Stale Suricata ETPro rules…
-
According to this link, the rule that checks the Java version shows that anything not 1.8.0_77 should be flagged as vulnerable:
http://doc.emergingthreats.net/bin/view/Main/2019401
However, the rule in my pfSense box shows !74 instead:
rules/suricata.rules:alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_header; content:!"73"; within:2; http_header; content:!"74"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2019401; rev:10;)
The only rules I've asked pfsense to download are the ETPro rules that I've got a paid subscription to, and I've got pfsense set to update the rules daily. It looks like it isn't downloading from the correct source – where can I look in pfsense to verify it's pulling from the correct place?
-
In 2.2.x, the Rules are in the following folder: (Change i386/amd64 and Snort/Suricata as required)
/usr/pbi/snort-amd64/local/etc/snort/rules/
In 2.3.x, the Rules are in the following folder: (Going by memory on this path)
/usr/local/etc/snort/rules/
You can grep for all the rules for vulnerable Java with the following:
grep "ET POLICY Vulnerable Java Version" /usr/local/etc/snort/rules/*
You will see the ETPro contains sid:2019401. Check to see if that Rule is enabled in your "ET Policy" category setup:
/usr/pbi/snort-amd64/local/etc/snort/rules/etpro-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.4.x Detected"; flow:established,to_server; content:" Java/1.4."; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011584; rev:9;)
/usr/pbi/snort-amd64/local/etc/snort/rules/etpro-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;)
/usr/pbi/snort-amd64/local/etc/snort/rules/etpro-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"113"; within:3; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; reference:url,www.oracle.com/technetwork/java/javase/2col/6u85-bugfixes-2298235.html; classtype:bad-unknown; sid:2011582; rev:41;)
/usr/pbi/snort-amd64/local/etc/snort/rules/etpro-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_header; content:!"99"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; reference:url,java.com/en/download/manual_java7.jsp; classtype:bad-unknown; sid:2014297; rev:41;)
/usr/pbi/snort-amd64/local/etc/snort/rules/etpro-policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_header; content:!"77"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2019401; rev:11;)
If the grep command doesn't show the latest rules, try to "Force Update" and see if that helps. You can also review the log in the "Updates" Tab…
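The grep above only tells you that a rule with that sid exists. To turn it into a repeatable check that the copy on disk is not stale, the following script (an added example, not code from this thread or from the pfSense Suricata/Snort packages) pulls the rev: of an enabled rule out of a rules file, lists the content:!"NN" patch levels the ET Java rules exempt from the alert, and compares the local rev against the rev you expect from doc.emergingthreats.net. The RULES_DIR default is the 2.3.x path given above; the rules file it runs against here is a constructed sample, not a real download.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Suricata package.
# Assumptions: one rule per line (Snort/Suricata text rules); disabled rules are
# commented out with a leading "#", which is how pfSense disables them.

RULES_DIR="${RULES_DIR:-/usr/local/etc/snort/rules}"   # pfSense 2.3.x path from the thread; override via env

# Print the enabled rule line with the given sid, or nothing if absent/disabled.
find_rule() {  # $1 = rules file, $2 = sid
    grep -h "^[^#].* sid:$2;" "$1" 2>/dev/null | head -n 1
}

# Print the rev: number of the enabled rule with the given sid (empty if none).
rule_rev() {  # $1 = rules file, $2 = sid
    find_rule "$1" "$2" | sed -n 's/.* rev:\([0-9]*\);.*/\1/p'
}

# Print the negated content matches, space-separated, e.g. "73 74" for the stale
# rev 10 copy quoted above. For the ET Java rules these are the patch levels
# that are NOT flagged as vulnerable.
rule_exempt_patches() {  # $1 = rules file, $2 = sid
    find_rule "$1" "$2" | grep -o 'content:!"[^"]*"' | sed 's/content:!"\(.*\)"/\1/' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Exit status: 0 = local rev >= expected, 1 = stale, 2 = rule missing or disabled.
check_rule_current() {  # $1 = rules file, $2 = sid, $3 = expected rev
    crc_rev=$(rule_rev "$1" "$2")
    [ -n "$crc_rev" ] || return 2
    [ "$crc_rev" -ge "$3" ] || return 1
    return 0
}

# Constructed sample, not a real download: the stale sid:2019401 quoted in the
# thread plus a disabled (commented-out) rule, so the functions run offline.
write_sample_rules() {  # $1 = destination file
    cat > "$1" <<'EOF'
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Vulnerable Java Version 1.8.x Detected"; flow:established,to_server; content:" Java/1.8.0_"; http_header; content:!"73"; within:2; http_header; content:!"74"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2019401; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_"; http_header; content:!"99"; within:2; http_header; classtype:bad-unknown; sid:2014297; rev:41;)
EOF
}

# Demo against the constructed sample. On a pfSense box, point the functions at
# "$RULES_DIR"/*.rules instead and pass the rev shown for the sid on doc.emergingthreats.net.
sample=$(mktemp)
write_sample_rules "$sample"
for sid in 2019401 2014297; do
    check_rule_current "$sample" "$sid" 11 && rc=0 || rc=$?
    case $rc in
        0) echo "sid:$sid rev:$(rule_rev "$sample" "$sid") is current; exempt patches: $(rule_exempt_patches "$sample" "$sid")" ;;
        1) echo "sid:$sid rev:$(rule_rev "$sample" "$sid") is STALE; exempt patches: $(rule_exempt_patches "$sample" "$sid")" ;;
        *) echo "sid:$sid is missing or disabled in $sample" ;;
    esac
done
rm -f "$sample"
```

Run it after the nightly update (or after a Force Update) and compare the printed rev and exempt patch levels with the rule page on doc.emergingthreats.net: a rev lower than the published one means the rules on disk were not refreshed, regardless of what the Updates tab reports.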
-
Yeah, I know where the rules are (my quote above was taken from one of those files). What I'm asking for is the place where pfsense stores the url it uses to download the rules. I'm wondering if it's pulling the non-pro ruleset instead?
Thanks for the update tab info though … Here's the contents:
Rule Set Name/Publisher: Emerging Threats Pro Rules
MD5 Signature Hash: 487efba060c718f6cf348482790fded1
MD5 Signature Date: Tuesday, 29-Mar-16 00:30:03 PDT
and
Last Update: Mar-29 2016 00:30
Result: success
After I clicked the "Update" button however, the rule file finally updated in the file system.
-
where can I look in pfsense to verify it's pulling from the correct place?
You can refer to Github:
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_defs.inc
https://github.com/pfsense/FreeBSD-ports/blob/devel/security/pfSense-pkg-suricata/files/usr/local/pkg/suricata/suricata_check_for_rule_updates.php
-
Thanks!
It isn't a URL issue – I had thought that maybe it was pulling the non-pro rules, which are not as up to date as the pro versions.
I'll wait for the update to run tonight and check to see if the file timestamps on the rule files update.