Comments (6)
So it is different than other tools.. Better? Worse? I'm not sure yet. The order is disable, then enable on a per rule basis.
foreach rule:
if rule matches a disable filter then disable
if rule matches enable filter then enable
Using your files above, I see some deleted rules being enabled as well. The regular expressions are case insensitive - perhaps that is wrong. So "re:^[^#].* EXPLOIT .*" is matching some. Is it reasonable to tighten up the regular expressions a little? For instance, to enable the EXPLOIT rules:
re:msg:"(\w)+ EXPLOIT
to enable all ET, ETPRO and GPL exploit rules?
I'm curious to hear your thoughts on what could make this better.
You're right. I cleaned up my regex and they are much better.
Previously I was using scirius and I prefer rulecat. It isn't bad behavior, I just didn't know where the problem was because I didn't know what order the files were evaluated. Once upon a time I was a developer but I'm so far removed I forget I can look at the source myself... ID10T error.
Thank you,
Joseph Barkley
On Mar 10, 2016, at 4:32 PM, Jason Ish [email protected] wrote:
So it is different than other tools.. Better? Worse? I'm not sure yet. The order is disable, then enable on a per rule basis.
foreach rule:
if rule matches a disable filter then disable
if rule matches enable filter then enable
Using your files above, I see some deleted rules being enabled as well. The regular expressions are case insensitive - perhaps that is wrong. So "re:^[^#].* EXPLOIT .*" is matching some. Is it reasonable to tighten up the regular expressions a little? For instance, to enable the EXPLOIT rules:
re:msg:"(\w)+ EXPLOIT
to enable all ET, ETPRO and GPL exploit rules?
I'm curious to hear your thoughts on what could make this better.
No worries. To be fair, it's a little different than the other tools and it's not documented as such. I'm not sure, but I think I prefer it.. Time will tell, and user comments.
Closing for now. Thanks.
Hey. Just wanted to run something else by you on this topic. I disable everything and then re-enable based on category. Not sure if there's a better way of doing this or not, but...
If I do a count of rules that have "DELETED" in them (which is basically one determining factor of rule that I never want enabled) I have 58. Now, I'm admittedly not an expert on this particular subject, so maybe you can convince me otherwise, but I'd also say that if a rule has a flowbit dependency on a DELETED rule it is likely to cause false positives and should also be disabled.
I'm not sure how this would be handled from a logic standpoint. Special syntax for an "Always disable no matter what" rule in the disable file, which could then be trumped by a similar "always enable no matter what" syntax in the enable file? I don't really like that idea but am coming up short on an alternative.
I can always go in and find the deleted rules and threshold them, but that would require some regular intervention and I'd like to not have those rules even being processed. If you think the above approach is the way to go let me know. I'll try to find some time to work on it and do a pull request. If you have a different idea I'm also interested. I think my idea will get ugly. really. fast.
Both of these have come up in discussions with other people, so it's about time I address them.
As for deleted.rules, I think a list of files to completely ignore is in order, with a default set to "deleted.rules". This would make it impossible for these rules to be enabled. This is more of something I just haven't done yet.
The more interesting problem is forcing something always off or always on despite what other patterns or flowbit resolution would do. I was thinking of something like "1:2019401!" where the exclamation mark means leave this rule enabled/disabled no matter what!
Comments welcome.
I like the ! idea. I'd say that if you have a rule or expression with that, the flowbit behavior is to disable any dependent rules. You may have meant that already but just figured I'd throw that in there.
Thanks,
jb
On Apr 1, 2016, at 6:02 PM, Jason Ish [email protected] wrote:
Both of these have come up in discussions with other people, so it's about time I address them.
As for deleted.rules, I think a list of files to completely ignore is in order, with a default set to "deleted.rules". This would make it impossible for these rules to be enabled. This is more of something I just haven't done yet.
The more interesting problem is forcing something always off or always on despite what other patterns or flowbit resolution would do. I was thinking of something like "1:2019401!" where the exclamation mark means leave this rule enabled/disabled no matter what!
Comments welcome.
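To make the behaviour discussed in this thread concrete, here is an added Python model of the rule-filtering steps: the disable-then-enable order per rule, the effect of case-insensitive versus tightened regexes (first exchange), and the proposed ignore list for deleted.rules, the "!" force marker and flowbit-dependency disabling (later exchange). It is illustration code written for this thread, not py-idstools' own rulecat implementation, which may resolve things differently. The filter shapes "gid:sid" and "re:<regex>" mirror the thread; the trailing "!" is a guess at the proposed syntax, and the ignore_case switch, the ignore_files parameter, the filenames and all sample rules are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rule files, not the project's own data. A leading '#' marks a
# rule that ships disabled. Filenames are assumed; sids are in the local range.
SAMPLE_FILES = {
    "emerging-exploit.rules": [
        'alert tcp any any -> any any (msg:"ET EXPLOIT Sample A sets a flowbit"; flowbits:set,sample.stage1; sid:1000001; rev:1;)',
        'alert tcp any any -> any any (msg:"ET EXPLOIT Sample B needs the flowbit"; flowbits:isset,sample.stage1; sid:1000002; rev:1;)',
        '#alert tcp any any -> any any (msg:"GPL EXPLOIT Sample C off by default"; sid:1000003; rev:1;)',
        'alert tcp any any -> any any (msg:"ET POLICY Sample D says exploit in lower case"; sid:1000004; rev:1;)',
    ],
    "deleted.rules": [
        'alert tcp any any -> any any (msg:"ET DELETED Sample E old EXPLOIT attempt"; sid:1000005; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
FLOWBITS_RE = re.compile(r"\bflowbits:\s*(set|isset|isnotset|unset|toggle)\s*,\s*([\w.]+)")


@dataclass
class Rule:
    filename: str
    raw: str                      # the line as it appears in the file, '#' included
    sid: int
    enabled: bool
    sets: set = field(default_factory=set)    # flowbits this rule sets
    checks: set = field(default_factory=set)  # flowbits this rule requires (isset)
    locked: bool = False          # '!' filter or ignored file: later steps must not flip it


def parse_rule(filename, line):
    enabled = not line.lstrip().startswith("#")
    sid = int(SID_RE.search(line).group(1))
    rule = Rule(filename, line, sid, enabled)
    for action, name in FLOWBITS_RE.findall(line):
        if action in ("set", "toggle"):
            rule.sets.add(name)
        elif action == "isset":
            rule.checks.add(name)
    return rule


def filter_matches(spec, rule, ignore_case=False):
    """Return (matched, forced). Specs follow the shapes used in the thread:
    'gid:sid' and 're:<regex>', optionally with the proposed trailing '!'
    (an assumption about that syntax). Regexes run against the raw line, so
    '^[^#]' can tell a commented-out rule from a live one."""
    forced = spec.endswith("!")
    if forced:
        spec = spec[:-1]
    if spec.startswith("re:"):
        flags = re.IGNORECASE if ignore_case else 0
        return re.search(spec[3:], rule.raw, flags) is not None, forced
    gid, sid = spec.split(":")
    return gid == "1" and int(sid) == rule.sid, forced   # only gid 1 is modelled here


def resolve_flowbits(rules):
    """The thread's suggestion: a rule whose required flowbit has no enabled
    setter left is disabled too, unless it was locked with '!'. Repeat until
    nothing changes so chains of dependent rules fall over together."""
    changed = True
    while changed:
        changed = False
        live_bits = {b for r in rules if r.enabled for b in r.sets}
        for r in rules:
            if r.enabled and not r.locked and r.checks - live_bits:
                r.enabled = False
                changed = True


def apply_filters(files, disable, enable, ignore_files=("deleted.rules",), ignore_case=False):
    """Per rule: ignored file -> off and locked; then every disable filter, then
    every enable filter; finally flowbit resolution. Returns {sid: enabled}."""
    rules = [parse_rule(fn, line) for fn, lines in files.items() for line in lines]
    for rule in rules:
        if rule.filename in ignore_files:
            rule.enabled, rule.locked = False, True   # nothing can bring these back
            continue
        for spec in disable:
            matched, forced = filter_matches(spec, rule, ignore_case)
            if matched and not rule.locked:
                rule.enabled, rule.locked = False, forced
        for spec in enable:
            matched, forced = filter_matches(spec, rule, ignore_case)
            if matched and not rule.locked:
                rule.enabled, rule.locked = True, forced
    resolve_flowbits(rules)
    return {r.sid: r.enabled for r in rules}


if __name__ == "__main__":
    loose = apply_filters(SAMPLE_FILES, ["re:.*"], ["re:^[^#].* EXPLOIT .*"],
                          ignore_files=(), ignore_case=True)
    print("loose, case-insensitive, no ignore list:", loose)   # D and the DELETED rule come on
    tight = apply_filters(SAMPLE_FILES, ["re:.*"], [r're:msg:"\w+ EXPLOIT '])
    print("tightened regex, deleted.rules ignored:", tight)
    forced = apply_filters(SAMPLE_FILES, ["re:.*", "1:1000001!"], [r're:msg:"\w+ EXPLOIT '])
    print("A forced off, so dependent B goes off too:", forced)
```

Two design choices worth noting: a forced disable is applied before the enable file is read, so it cannot be undone by an enable pattern, while a forced enable survives flowbit resolution; and rules from an ignored file are locked off before any filter runs, so even "1:1000005!" in the enable file leaves the DELETED rule off, which is the "impossible to enable" property the ignore list is meant to give.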