[outreachy] Working on Bug #2869

[Vrinda Narayan]

Yes thank you,
I have sent a pull request for this issue on Github. Thank you for your
help. I'm currently looking for more issues to work on in Readmine.
Also I think I forgot to introduce myself.
My name is Vrinda Narayan and I'm an Outreachy Applicant. I'm a CSE
undergraduate and I know python, C, JavaScript and some basic git. I'm
interested in working in the project Improve Suricata-update. I really look
forward to working with Suricata and contributing more to this community.
Warm regards

On Tue, Mar 12, 2019 at 3:54 PM Shivani Bhardwaj <
sbhardwaj at openinfosecfoundation.org> wrote:

> Please do not top post and do a "Reply-all" in all the messages so
> just in case I am not around someone else can help you.
>
> On Tue, Mar 12, 2019 at 1:35 PM Vrinda Narayan <vrinda18120 at iiitd.ac.in>
> wrote:
> >
> > Could you explain to me how exactly would I change a rule to not have a
> gid or sid, or not include a semicolon?
> >
> You do not have to change the rule.
> See below.
>
> A typical rule in Suricata should look like the following.
> drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot
> Nick in IRC (USA +..)”; flow:established,to_server;
> flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK
> .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124;
> classtype:trojan-activity; sid:2008124; rev:2;)
>
> Now somebody by mistake removed the semicolon after defining the
> classtype. Now the rule looks like,
> drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot
> Nick in IRC (USA +..)”; flow:established,to_server;
> flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK
> .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124;
> classtype:trojan-activity sid:2008124; rev:2;)
>
> Read more about rules here:
> https://suricata.readthedocs.io/en/suricata-4.1.3/rules/intro.html
>
> Now since there is no keyword separator (which is semicolon in our
> case) between "classtype" and "sid", it is perceived as one value and
> "sid" is set to None after parsing.
> This on the user end causes the exception mentioned in the bug to
> raise. In order to fix the issue you only need to think from the
> perspective of the person who is running suricata-update. You cannot
> control somebody manually changing a rule file. What you can control
> is the exceptions that are raised on the user end in case something
> inappropriate is parsed.
> Does this make sense?
>
> > On Tue, Mar 12, 2019 at 8:48 AM Shivani Bhardwaj <
> sbhardwaj at openinfosecfoundation.org> wrote:
> >>
> >> Hi, Vrinda!
> >>
> >> On Tue, Mar 12, 2019 at 12:56 AM Vrinda Narayan via Outreachy
> >> <outreachy at lists.openinfosecfoundation.org> wrote:
> >> >
> >> > Heyy,
> >> > Can I start working on Bug #2869?
> >> > Description : Running into an issue when I run 'suricata-update
> --no-merge'.
> >> > Link : https://redmine.openinfosecfoundation.org/issues/2869
> >> > If yes, then can this issue be assigned to me?
> >> >
> >> How do you feel about
> >> https://redmine.openinfosecfoundation.org/issues/2867 instead?
> >>
> >> > Regards
> >> > Vrinda Narayan
> >> > _______________________________________________
> >> > Outreachy mailing list
> >> > Outreachy at lists.openinfosecfoundation.org
> >> > https://lists.openinfosecfoundation.org/listinfo/outreachy
> >>
> >>
> >>
> >> --
> >> Shivani
> >
> >
> >
> > --
> > Vrinda Narayan
>
>
>
> --
> Shivani
>


-- 
Vrinda Narayan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/outreachy/attachments/20190312/7a2096bd/attachment.html>