Hi,
I've just set up Snort 2.9.5 and pulledpork 0.7.0 on my Fedora 17 home machine for testing before doing a proper test implementation on a production machine. I have been running snort in inline mode using NFQUEUE in iptables to send all traffic to the snort nfq daq module. It's working fine: it blocks on drop rules, passes alert rules, etc. I've been doing some testing with pings, and specifically I am looking at the rule with sid 384.
Contents of pulledpork.conf are ...
# URL for rule documentation! (slow to process)
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-6-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
state_order=disable,drop,enable
pid_path=/var/run/snort_.pid,/var/run/barnyard2_p17p1.pid
# docs=/path/to/base/www
# snort_version=2.9.0.0
# ips_policy=security
# enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
# disablesid=/etc/snort/disablesid.conf
# modifysid=/etc/snort/modifysid.conf
version=0.7.0
When dropsid.conf is empty PP output contains
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----19701
Dropped Rules:----0
Disabled Rules:---25324
Total Rules:------45025
"grep 'sid:384;' /etc/snort/rules/snort.rules" produces
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
The alert is disabled; this is the way it is in the rules tarball, so that's OK!
Then I add the following line to dropsid.conf: pcre:metadata:[^;]*balanced-ips\sdrop and run PP again.
Processing /etc/snort/dropsid.conf....
Modified 16878 rules
Done
Setting Flowbit State....
Enabled 280 flowbits
Enabled 24 flowbits
Enabled 4 flowbits
Enabled 2 flowbits
Done
Writing /etc/snort/rules/snort.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/snort/sid-msg.map....
Done
Writing /var/log/snort/sid_changes.log....
Done
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----15094
Dropped Rules:----16877
Disabled Rules:---13054
Total Rules:------45025
"grep 'sid:384;' /etc/snort/rules/snort.rules" produces
drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
I don't understand why my regex matched this rule and PP changed its state to "enabled drop" from "disabled alert". I thought it should only convert rules with "balanced-ips drop" in their metadata.
Am I mistaken? Is PP doing other processing I should be aware of?
Cheers,
Chris
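A check of the regex on its own, as an added Python example that is not part of the post and not pulledpork's code: it takes the dropsid.conf line quoted above (minus its pcre: prefix), applies the pattern to each rule line individually, and converts only the lines it matches to an enabled drop rule. The rule set is constructed for the example: sid 384 is the line quoted in the post, while sids 9000001 and 9000002 are made-up rules, one with "balanced-ips drop" in its metadata and one without. Applied per rule like this, the pattern does not match the sid 384 line, because that line's metadata field contains only "ruleset community". How pulledpork itself applies a pcre line is not modelled here.

```python
import re
from typing import Dict, Iterator, Tuple

# Snort rule line: optional "# " disable marker, an action keyword, then the rest of the rule.
RULE_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|sdrop|reject)\s+(?P<body>.+)$"
)
SID_RE = re.compile(r"\bsid:(\d+);")

# Constructed sample rule set (example data, not a real tarball).
# sid 384 is the line quoted in the post; sids 9000001 and 9000002 are invented.
SAMPLE_RULES = """
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE balanced drop rule"; flow:to_server,established; content:"foo"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE security-only rule"; flow:to_server,established; content:"bar"; metadata:policy security-ips drop; classtype:attempted-admin; sid:9000002; rev:1;)
"""

# The dropsid.conf line exactly as written in the post.
DROPSID_LINE = r"pcre:metadata:[^;]*balanced-ips\sdrop"


def dropsid_pattern(line: str) -> str:
    """Strip the 'pcre:' prefix from a dropsid.conf line, leaving the bare regex."""
    prefix = "pcre:"
    if not line.startswith(prefix):
        raise ValueError(f"not a pcre line: {line!r}")
    return line[len(prefix):]


def parse_rules(text: str) -> Iterator[Tuple[int, bool, str, str]]:
    """Yield (sid, enabled, action, body) for every rule line, commented-out rules included."""
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a plain comment that is not a rule
        sid = SID_RE.search(m.group("body"))
        if not sid:
            continue
        yield int(sid.group(1)), m.group("disabled") is None, m.group("action"), m.group("body")


def rule_matches(pattern: str, action: str, body: str) -> bool:
    """Run the regex against one rule's own text, with the '# ' disable marker removed."""
    return re.search(pattern, f"{action} {body}") is not None


def apply_dropsid_pcre(text: str, pattern: str) -> Dict[int, Tuple[str, bool]]:
    """Per-rule selection: a matching rule becomes an enabled drop; everything else is left as found.

    Returns {sid: (action, enabled)} after the change.
    """
    result: Dict[int, Tuple[str, bool]] = {}
    for sid, enabled, action, body in parse_rules(text):
        result[sid] = ("drop", True) if rule_matches(pattern, action, body) else (action, enabled)
    return result


def rewrite(text: str, pattern: str) -> str:
    """Emit the rule file with matched rules uncommented and their action replaced by drop."""
    out = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if m and rule_matches(pattern, m.group("action"), m.group("body")):
            out.append(f"drop {m.group('body')}")
        else:
            out.append(raw)
    return "\n".join(out)


PATTERN = dropsid_pattern(DROPSID_LINE)

if __name__ == "__main__":
    for sid, (action, enabled) in sorted(apply_dropsid_pcre(SAMPLE_RULES, PATTERN).items()):
        print(f"sid {sid}: {'enabled' if enabled else 'disabled'} {action}")
    print(rewrite(SAMPLE_RULES, PATTERN))
```

Running it prints sid 384 as "disabled alert", sid 9000001 as "enabled drop" and sid 9000002 as "enabled alert": the `[^;]*` part keeps the match inside the metadata option, so a rule whose metadata has no "balanced-ips drop" is not selected, whatever its other options contain. Replacing SAMPLE_RULES with the contents of snort.rules gives a quick way to list which sids the pattern alone selects, for comparison against the "Modified" count PP reports.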