[Oisf-users] Oinkmaster cannot find existing rules

James Moe jimoe at sohnen-moe.com
Thu Nov 3 23:24:37 UTC 2016


suricata 3.1.2
oinkmaster 2.0
opensuse 42.1
linux linux 4.1.34-33-default x86_64

  A little confusion here. Below are three rule modifications in
<oinkmaster.conf>; two of them are ignored because oinkmaster claims
they do not exist. Yet grepping for the rules yields success.
  And one rule, 22200006, is modified anyway.
  Can anyone suggest what might be happening here?


----[ The oinkmaster commands ]----
modifysid drop.rules "^alert (.*ET DROP .*)" | "drop ${1}"
modifysid compromised.rules "^alert (.*ET COMPROMISED .*)" | "drop ${1}"
# 2220006 - "SURICATA SMTP no server welcome message" -- Dictionary attacks
modifysid 2220006 "^alert" | "drop"
# 2402000 - "ET DROP Dshield Block Listed Source group 1"
modifysid 2402000 "^alert" | "drop"
# 2240002 - "SURICATA DNS malformed request data"
modifysid 2240002 "^alert" | "drop"

----[ oinkmaster log entries ]----
Processing downloaded rules... disabled 9, enabled 0, modified 85,
total=23377
WARNING: attempt to use "modifysid" on non-existent SID 2220006
WARNING: attempt to use "modifysid" on non-existent SID 2240002
Setting up rules structures... done.

----[ grep results ]----
$ grep 2220006   suricata/rules/*.rules
suricata/rules/smtp-events.rules:drop smtp any any -> any any
(msg:"SURICATA SMTP no server welcome message";
flow:established,to_client;
app-layer-event:smtp.no_server_welcome_message;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode;
sid:2220006; rev:1;)

$ grep 2240002   suricata/rules/*.rules
suricata/rules/dns-events.rules:alert dns any any -> any any
(msg:"SURICATA DNS malformed request data"; flow:to_client;
app-layer-event:dns.malformed_data; sid:2240002; rev:1;)

-- 
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
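As an added example that is not part of the original post (and not oinkmaster's or Suricata's own code), here is a small Python script that indexes rule files by SID and reports, for each SID a modifysid line targets, whether the rule is present, commented out, still an alert, or already a drop. The sample rule text is constructed from the grep output in the post; the file names, the extra commented-out rule and the SID 9999999 are assumptions made for the example.

```python
import re
from typing import Dict, Iterable

# Constructed sample rule files, modelled on the grep output in the post.
# The commented-out rule (sid 9999999) is invented to show the "disabled" case.
SAMPLE_RULE_FILES: Dict[str, str] = {
    "smtp-events.rules": (
        'drop smtp any any -> any any (msg:"SURICATA SMTP no server welcome message"; '
        'flow:established,to_client; app-layer-event:smtp.no_server_welcome_message; '
        'flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode; '
        'sid:2220006; rev:1;)\n'
    ),
    "dns-events.rules": (
        'alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; '
        'flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)\n'
        '# alert dns any any -> any any (msg:"CONSTRUCTED disabled rule"; '
        'sid:9999999; rev:1;)\n'
    ),
}

# One Suricata rule per line: optional leading "#" (disabled rule), the action
# keyword, then somewhere in the option block "sid:<number>;".
RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|pass|reject|log)\s+\S.*?"
    r"\bsid\s*:\s*(?P<sid>\d+)\s*;"
)


def index_rules(rule_files: Dict[str, str]) -> Dict[int, dict]:
    """Map every SID found in the given files to its file, line, action and state."""
    index: Dict[int, dict] = {}
    for fname, text in rule_files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = RULE_RE.match(line)
            if not m:
                continue
            index[int(m.group("sid"))] = {
                "file": fname,
                "line": lineno,
                "action": m.group("action"),
                "disabled": m.group("disabled") is not None,
            }
    return index


def check_modifysid_targets(rule_files: Dict[str, str],
                            sids: Iterable[int]) -> Dict[int, str]:
    """Classify each targeted SID: missing, disabled, already drop, or alert."""
    index = index_rules(rule_files)
    report: Dict[int, str] = {}
    for sid in sids:
        entry = index.get(sid)
        if entry is None:
            report[sid] = "missing"          # grep would also find nothing
        elif entry["disabled"]:
            report[sid] = "disabled"         # present, but commented out
        elif entry["action"] == "drop":
            report[sid] = "already drop"     # "^alert" -> "drop" has nothing to match
        else:
            report[sid] = "alert"            # a live candidate for modifysid
    return report


if __name__ == "__main__":
    # SIDs taken from the modifysid lines in the post, plus the constructed one.
    for sid, state in check_modifysid_targets(
            SAMPLE_RULE_FILES, [2220006, 2240002, 2402000, 9999999]).items():
        print(f"sid {sid}: {state}")
```

Run against a real rules directory by replacing SAMPLE_RULE_FILES with the contents of each `*.rules` file; comparing this report with the oinkmaster WARNING lines shows at a glance which SIDs are genuinely absent, which are commented out, and which are already `drop` so that a `"^alert" | "drop"` modification has nothing to change.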
