[outreachy] Working on Bug #2869
Shivani Bhardwaj
sbhardwaj at openinfosecfoundation.org
Tue Mar 12 10:25:13 UTC 2019
Please do not top post and do a "Reply-all" in all the messages so
that, just in case I am not around, someone else can help you.
On Tue, Mar 12, 2019 at 1:35 PM Vrinda Narayan <vrinda18120 at iiitd.ac.in> wrote:
>
> Could you explain to me how exactly would I change a rule to not have a gid or sid, or not include a semicolon?
>
You do not have to change the rule.
See below.
A typical rule in Suricata should look like the following.
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
Now somebody by mistake removed the semicolon after defining the
classtype. Now the rule looks like,
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity sid:2008124; rev:2;)
Read more about rules here:
https://suricata.readthedocs.io/en/suricata-4.1.3/rules/intro.html
Now since there is no keyword separator (which is semicolon in our
case) between "classtype" and "sid", it is perceived as one value and
"sid" is set to None after parsing.
This, on the user end, causes the exception mentioned in the bug to
be raised. In order to fix the issue you only need to think from the
perspective of the person who is running suricata-update. You cannot
control somebody manually changing a rule file. What you can control
is the exceptions that are raised on the user end in case something
inappropriate is parsed.
Does this make sense?
> On Tue, Mar 12, 2019 at 8:48 AM Shivani Bhardwaj <sbhardwaj at openinfosecfoundation.org> wrote:
>>
>> Hi, Vrinda!
>>
>> On Tue, Mar 12, 2019 at 12:56 AM Vrinda Narayan via Outreachy
>> <outreachy at lists.openinfosecfoundation.org> wrote:
>> >
>> > Heyy,
>> > Can I start working on Bug #2869?
>> > Description : Running into an issue when I run 'suricata-update --no-merge'.
>> > Link : https://redmine.openinfosecfoundation.org/issues/2869
>> > If yes, then can this issue be assigned to me?
>> >
>> How do you feel about
>> https://redmine.openinfosecfoundation.org/issues/2867 instead?
>>
>> > Regards
>> > Vrinda Narayan
>> > _______________________________________________
>> > Outreachy mailing list
>> > Outreachy at lists.openinfosecfoundation.org
>> > https://lists.openinfosecfoundation.org/listinfo/outreachy
>>
>>
>>
>> --
>> Shivani
>
>
>
> --
> Vrinda Narayan
--
Shivani
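Added example (not code from this e-mail thread or from suricata-update itself): a small Python rule-option parser that reproduces the failure described above, splitting the options on semicolons outside double quotes, and then raising a descriptive RuleParseError when the sid is missing or when an unquoted value looks like two keywords run together, instead of letting a later error on a None sid surface. The rule text is the one quoted in the e-mail (with straight quotes); the names RuleParseError, split_options, parse_rule and option are this example's own.

```python
import re

# Constructed sample: the working rule quoted in the e-mail, with the
# archive's smart quotes replaced by straight quotes.
GOOD_RULE = (
    'drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot '
    'Nick in IRC (USA +..)"; flow:established,to_server; '
    'flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK '
    '.*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; '
    'classtype:trojan-activity; sid:2008124; rev:2;)'
)
# The same rule with the ';' after classtype dropped, as in the e-mail.
BAD_RULE = GOOD_RULE.replace("classtype:trojan-activity;", "classtype:trojan-activity")

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


class RuleParseError(ValueError):
    """Raised with a message naming the rule and the problem (hypothetical
    exception type for this example)."""


def split_options(options):
    """Split the option text on ';' separators that sit outside double quotes.
    A backslash-escaped character never toggles the quote state."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in options:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise RuleParseError("unterminated quoted string in rule options")
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts


def option(options, keyword):
    """Return the value of the first option with this keyword, or None."""
    for k, v in options:
        if k == keyword:
            return v
    return None


def parse_rule(rule):
    """Parse one rule into header fields plus an ordered (keyword, value)
    list, validating the sid before anything downstream can touch it."""
    m = HEADER_RE.match(rule)
    if not m:
        raise RuleParseError("not a rule: %r" % rule[:60])
    options = []
    for part in split_options(m.group("options")):
        keyword, _, value = part.partition(":")
        keyword, value = keyword.strip(), value.strip() or None
        # An unquoted value that itself contains 'word:' almost always means
        # the ';' between two keywords was lost (exactly the case in the bug).
        if value and not value.startswith('"') and re.search(r"\s\w+:", value):
            raise RuleParseError(
                "option %r has value %r; missing ';' before the next keyword?"
                % (keyword, value))
        options.append((keyword, value))
    sid = option(options, "sid")
    if sid is None:
        raise RuleParseError("rule has no sid: %r" % rule[:60])
    if not sid.isdigit():
        raise RuleParseError("sid %r is not a positive integer" % sid)
    return {"action": m.group("action"), "proto": m.group("proto"),
            "direction": m.group("dir"), "sid": int(sid), "options": options}


if __name__ == "__main__":
    print(parse_rule(GOOD_RULE)["sid"])
    try:
        parse_rule(BAD_RULE)
    except RuleParseError as err:
        print("rejected:", err)
```

Running it prints the sid of the intact rule and then the rejection message for the broken one, which names the "classtype" option and its run-together value; that message is what a suricata-update user would want to see instead of a bare traceback.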