
Unable to ignore ET Pro rulesets #169

Open
GoogleCodeExporter opened this issue Apr 23, 2015 · 5 comments
Labels: bug (Known bug in the code.)

Comments

@GoogleCodeExporter

Made the switch from ET Open to ET Pro. Using PP7.0, command line is here:

/opt/bin/pulledpork.pl -v -l -P -c /opt/etc/snort/pp.conf

ignore=emerging-policy.rules doesn't work:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: emerging-policy.rules
        Extracted: /tha_rules/ET-policy.rules

grep 2012889 ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2;)

ignore=ET-policy.rules doesn't work:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: ET-policy.rules
        Extracted: /tha_rules/ET-policy.rules

grep 2012889 ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2;)

ignore=et-policy doesn't work:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: et-policy.rules
        Extracted: /tha_rules/ET-policy.rules

grep 2012889 ~/snort/rules/rules.rules
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client Body contains pw= in cleartext"; flow:established,to_server; content:"pw="; nocase; http_client_body; classtype:policy-violation; sid:2012889; rev:2;)

ignore=policy.rules does:

Prepping rules from etpro.rules.tar.gz for work....
        extracting contents of /tmp/etpro.rules.tar.gz...
        Ignoring plaintext rules: policy.rules

grep 2012889 ~/snort/rules/rules.rules

This however nukes the VRT-policy.rules:

Prepping rules from snortrules-snapshot-2970.tar.gz for work....
        extracting contents of /tmp/snortrules-snapshot-2970.tar.gz...
        Ignoring plaintext rules: policy.rules

How does one manage to do this with PP?  Thank you.

Original issue reported on code.google.com by [email protected] on 17 Feb 2015 at 5:46
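The over-matching the report describes (ignore=policy.rules silencing ET-policy.rules but also the VRT policy.rules) comes down to how an ignore entry is compared with a file name. The following Python is an added illustration, not PulledPork's own code: it models two archives with constructed contents, applies an ignore list with substring matching beside exact basename matching, and checks the merged result by sid the way the report does with grep. The emerging- to ET- rename and the matching against the renamed basename are assumptions drawn from the report's "Extracted: /tha_rules/ET-policy.rules" line; PulledPork's actual comparison logic is not reproduced here.

```python
"""Added example: substring vs. exact matching of an ignore list over
rule files from two archives, verified by sid. Illustrative Python only,
not PulledPork's Perl code."""
import os
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

RuleFiles = Dict[str, List[str]]

# Constructed stand-ins for the two tarballs in the report
# (path inside the archive -> rule lines). Only sid 2012889 and its rule
# text come from the report; the other three rules are made-up fillers.
ETPRO_TARBALL: RuleFiles = {
    "rules/emerging-policy.rules": [
        'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET POLICY Http Client '
        'Body contains pw= in cleartext"; flow:established,to_server; '
        'content:"pw="; nocase; http_client_body; '
        'classtype:policy-violation; sid:2012889; rev:2;)',
    ],
    "rules/emerging-trojan.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN constructed '
        'filler"; sid:2099999; rev:1;)',
    ],
}
VRT_TARBALL: RuleFiles = {
    "rules/policy.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY constructed '
        'filler"; sid:1999999; rev:1;)',
    ],
    "rules/malware-cnc.rules": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC '
        'constructed filler"; sid:1999998; rev:1;)',
    ],
}


def final_name(archive_path: str) -> str:
    """Name the file ends up with in the output directory. The emerging- to
    ET- rename is an assumption based on the report's 'Extracted:
    /tha_rules/ET-policy.rules' line; other files keep their basename."""
    return re.sub(r"^emerging-", "ET-", os.path.basename(archive_path))


def matches_substring(name: str, ignores: Iterable[str]) -> bool:
    """Loose matching: an entry hits every name that contains it, so
    'policy.rules' hits ET-policy.rules and the VRT policy.rules alike."""
    return any(entry in name for entry in ignores)


def matches_exact(name: str, ignores: Iterable[str]) -> bool:
    """Strict matching: an entry must equal the whole output basename."""
    return name in set(ignores)


def merge_rulesets(
    ignores: List[str],
    matcher: Callable[[str, Iterable[str]], bool],
    tarballs: Tuple[RuleFiles, ...] = (ETPRO_TARBALL, VRT_TARBALL),
) -> RuleFiles:
    """Extract every archive into one output set, skipping files the
    matcher flags. Matching is done on the renamed basename (assumption)."""
    kept: RuleFiles = {}
    for tarball in tarballs:
        for archive_path, lines in tarball.items():
            name = final_name(archive_path)
            if matcher(name, ignores):
                continue
            kept.setdefault(name, []).extend(lines)
    return kept


SID_RE = re.compile(r"\bsid:(\d+);")


def find_sid(kept: RuleFiles, sid: str) -> Optional[str]:
    """The report's check ('grep 2012889 rules.rules'), done on the sid
    keyword rather than a bare substring so a rev or port number cannot
    produce a false hit. Returns the file holding the rule, or None."""
    for name, lines in kept.items():
        for line in lines:
            m = SID_RE.search(line)
            if m and m.group(1) == sid:
                return name
    return None


if __name__ == "__main__":
    loose = merge_rulesets(["policy.rules"], matches_substring)
    print("substring 'policy.rules' -> ET sid 2012889 in:", find_sid(loose, "2012889"),
          "| VRT sid 1999999 in:", find_sid(loose, "1999999"))
    strict = merge_rulesets(["ET-policy.rules"], matches_exact)
    print("exact 'ET-policy.rules'   -> ET sid 2012889 in:", find_sid(strict, "2012889"),
          "| VRT sid 1999999 in:", find_sid(strict, "1999999"))
```

With substring matching the single entry policy.rules removes both policy files, which is the "nukes the VRT-policy.rules" outcome from the report; with exact basename matching ET-policy.rules is dropped and the VRT policy.rules survives. Whichever behaviour a tool implements, the sid lookup over the merged output is the check that tells you which one you actually got.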

@shirkdog
Owner

shirkdog commented Dec 1, 2015

I now have the ability to test all rulesets, it appears ignoring is not currently working for anything. This will be the use-case for how things should be working.

@shirkdog shirkdog modified the milestones: 0.7.3, 0.7.2 Release Jul 12, 2016
@shirkdog
Owner

For now, moving this to 0.7.3, as this will take longer to resolve.

@shirkdog shirkdog modified the milestones: 0.7.3, 0.7.4 Oct 14, 2017