Hello all,
When I switch security policy (and/or change rules), the "Rule Stats" at the end of the PP run does not give a correct count even though snort.rules has changed.
1) I download a fresh ruleset and apply no policy and no SID changes (pulledpork.online_fresh.log attached):
$ rm /tmp/snortrules-snapshot-2940.tar.gz* /tmp/emerging.rules.tar.gz* /tmp/opensource.gz*
$ ./pulledpork.pl -vv -c pulledpork.conf.new > pulledpork.online_fresh.log 2>&1
Rule Stats...
New:-------1
Deleted:---1
Enabled Rules:----17562
Dropped Rules:----0
Disabled Rules:---16050
Total Rules:------33612
A quick grep verifies the enabled rules:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
17562 578730 8143451
2) Now I switch the ruleset to "security" in offline mode because I am within the 15 minute cooldown (pulledpork.offline_security.log attached):
$ ./pulledpork.pl -vv -c pulledpork.conf.new -I security -nP > pulledpork.offline_security.log 2>&1
The log actually reads: "No Rule Changes" even though flowbits are enabled correctly.
A quick grep verifies the security ruleset is enabled:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
8220 306855 4316129
$ grep '^alert' snort.rules | wc
8220 306855 4316129
3) Now adding dropsid rules (pulledpork.offline_security_dropsid.log attached):
$ ./pulledpork.pl -vv -c pulledpork.conf.new -I security -nP -b dropsid.conf > pulledpork.offline_security_dropsid.log 2>&1
The log still reads: "No Rule Changes", even though flowbits and rules were dropped.
grep shows rules are enabled and dropped correctly:
# grep -v '^#' snort.rules | grep -v '^$' | wc
8221 306904 4309991
# grep '^alert' snort.rules | wc
1423 43967 639409
# grep '^drop' snort.rules | wc
6798 262937 3670582
4) Now if I switch the ruleset back to no policy and no dropSID, clear out the downloaded policies, and rerun with "security" and "dropsid", the counts are correct (pulledpork.online_security_dropsid.log attached):
$ rm /tmp/snortrules-snapshot-2940.tar.gz* /tmp/emerging.rules.tar.gz* /tmp/opensource.gz*
$ ./pulledpork.pl -vv -c pulledpork.conf.new -I security -b dropsid.conf > pulledpork.online_security_dropsid.log 2>&1
The rule stats now read correctly:
Rule Stats...
New:-------1
Deleted:---1
Enabled Rules:----1423
Dropped Rules:----6798
Disabled Rules:---25391
Total Rules:------33612
And grep shows rules are enabled and dropped correctly:
$ grep -v '^#' snort.rules | grep -v '^$' | wc
8221 306904 4309991
$ grep '^alert' snort.rules | wc
1423 43967 639409
Please let me know if this is expected behavior, or whether I should file a bug on this.
Thanks!
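A way to recompute those Rule Stats straight from the generated snort.rules after each run, so the reported counts can be checked against the file independently of what PulledPork prints (an added example, not code from the original post or from PulledPork; the sample rule lines are constructed, and treating a commented-out rule line as a "disabled" rule is an assumption about PulledPork's output layout):

```shell
#!/bin/sh
# Added example (not from the original post or from PulledPork): recompute
# the "Rule Stats" counters directly from a generated snort.rules file.
# Assumptions: one rule per line, and a disabled rule is a rule line that
# PulledPork commented out with a leading '#'.

# count_rules FILE -> "enabled dropped disabled total"
count_rules() {
    enabled=$(grep -c '^alert' "$1" || true)
    dropped=$(grep -c '^drop' "$1" || true)
    disabled=$(grep -Ec '^# *(alert|drop|pass|log|sdrop|reject) ' "$1" || true)
    echo "$enabled $dropped $disabled $((enabled + dropped + disabled))"
}

# sids FILE -> sorted unique SIDs of every rule line, active or disabled
sids() {
    sed -n 's/.*sid: *\([0-9][0-9]*\).*/\1/p' "$1" | sort -u
}

# rule_diff OLD NEW -> "new deleted": SIDs present in only one of the files
rule_diff() {
    old_sids=$(mktemp); new_sids=$(mktemp)
    sids "$1" > "$old_sids"; sids "$2" > "$new_sids"
    added=$(comm -13 "$old_sids" "$new_sids" | wc -l | tr -d ' ')
    removed=$(comm -23 "$old_sids" "$new_sids" | wc -l | tr -d ' ')
    rm -f "$old_sids" "$new_sids"
    echo "$added $removed"
}

# Constructed sample files standing in for snort.rules before and after a
# policy switch (not a real ruleset).
OLD_RULES=$(mktemp); NEW_RULES=$(mktemp)
cat > "$OLD_RULES" <<'EOF'
alert tcp any any -> any 80 (msg:"sample A"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"sample B"; sid:1000002; rev:1;)
# alert tcp any any -> any 22 (msg:"sample C"; sid:1000003; rev:1;)
EOF
cat > "$NEW_RULES" <<'EOF'
# a plain comment line must not be counted as a disabled rule
drop tcp any any -> any 80 (msg:"sample A"; sid:1000001; rev:2;)
# alert tcp any any -> any 443 (msg:"sample B"; sid:1000002; rev:1;)
alert tcp any any -> any 25 (msg:"sample D"; sid:1000004; rev:1;)
EOF

echo "Enabled Dropped Disabled Total: $(count_rules "$NEW_RULES")"
echo "New Deleted: $(rule_diff "$OLD_RULES" "$NEW_RULES")"
```

Pointing the two functions at the snort.rules kept from consecutive runs gives the same four counters and the New/Deleted pair that the Rule Stats block reports, so a mismatch shows up directly.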