[Oisf-users] Oinkmaster cannot find existing rules
James Moe
jimoe at sohnen-moe.com
Thu Nov 3 23:24:37 UTC 2016
suricata 3.1.2
oinkmaster 2.0
opensuse 42.1
linux linux 4.1.34-33-default x86_64
A little confusion here. Below are three rule modifications in
<oinkmaster.conf>; two of them are ignored because oinkmaster claims
they do not exist. Yet grepping for the rules yields success.
And one rule, 22200006, is modified anyway.
Can any one suggest what might be happening here?
----[ The oinkmaster commands ]----
modifysid drop.rules "^alert (.*ET DROP .*)" | "drop ${1}"
modifysid compromised.rules "^alert (.*ET COMPROMISED .*)" | "drop ${1}"
# 2220006 - "SURICATA SMTP no server welcome message" -- Dictionary attacks
modifysid 2220006 "^alert" | "drop"
# 2402000 - "ET DROP Dshield Block Listed Source group 1"
modifysid 2402000 "^alert" | "drop"
# 2240002 - "SURICATA DNS malformed request data"
modifysid 2240002 "^alert" | "drop"
----[ oinkmaster log entries ]----
Processing downloaded rules... disabled 9, enabled 0, modified 85,
total=23377
WARNING: attempt to use "modifysid" on non-existent SID 2220006
WARNING: attempt to use "modifysid" on non-existent SID 2240002
Setting up rules structures... done.
----[ grep results ]----
$ grep 2220006 suricata/rules/*.rules
suricata/rules/smtp-events.rules:drop smtp any any -> any any
(msg:"SURICATA SMTP no server welcome message";
flow:established,to_client;
app-layer-event:smtp.no_server_welcome_message;
flowint:smtp.anomaly.count,+,1; classtype:protocol-command-decode;
sid:2220006; rev:1;)
$ grep 2240002 suricata/rules/*.rules
suricata/rules/dns-events.rules:alert dns any any -> any any
(msg:"SURICATA DNS malformed request data"; flow:to_client;
app-layer-event:dns.malformed_data; sid:2240002; rev:1;)
--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20161103/361a3661/attachment.sig>
More information about the Oisf-users
mailing list