dropsid.conf


chris....@tampinc.com

22 Aug 2013, 8:55:39 AM
to pulledpo...@googlegroups.com
Hi,
    I've just set up Snort 2.9.5 and pulledpork 0.70 on my Fedora 17 home machine for testing before doing a proper test implementation on a production machine. I have been running snort in inline mode using NFQUEUE in iptables to send all traffic to the snort nfq daq module. It's working fine, blocks on drop rules, passes alert rules etc. I've been doing some testing with pings and specifically I am looking at the rule with sid 384.

Contents of pulledpork.conf are ...

# URL for rule documentation! (slow to process)

temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=1
sid_changelog=/var/log/snort/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
distro=RHEL-6-0
black_list=/etc/snort/rules/iplists/default.blacklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
state_order=disable,drop,enable
pid_path=/var/run/snort_.pid,/var/run/barnyard2_p17p1.pid
# docs=/path/to/base/www
# snort_version=2.9.0.0
# ips_policy=security

# enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
# disablesid=/etc/snort/disablesid.conf
# modifysid=/etc/snort/modifysid.conf

version=0.7.0



When dropsid.conf is empty PP output contains

Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----19701
Dropped Rules:----0
Disabled Rules:---25324
Total Rules:------45025

"grep 'sid:384;' /etc/snort/rules/snort.rules" produces

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)

The alert is disabled, this is the way it is in the rules tarball so that's OK!

Then I add the following line to dropsid.conf: pcre:metadata:[^;]*balanced-ips\sdrop and run PP again 

Processing /etc/snort/dropsid.conf....
Modified 16878 rules
Done
Setting Flowbit State....
Enabled 280 flowbits
Enabled 24 flowbits
Enabled 4 flowbits
Enabled 2 flowbits
Done
Writing /etc/snort/rules/snort.rules....
Done
Generating sid-msg.map....
Done
Writing v1 /etc/snort/sid-msg.map....
Done
Writing /var/log/snort/sid_changes.log....
Done
Rule Stats...
New:-------0
Deleted:---0
Enabled Rules:----15094
Dropped Rules:----16877
Disabled Rules:---13054
Total Rules:------45025

"grep 'sid:384;' /etc/snort/rules/snort.rules" produces

drop icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)

I don't understand why my regex matched this rule and PP changed the state to "enabled drop" from "disabled alert". I thought it should only convert rules with "balanced-ips drop" in their metadata. 

Am I mistaken, is PP doing other processing I should be aware of?

Cheers,
   Chris

JJC

22 Aug 2013, 10:29:48 AM
to pulledpo...@googlegroups.com
Something definitely looks odd.. worth an investigation / bug report I would say

JJC

22 Aug 2013, 10:33:22 AM
to pulledpo...@googlegroups.com
What other opts are set in dropsid.conf?


On Thursday, August 22, 2013 6:55:39 AM UTC-6, chris....@tampinc.com wrote:

chris....@tampinc.com

22 Aug 2013, 10:38:11 AM
to pulledpo...@googlegroups.com
It's the only line

<snip>

Cheers,
   Chris

JJC

22 Aug 2013, 12:22:44 PM
to pulledpo...@googlegroups.com
Let's reduce the complexity of your pcre..

try just

pcre:balanced-ips\ drop
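A way to check both patterns from this thread before handing them to pulledpork, as an added example that is not pulledpork's own code (pulledpork is written in Perl; this is a Python stand-in, and for these two patterns Python's re treats `[^;]*`, `\s` and `\ ` the same way PCRE does). It assumes the dropsid pcre is applied to the full rule line, and runs it over two constructed rules: the sid:384 line quoted above exactly as it appears commented out in snort.rules, and a hypothetical rule (sid 9999999 is invented) carrying the "balanced-ips drop" policy metadata the pattern is meant to select. Neither pattern matches the sid:384 line, so the pattern alone does not account for the change reported above.

```python
import re

# Constructed sample rules (not taken from a ruleset download).  The first is
# the sid:384 line as the thread quotes it from snort.rules; the second is a
# hypothetical rule (sid 9999999 is invented) with "balanced-ips drop" metadata.
SAMPLE_RULES = [
    '# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; '
    'icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; '
    'sid:384; rev:8;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE hypothetical rule"; '
    'flow:to_server,established; content:"example"; '
    'metadata:policy balanced-ips drop, policy security-ips drop; '
    'classtype:attempted-admin; sid:9999999; rev:1;)',
]

# The two dropsid.conf entries from the thread, minus the "pcre:" prefix.
PATTERNS = {
    "metadata-anchored": r"metadata:[^;]*balanced-ips\sdrop",  # original post
    "simplified": r"balanced-ips\ drop",                        # JJC's suggestion
}

# Snort rule actions that can lead a rule line.
ACTIONS = ("alert", "log", "pass", "drop", "sdrop", "reject", "activate", "dynamic")


def sid_of(rule):
    """Return the numeric sid of a rule line, or None if it has none."""
    m = re.search(r"\bsid:(\d+);", rule)
    return int(m.group(1)) if m else None


def matching_sids(pattern, rules):
    """SIDs of the rules whose full text the pcre matches (assumed match scope)."""
    rx = re.compile(pattern)
    return sorted(sid_of(r) for r in rules if rx.search(r))


def apply_dropsid(pattern, rules):
    """Rewrite matching rules to enabled 'drop' rules; leave the rest untouched.

    Modelled on the behaviour observed in the thread: a matched, commented-out
    alert comes back as an uncommented drop.  Non-matching rules keep their
    state, including any leading '#'.
    """
    rx = re.compile(pattern)
    action_rx = re.compile(r"^\s*(?:#\s*)?(%s)\b" % "|".join(ACTIONS))
    out = []
    for r in rules:
        if rx.search(r):
            out.append(action_rx.sub("drop", r, count=1))
        else:
            out.append(r)
    return out


def state_of(rule):
    """Return ('enabled'|'disabled', action) for a rule line."""
    m = re.match(r"^\s*(#)?\s*(\w+)", rule)
    return ("disabled" if m.group(1) else "enabled", m.group(2))


if __name__ == "__main__":
    for name, pat in PATTERNS.items():
        print(name, "matches sids:", matching_sids(pat, SAMPLE_RULES))
        for r in apply_dropsid(pat, SAMPLE_RULES):
            print("   ", sid_of(r), state_of(r))
```

Run it against the real snort.rules by replacing SAMPLE_RULES with the file's lines; if matching_sids() does not list a sid that pulledpork nonetheless rewrote, the change came from something other than the pcre, which is the question the thread raises.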




