[outreachy] Working on Bug #2869

[Shivani Bhardwaj]

On Tue, Mar 12, 2019 at 5:19 PM Vrinda Narayan <vrinda18120 at iiitd.ac.in> wrote:
>
> Yes thank you,
Please do not top post.

> I have sent a pull request for this issue on Github. Thank you for your help. I'm currently looking for more issues to work on in Readmine.
Thanks. We shall review it soon.

> Also I think I forgot to introduce myself.
> My name is Vrinda Narayan and I'm an Outreachy Applicant. I'm a CSE undergraduate and I know python, C, JavaScript and some basic git. I'm interested in working in the project Improve Suricata-update. I really look forward to working with Suricata and contributing more to this community.

Great to have you here.

> Warm regards
>
> On Tue, Mar 12, 2019 at 3:54 PM Shivani Bhardwaj <sbhardwaj at openinfosecfoundation.org> wrote:
>>
>> Please do not top post and do a "Reply-all" in all the messages so
>> just in case I am not around someone else can help you.
>>
>> On Tue, Mar 12, 2019 at 1:35 PM Vrinda Narayan <vrinda18120 at iiitd.ac.in> wrote:
>> >
>> > Could you explain to me how exactly would I change a rule to not have a gid or sid, or not include a semicolon?
>> >
>> You do not have to change the rule.
>> See below.
>>
>> A typical rule in Suricata should look like the following.
>> drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot
>> Nick in IRC (USA +..)”; flow:established,to_server;
>> flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK
>> .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124;
>> classtype:trojan-activity; sid:2008124; rev:2;)
>>
>> Now somebody by mistake removed the semicolon after defining the
>> classtype. Now the rule looks like,
>> drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN Likely Bot
>> Nick in IRC (USA +..)”; flow:established,to_server;
>> flowbits:isset,is_proto_irc; content:”NICK “; pcre:”/NICK
>> .*USA.*[0-9]{3,}/i”; reference:url,doc.emergingthreats.net/2008124;
>> classtype:trojan-activity sid:2008124; rev:2;)
>>
>> Read more about rules here:
>> https://suricata.readthedocs.io/en/suricata-4.1.3/rules/intro.html
>>
>> Now since there is no keyword separator (which is semicolon in our
>> case) between "classtype" and "sid", it is perceived as one value and
>> "sid" is set to None after parsing.
>> This on the user end causes the exception mentioned in the bug to
>> raise. In order to fix the issue you only need to think from the
>> perspective of the person who is running suricata-update. You cannot
>> control somebody manually changing a rule file. What you can control
>> is the exceptions that are raised on the user end in case something
>> inappropriate is parsed.
>> Does this make sense?
>>
>> > On Tue, Mar 12, 2019 at 8:48 AM Shivani Bhardwaj <sbhardwaj at openinfosecfoundation.org> wrote:
>> >>
>> >> Hi, Vrinda!
>> >>
>> >> On Tue, Mar 12, 2019 at 12:56 AM Vrinda Narayan via Outreachy
>> >> <outreachy at lists.openinfosecfoundation.org> wrote:
>> >> >
>> >> > Heyy,
>> >> > Can I start working on Bug #2869?
>> >> > Description : Running into an issue when I run 'suricata-update --no-merge'.
>> >> > Link : https://redmine.openinfosecfoundation.org/issues/2869
>> >> > If yes, then can this issue be assigned to me?
>> >> >
>> >> How do you feel about
>> >> https://redmine.openinfosecfoundation.org/issues/2867 instead?
>> >>
>> >> > Regards
>> >> > Vrinda Narayan
>> >> > _______________________________________________
>> >> > Outreachy mailing list
>> >> > Outreachy at lists.openinfosecfoundation.org
>> >> > https://lists.openinfosecfoundation.org/listinfo/outreachy
>> >>
>> >>
>> >>
>> >> --
>> >> Shivani
>> >
>> >
>> >
>> > --
>> > Vrinda Narayan
>>
>>
>>
>> --
>> Shivani
>
>
>
> --
> Vrinda Narayan



-- 
Shivani