Unable to enable/disable/drop SIDs unless it's a fresh download


Ricky Huang

Mar 20, 2013, 3:26:01 PM3/20/13
to pulledpo...@googlegroups.com
Hello,

I believe this is similar/related to my other issue with "Unable to load a ruleset unless it's a fresh download" (https://groups.google.com/d/msg/pulledpork-users/z8D2FkWO-d4/9dmfEhU7jJAJ).

According to the docs, I should be able to do a "no download" (-n) and enable/disable/drop SIDs.

= PART 1 =

So I start out fresh, security policy (pulledpork.security_online_fresh.log attached):
$ ./pulledpork.pl -vv -I security -c pulledpork.conf.new > pulledpork.security_online_fresh.log

A quick grep shows the appropriate number of rules downloaded/enabled:
# grep -v '^#' snort.rules | grep -v '^$' | wc
    8148  303887 4278623

Now let's focus on one rule only, 17031 (randomly chosen for no reason).  A quick grep shows that it's disabled by default:
$ grep ':17031' snort.rules
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)

In both my enablesid.conf and dropsid.conf there's only one line "1:17031" (not exciting, but attached).  If I read the manual correctly, this should enable and change the rule to drop, so the expected change to snort.rules /should/ be:
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)

Now I run PP offline (because I am within my 15 minute cool-down and plus there should be no reason to be online for SID changes):
./pulledpork.pl -vvn -I security -c pulledpork.conf.new -e enablesid.conf -b dropsid.conf > pulledpork.enabledrop_offline.log 2>&1

It says "No Rule Changes" at the end, with no error, (pulledpork.enabledrop_offline.log attached). And a grep shows the rule is still "alert" and disabled:
$ grep ':17031' snort.rules
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)

This cannot be the correct behavior.


= PART 2 =

Now, to show that it works when it's a *fresh download*.

First I remove the temp rule tar balls:
rm /tmp/snortrules-snapshot-2940.tar.gz* /tmp/emerging.rules.tar.gz* /tmp/opensource.gz*

Now I run PP online, security policy, and with paths to the enable and drop rules:
$ ./pulledpork.pl -vv -I security -c pulledpork.conf.new -e enablesid.conf -b dropsid.conf > pulledpork.enabledrop_online_fresh.log 2>&1

We see that one drop rule is enabled (pulledpork.enabledrop_online_fresh.log attached):
Dropped Rules:----1

and a grep of snort.rules confirms it:
$ grep ':17031' snort.rules
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)

I am running PulledPork r256, and I've also attached the pulledpork conf file.

Please help, PP/Snort would be unusable if I can't enable/disable and switch rulesets!


Thanks in advance.

pulledpork.security_online_fresh.log
enablesid.conf
pulledpork.enabledrop_offline.log
pulledpork.enabledrop_online_fresh.log
pulledpork.conf.new
dropsid.conf
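The change Ricky expects from enablesid.conf and dropsid.conf (uncomment the rule, switch its action to drop) can be written out as a small routine over snort.rules lines, with a state check that mirrors the grep ':17031' verification. This is an added illustration, not PulledPork's own code; it handles only the "gid:sid" list form used in the thread and assumes gid 1 for every rule.

```python
import re

# Constructed sample: the first line is the rule from the thread as it appears in a
# freshly generated "security" policy snort.rules (disabled); the second is made up.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM burnshy.ru known spam email attempt"; flow:to_server, established; content:"burnshy.ru"; nocase; metadata:service smtp; classtype:policy-violation; sid:17031; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CONSTRUCTED example rule"; sid:9000001; rev:1;)
# a comment line that is not a rule
"""

# Matches an optional leading "# " (disabled rule), the action, and captures the sid.
RULE_RE = re.compile(
    r'^(?P<off>#\s*)?(?P<action>alert|drop|log|pass|sdrop|reject)\s+'
    r'(?P<rest>.*?sid:\s*(?P<sid>\d+)\s*;.*)$')


def parse_sid_list(text):
    """Parse 'gid:sid' entries (comma or newline separated, '#' comments) into a set."""
    out = set()
    for line in text.splitlines():
        for item in line.split('#', 1)[0].split(','):
            item = item.strip()
            if not item:
                continue
            gid, sid = item.split(':', 1) if ':' in item else ('1', item)
            out.add((int(gid), int(sid)))
    return out


def apply_sid_changes(rules_text, enable=frozenset(), drop=frozenset(), disable=frozenset()):
    """Return rules_text with the requested SIDs enabled, disabled or changed to drop."""
    out = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)          # not a rule line: copy through unchanged
            continue
        key = (1, int(m.group('sid')))   # assumption: every rule has gid 1
        commented = m.group('off') is not None
        action = m.group('action')
        if key in enable:
            commented = False
        if key in disable:
            commented = True
        if key in drop:
            action = 'drop'           # assumption: drop only changes the action
        out.append(('# ' if commented else '') + action + ' ' + m.group('rest'))
    return '\n'.join(out) + '\n'


def rule_state(rules_text, sid):
    """Return (action, enabled) for a sid, or None if absent; the grep ':17031' check."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and int(m.group('sid')) == sid:
            return (m.group('action'), m.group('off') is None)
    return None
```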

JJC

Mar 20, 2013, 3:33:02 PM3/20/13
to pulledpo...@googlegroups.com
This is the correct behavior for the version within the repository.
You will need to also specify the force process flag.. it's a
different way of thinking about it.. but the flag is -P

JJC

Ricky Huang

Mar 20, 2013, 7:03:40 PM3/20/13
to pulledpo...@googlegroups.com
I just tried it with a freshly downloaded security policy (with no custom enable/drop) and then attempted to modify enable/drop with the P command as you described:
./pulledpork.pl -vv -I security -c pulledpork.conf.new -e enablesid.conf -b dropsid.conf -nP > pulledpork.enabledrop_offline_P.log 2>&1
(log attached)

The rule specified in enablesid.conf and dropsid.conf (1:17031) still remains alert and commented out.  Does it have anything to do with the "security" policy I chose?
pulledpork.enabledrop_offline_P.log

JJC

Mar 21, 2013, 12:32:56 PM3/21/13
to pulledpo...@googlegroups.com
Ok, just committed the codefix to allow for this

Ricky Huang

Mar 26, 2013, 6:30:04 PM3/26/13
to pulledpo...@googlegroups.com
On Mar 21, 2013, at 9:32 AM, JJC <cumm...@gmail.com> wrote:

Ok, just committed the codefix to allow for this


Verified -P now does allow for enable/drop SIDs and policy switch to happen as documented.  But the summary "Rule Stats…" at the end is off, will present that with logs in another email.


Thank you!