Netgate Discussion Forum

    Editing snort rules

    pfSense Packages
    40 Posts 6 Posters 13.8k Views
    • yoda715

      I need some input. I'm working on how the rules will be edited right now. I am looking for opinions on how this should be done.

      What I had in mind was opening a small popup window that would allow the user to edit the source, source port, destination, and the destination port. Also in this popup I plan on displaying, but not let it be editable, the content of the signature, and the other goodies.

      My question is: are the majority ok with a small popup? Or should it work similar to editing the firewall rules (i.e. no popup).

      See below

    • hoba

        I would prefer not to have popups and to have it similar to the firewall edit screen.

    • unforeseen

          @hoba:

          I would prefer not to have popups and to have it similar to the firewall edit screen.

          I would agree…BTW, thanks for taking this on! I'm sure there are many users that will find this useful.

    • yoda715

            Ok will do.

    • yoda715

              Alright. I'm done with the code. Anyone want to tell me how I get signed up for CVS to upload files? :)

    • sullrich

                It doesn't work that way.  We want to see the code first, then one of the developers has to "sponsor" you.

    • yoda715

                  Understandable. Who wants to take a look at it?

    • hoba

                    Attach your changes as diffs against the latest versions of the files that you changed here.

    • sullrich

                      If you like, email the new files to sullrich@gmail.com

    • yoda715

                        Alright, emailing is easier than providing diffs :). Sending them right now.

                        2 new files, and 6 modified under the snort package.

    • sullrich

                          Well, I still want diffs of the "existing" files ;)

    • yoda715

                            OK, what program do you use for the diffs? I use ExamDiff.

    • sullrich

                              Unified diffs are what I seek.  Almost any diff program should do this.

    • sullrich

                                Also, how are you dealing with the rule updates?  Are you storing the rules that the user does not want and removing them again after an update?

    • yoda715

                                  I haven't addressed the rule update problem yet. Honestly, that's a mind-boggling challenge. I'm not sure how soon I can have that done.

                                  Actually any suggestions on how to proceed with that would be appreciated :).

    • sullrich

                                    That is easy.

                                    You just want to store the rule description.  If the rule does not have a description then that rule cannot be saved.  Then split all the rule descriptions up and separate with || or something similar.  Then you just read the config value and do something like:

                                    $disabled_rule_descs = explode("||", $config['installedpackages']['snortrules']['disabled_rule_descs']); // explode() splits on the literal "||" separator; split() would treat it as a regular expression

                                    Then you do a striarray (I think that's the function) to check if a rule description is in the item as you traverse the files and write them back out after updating the rules.  Of course this means you'll have to hook into the update code and insert your processing code after the update process is finished.

    • yoda715

                                      Yea, I had thought about that. That only applies to new rules though.

                                      The logic I keep running into problems with is, how do you decide if I should keep an old rule that has been updated? Should I update with the new rule and overwrite the changes made, or keep the old rule?

    • sullrich

                                        You are basically always overwriting rules I would guess.  I am not taking into consideration the editing of rules.

                                        Let me chew on that, you're right, the logic will be somewhat different.

    • yoda715

                                          Yea, it's a tricky thing, hence why I haven't gotten to it yet ;).

                                          Email is coming with the files and diffs. Sorry for flooding your inbox, I got trigger happy and hit the wrong folder  >:(.

    • yoda715

                                            @sullrich:

                                            You are basically always overwriting rules I would guess.  I am not taking into consideration the editing of rules.

                                            Let me chew on that, you're right, the logic will be somewhat different.

                                            This is the only solution that I can see to this problem:

                                            1. If a user clicks update rules, the rules will be downloaded. All new rules will be inserted automatically. Any rules that are being changed, either in the current rule set or the new rule set, will bring up a new webpage. On this new webpage the user will be able to view his current rule, and the new rule in question. They will then be able to decide which rule to keep, the new rule, or the current rule.

                                            2. If autoupdate rules is checked, it will do the same thing and just prompt the user to review the rules in question at a later time.

                                            I think this option works best because it gives the user the ability to examine the new rule and see if anything important changed.

                                            What do you guys think?

                                            If I can ever get snort to run properly, I can start working on this.

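The two mechanisms discussed in this thread, sullrich's "||"-separated list of disabled rule descriptions kept in $config and yoda715's update merge that inserts new rules automatically and asks the user about every rule whose text differs between the installed and downloaded sets, put together as an added example. This is not code from the pfSense Snort package; the config path $config['installedpackages']['snortrules']['disabled_rule_descs'] is the one sullrich names, while matching rules across an update by their sid, the function names and the sample rule text are assumptions made for this example.

```php
<?php
// Added example, not code from the pfSense Snort package. It follows the two
// ideas in this thread: sullrich's "||"-separated list of disabled rule
// descriptions stored in $config (that config path is the one he names), and
// yoda715's merge that inserts new rules automatically and holds back every
// rule whose text differs between the installed and downloaded sets for review.
// Matching rules across an update by sid, the function names and the sample
// rule text are assumptions made for this example.

// Return the value of a rule option such as msg or sid, or null if absent.
function snort_rule_option(string $rule, string $name): ?string {
    $re = '/\b' . preg_quote($name, '/') . ':\s*"?([^";]*)"?\s*;/';
    return preg_match($re, $rule, $m) ? $m[1] : null;
}

// Parse a rules file into an array keyed by sid. Comments and blank lines are
// skipped; a rule without a sid gets a synthetic key so it is not lost.
function snort_parse_rules(string $text): array {
    $rules = [];
    foreach (preg_split('/\r?\n/', $text) as $i => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $sid = snort_rule_option($line, 'sid');
        $rules[$sid ?? "nosid-$i"] = $line;
    }
    return $rules;
}

// Drop every rule whose msg appears in the stored "||"-separated list.
// A rule with no msg cannot be matched by description, so it is kept.
function snort_apply_disabled(array $rules, string $disabled_rule_descs): array {
    $disabled = array_filter(array_map('trim', explode('||', $disabled_rule_descs)));
    return array_filter($rules, function (string $rule) use ($disabled): bool {
        $msg = snort_rule_option($rule, 'msg');
        return $msg === null || !in_array($msg, $disabled, true);
    });
}

// Merge a downloaded rule set into the installed one. New sids are inserted,
// identical rules are left alone, and any sid whose text differs is kept at
// its current text and queued for the user to pick the version to keep.
function snort_merge_updates(array $current, array $new): array {
    $merged = $current;
    $review = [];
    foreach ($new as $sid => $rule) {
        if (!isset($current[$sid])) {
            $merged[$sid] = $rule;
        } elseif ($current[$sid] !== $rule) {
            $review[$sid] = ['current' => $current[$sid], 'new' => $rule];
        }
    }
    return ['rules' => $merged, 'review' => $review];
}

// Constructed sample data: the installed set has sid 1000002 edited locally
// (destination narrowed to one host); the download changes that same rule,
// adds sid 1000004 and leaves the others untouched.
$current_text = <<<'RULES'
# installed rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> 192.0.2.10 80 (msg:"WEB test rule"; sid:1000002; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000003; rev:1;)
RULES;
$new_text = <<<'RULES'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test rule"; sid:1000002; rev:2;)
alert icmp any any -> $HOME_NET any (msg:"ICMP test"; sid:1000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test"; sid:1000004; rev:1;)
RULES;

// The config value as sullrich describes it; the rest of $config is stubbed.
$config = [];
$config['installedpackages']['snortrules']['disabled_rule_descs'] = 'ICMP test||DNS test';

$result = snort_merge_updates(snort_parse_rules($current_text), snort_parse_rules($new_text));
$active = snort_apply_disabled($result['rules'],
    $config['installedpackages']['snortrules']['disabled_rule_descs']);

printf("%d active rules, %d waiting for review\n", count($active), count($result['review']));
foreach ($result['review'] as $sid => $pair) {
    echo "sid $sid\n  current: {$pair['current']}\n  new:     {$pair['new']}\n";
}
foreach ($active as $rule) {
    echo "$rule\n";
}
```

With the constructed data the merge leaves two rules active (the SSH rule and the locally edited web rule, since both ICMP and DNS descriptions are in the disabled list) and queues sid 1000002 for review. Holding back differing rules instead of overwriting them is the point of yoda715's proposal: an automatic update can then neither silently widen a rule the user had tightened nor silently drop a rule the user relies on, and the disabled list survives the update because it is applied after the merge rather than by deleting lines from the downloaded files.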
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.