pulledpork
Rules don't move when broken out
Here's a great example. I have my rules broken out via command line with -k.
Rule 16719 is currently in:
VRT-file-other.rules as rev:3
and
VRT-web-client.rules as rev:2
This rule was moved from web-client to file-other...pulled pork should probably
be able to deal with this.
Original issue reported on code.google.com by [email protected] on 16 Aug 2013 at 2:35
Any thoughts on this? I have over 200 duplicate rules in just the VRT set
alone...
Original comment by [email protected] on 20 Aug 2013 at 12:56
I'm not sure that this is a good idea. We don't touch them now due to the fact
that users have custom rules files etc.
The best idea here would be to track each extracted file (and its contents)..
more logging and disk overhead... but when a file is removed we remove the
file. This will be added to the low priority feature request section.
Suggestion in the meantime is to use the unified rules file. This way you
don't have this issue.
Original comment by [email protected] on 20 Aug 2013 at 2:27
- Changed state: Accepted
- Added labels: Priority-Low, Type-Enhancement
- Removed labels: Priority-Medium, Type-Defect
I have the same issue, even with the default merging of rules into a single
file:
[/etc/snort/rules/pulledpork.rules:21067]
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; content:"POST"; http_method; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; content:"tmp"; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:1;)
[/etc/snort/rules/pulledpork.rules:53273]
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; content:"POST"; http_method; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; content:"tmp"; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:1;)
The duplicates have always been related to the Community set.
Jason "The Snake Roberts" Rochon
Original comment by [email protected] on 7 Nov 2014 at 9:00
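A check for the situation described in the original report and in the last comment, added here as example code that is not part of pulledpork: it indexes every sid across a set of rule files and reports each sid that appears more than once, marking the copy with the highest rev as current and the others as stale. The file names and rule bodies are constructed sample input; only the sid and rev numbers come from this thread.

```python
import re
from collections import defaultdict

# Constructed sample input, not a real ruleset: the two broken-out VRT files
# with sid 16719 at different revs, and a merged file with sid 29831 twice.
SAMPLE_FILES = {
    "VRT-web-client.rules":
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"old home"; sid:16719; rev:2;)\n',
    "VRT-file-other.rules":
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"new home"; sid:16719; rev:3;)\n',
    "pulledpork.rules":
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"dup"; sid:29831; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"dup"; sid:29831; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"unique"; sid:40000; rev:1;)\n',
}

# A rule line starts with a Snort action; comments and disabled rules are skipped.
RULE_RE = re.compile(r'^\s*(?:alert|drop|pass|log|reject|sdrop)\b')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')

def index_sids(files):
    """Map sid -> [(file, line_no, rev)] over every active rule line."""
    index = defaultdict(list)
    for fname, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            head, sid = RULE_RE.match(line), SID_RE.search(line)
            if not head or not sid:
                continue  # blank line, comment, or a rule without a sid
            rev = REV_RE.search(line)
            index[int(sid.group(1))].append((fname, line_no, int(rev.group(1)) if rev else 0))
    return dict(index)

def find_duplicates(files):
    """sids that occur more than once, across files or within one merged file."""
    return {sid: hits for sid, hits in index_sids(files).items() if len(hits) > 1}

def report(dups):
    """One line per copy: sid, rev, current or stale, and where the copy lives."""
    out = []
    for sid, hits in sorted(dups.items()):
        newest = max(rev for _, _, rev in hits)
        for fname, line_no, rev in hits:
            state = "current" if rev == newest else "stale"
            out.append(f"sid:{sid} rev:{rev} {state} {fname}:{line_no}")
    return out

if __name__ == "__main__":
    print("\n".join(report(find_duplicates(SAMPLE_FILES))))
```

To run it over a real rules directory, replace SAMPLE_FILES with a dict built by reading each *.rules file; a stale copy across files is the -k case from the report, and two copies at the same rev in one file is the merged case from the last comment.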