"Rule Stats" "No Rule Changes" when switching policy


Ricky Huang

Mar 27, 2013, 1:51:27 PM3/27/13
to pulledpo...@googlegroups.com
Hello all,

When I switch security policy (and/or change rules), the "Rule Stats" at the end of the PP run does not give the correct count even though snort.rules has changed.

1) I download a fresh ruleset and apply no policy and no SID changes (pulledpork.online_fresh.log attached):
rm /tmp/snortrules-snapshot-2940.tar.gz* /tmp/emerging.rules.tar.gz* /tmp/opensource.gz*
$ ./pulledpork.pl -vv -c pulledpork.conf.new > pulledpork.online_fresh.log 2>&1

Rule Stats...
New:-------1
Deleted:---1
Enabled Rules:----17562
Dropped Rules:----0
Disabled Rules:---16050
Total Rules:------33612

A quick grep verifies the enabled rules:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
   17562  578730 8143451


2) Now I switch ruleset to "security" in an offline mode because I am within 15 minute cooldown (pulledpork.offline_security.log attached):
$ ./pulledpork.pl -vv -c pulledpork.conf.new -I security -nP > pulledpork.offline_security.log 2>&1

The log actually reads: "No Rule Changes" even though flowbits are enabled correctly.

A quick grep verifies the security ruleset is enabled:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
    8220  306855 4316129
$ grep '^alert' snort.rules | wc
    8220  306855 4316129


3) Now adding dropsid rules (pulledpork.offline_security_dropsid.log attached):
$ ./pulledpork.pl -vv -c pulledpork.conf.new -I security -nP -b dropsid.conf > pulledpork.offline_security_dropsid.log 2>&1

The log still reads: "No Rule Changes", even though flowbits and rules were dropped.

grep shows rules are enabled and dropped correctly:
# grep -v '^#' snort.rules | grep -v '^$' | wc
    8221  306904 4309991
# grep '^alert' snort.rules | wc
    1423   43967  639409
# grep '^drop' snort.rules | wc
    6798  262937 3670582

4) Now if I switch ruleset back to no policy and no dropSID, clear out the downloaded policies, and rerun with "security" and "dropsid", the counts are correct (pulledpork.online_security_dropsid.log attached):
$ ./pulledpork.pl -vv -c pulledpork.conf.new -nP
$ rm /tmp/snortrules-snapshot-2940.tar.gz* /tmp/emerging.rules.tar.gz* /tmp/opensource.gz*
$ ./pulledpork.pl -vv -c pulledpork.conf.new -I security -b dropsid.conf > pulledpork.online_security_dropsid.log 2>&1

The rule stats now read correctly:
Rule Stats...
New:-------1
Deleted:---1
Enabled Rules:----1423
Dropped Rules:----6798
Disabled Rules:---25391
Total Rules:------33612

And grep shows rules are enabled and dropped correctly:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
    8221  306904 4309991
$ grep '^alert' snort.rules | wc
    1423   43967  639409
$ grep -v '^#' snort.rules | grep -v '^$' | wc
    8221  306904 4309991


Please let me know if this is expected behavior, or if I should file a bug on this.


Thanks!

pulledpork.online_fresh.log
pulledpork.offline_security.log
pulledpork.offline_security_dropsid.log
pulledpork.online_security_dropsid.log
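The grep checks in the post above are the ground truth for what Snort will actually load, regardless of what PulledPork prints under "Rule Stats". The following is an added example, not code from the original post or from the PulledPork project: a POSIX shell script that turns those checks into functions and compares the file contents with the "Enabled Rules" / "Dropped Rules" figures PulledPork reported. The sample snort.rules is constructed inline, and the list of rule-action keywords (alert, drop, pass, log, sdrop, reject) is an assumption made for the example.

```shell
#!/bin/sh
# Added example (not from the original post or PulledPork): recount snort.rules
# and compare with the figures PulledPork printed under "Rule Stats".

# Constructed sample snort.rules so the script runs stand-alone.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
# Constructed sample snort.rules (not a real ruleset)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample alert 1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"sample alert 2"; sid:1000002; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"sample drop 1"; sid:1000003; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"sample disabled"; sid:1000004; rev:1;)

drop ip any any -> any any (msg:"sample drop 2"; sid:1000005; rev:1;)
EOF

# count_rules FILE KIND -> prints how many rules of KIND the file contains.
#   enabled  : uncommented rule lines of any action (keyword list is an assumption)
#   alert    : uncommented lines starting with "alert"  (what "Enabled Rules" showed)
#   drop     : uncommented lines starting with "drop"   (what "Dropped Rules" showed)
#   disabled : commented-out rule lines ("# alert ...", "#drop ...")
count_rules() {
    awk -v kind="$2" '
        /^(alert|drop|pass|log|sdrop|reject)[ \t]/ { enabled++ }
        /^alert[ \t]/ { alert++ }
        /^drop[ \t]/  { drop++ }
        /^#[ \t]*(alert|drop|pass|log|sdrop|reject)[ \t]/ { disabled++ }
        END {
            if (kind == "enabled")       print enabled + 0
            else if (kind == "alert")    print alert + 0
            else if (kind == "drop")     print drop + 0
            else if (kind == "disabled") print disabled + 0
            else { print "unknown kind: " kind > "/dev/stderr"; exit 1 }
        }' "$1"
}

# verify_rule_stats FILE REPORTED_ENABLED REPORTED_DROPPED
# Returns 0 when the reported "Rule Stats" numbers match the file, 1 otherwise.
# In the post, "Enabled Rules" lines up with the alert lines and "Dropped Rules"
# with the drop lines (step 4: 1423 / 6798), so those two counts are compared.
verify_rule_stats() {
    actual_enabled=$(count_rules "$1" alert)
    actual_dropped=$(count_rules "$1" drop)
    status=0
    if [ "$actual_enabled" != "$2" ]; then
        echo "mismatch: Rule Stats reported $2 enabled, snort.rules has $actual_enabled alert rules"
        status=1
    fi
    if [ "$actual_dropped" != "$3" ]; then
        echo "mismatch: Rule Stats reported $3 dropped, snort.rules has $actual_dropped drop rules"
        status=1
    fi
    return $status
}

# Stand-alone run: print the counts for the constructed file and check them
# against what a correct "Rule Stats" block would have reported (2 / 2).
echo "alert=$(count_rules "$SAMPLE_RULES" alert) drop=$(count_rules "$SAMPLE_RULES" drop) disabled=$(count_rules "$SAMPLE_RULES" disabled)"
verify_rule_stats "$SAMPLE_RULES" 2 2 && echo "Rule Stats agree with snort.rules"
```

Against a real deployment you would point `verify_rule_stats` at the snort.rules PulledPork wrote and pass the "Enabled Rules" and "Dropped Rules" numbers from its log; a non-zero exit after an offline (`-nP`) run is the symptom described in the post, where the file changed but the stats did not.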