on one rule only, 17031 (randomly chosen for no reason). A quick grep shows that it's disabled by default:
$ grep ':17031' snort.rules
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
In both my enablesid.conf and dropsid.conf there's only one line "1:17031" (not exciting, but attached). If I read the manual correctly, this should enable and change the rule to drop, so the expected change to snort.rules /should/ be:
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
Now I run PP offline (because I am within my 15 minute cool-down and, besides, there should be no reason to be online for SID changes):
./pulledpork.pl -vvn -I security -c pulledpork.conf.new -e enablesid.conf -b dropsid.conf > pulledpork.enabledrop_offline.log 2>&1
It says "No Rule Changes" at the end, with no error, (pulledpork.enabledrop_offline.log attached). And a grep shows the rule is still "alert" and disabled:
$ grep ':17031' snort.rules
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
This cannot be the correct behavior.
= PART 2 =
Now, to show that it works when it's a *fresh download*.
First I remove the temp rule tar balls:
rm /tmp/snortrules-snapshot-2940.tar.gz* /tmp/emerging.rules.tar.gz* /tmp/opensource.gz*
Now I run PP online, security policy, and with paths to the enable and drop rules:
$ ./pulledpork.pl -vv -I security -c pulledpork.conf.new -e enablesid.conf -b dropsid.conf > pulledpork.enabledrop_online_fresh.log 2>&1
We see that one drop rule is enabled (pulledpork.enabledrop_online_fresh.log attached):
and a grep of snort.rules confirms it:
$ grep ':17031' snort.rules
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
I am running PulledPork r256, and I've also attached the pulledpork conf file.
Please help, PP/Snort would be unusable if I can't enable/disable and switch rulesets!
Thanks in advance.
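The post above expects a specific transformation of snort.rules from an enablesid.conf and dropsid.conf that both list 1:17031: the commented-out "alert" line becomes an uncommented "drop" line. The following script, added here as an example and not PulledPork's own code, applies that enable/drop semantics to a rules file itself and reports what it changed, so the expected state of a rule can be checked offline against what PulledPork actually wrote. It handles only the "gid:sid" entry form (the real tool also accepts other selectors), it defaults gid to 1 when a rule has no gid: option, and it rewrites the action of a listed drop rule whether or not the rule is also enabled; all three are assumptions. The sample rules and SID lists are constructed, not the real Snort ruleset.

```python
"""Apply enablesid/dropsid-style SID lists to a snort.rules file and report
the changes. Added example, not PulledPork's code; see assumptions below."""
import re

# Assumption: only "gid:sid" entries are recognised; '#' starts a comment.
SID_ENTRY = re.compile(r'^\s*(\d+):(\d+)\s*$')
# A rule line, optionally commented out ("# alert ..."), with its action word.
RULE_LINE = re.compile(r'^(#\s*)?(alert|drop|pass|log|sdrop|reject)\s+(.*)$')
SID_OPT = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_OPT = re.compile(r'\bgid:\s*(\d+)\s*;')

# Constructed sample snort.rules; sid 17031 is disabled, as in the post.
SAMPLE_RULES = """\
# Constructed sample snort.rules (not the real Snort ruleset)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SAMPLE spam domain"; content:"example.invalid"; nocase; sid:17031; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; content:"/sample"; sid:1000001; rev:1;)
# alert udp any any -> any 53 (msg:"SAMPLE dns"; sid:1000002; rev:1;)
"""
SAMPLE_ENABLESID = "# constructed enablesid.conf\n1:17031\n"
SAMPLE_DROPSID = "# constructed dropsid.conf\n1:17031\n"


def parse_sid_list(text):
    """Return the set of (gid, sid) tuples from an enablesid/dropsid-style file."""
    sids = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0]          # strip trailing comments
        m = SID_ENTRY.match(line)
        if m:
            sids.add((int(m.group(1)), int(m.group(2))))
    return sids


def rule_key(body):
    """(gid, sid) of a rule body; gid defaults to 1 (assumption) without gid:."""
    sid = SID_OPT.search(body)
    if not sid:
        return None
    gid = GID_OPT.search(body)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def apply_sid_policies(rules_text, enable=frozenset(), drop=frozenset()):
    """Uncomment rules listed in `enable` and set the action of rules listed in
    `drop` to 'drop'. Returns (new_text, changes) where changes maps
    (gid, sid) -> list of modifications actually applied."""
    out, changes = [], {}
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if not m:                              # comments, blank lines, includes
            out.append(line)
            continue
        commented, action, body = m.group(1) or '', m.group(2), m.group(3)
        key = rule_key(body)
        applied = []
        if key in enable and commented:
            commented = ''
            applied.append('enabled')
        if key in drop and action != 'drop':   # assumption: applies even if disabled
            action = 'drop'
            applied.append('action->drop')
        if applied:
            changes[key] = applied
        out.append(f"{commented}{action} {body}")
    return '\n'.join(out) + '\n', changes


def count_active(rules_text):
    """Same count as the post's `grep -v '^#' | grep -v '^$' | wc` pipeline."""
    return sum(1 for l in rules_text.splitlines() if l and not l.startswith('#'))


def rule_line_for(rules_text, key):
    """Return the (possibly commented) line carrying the given (gid, sid)."""
    for line in rules_text.splitlines():
        m = RULE_LINE.match(line)
        if m and rule_key(m.group(3)) == key:
            return line
    return None


if __name__ == '__main__':
    new_text, changes = apply_sid_policies(
        SAMPLE_RULES, parse_sid_list(SAMPLE_ENABLESID), parse_sid_list(SAMPLE_DROPSID))
    print(f"active rules before: {count_active(SAMPLE_RULES)}, after: {count_active(new_text)}")
    for key, mods in sorted(changes.items()):
        print(f"{key[0]}:{key[1]} -> {', '.join(mods)}")
    print(rule_line_for(new_text, (1, 17031)))
```

Running it on a real snort.rules together with the enablesid.conf and dropsid.conf that were passed to PulledPork, and then diffing its output against the file PulledPork produced, shows directly whether a "No Rule Changes" run left listed SIDs untouched.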