Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    change action for all ruleset categories except one (via regex?) in dropsid.conf

    Scheduled Pinned Locked Moved
    IDS/IPS
    2
    6
    389
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • tinfoilmattT
      tinfoilmatt
      last edited by tinfoilmatt

      if "emerging" is specificed in dropsid.conf, all ET rules from all categories have their action changed from ALERT to DROP. now how can emerging-info.rules be excluded? is it possible using regex?

      replacing "emerging" with any of the following expressions fails (but the rest of dropsid.conf succeeds):

      emerging-
      emerging-(?!inf).+
      emerging-(?!inf)\w+
      emerging-(?!inf)\w+.+
      emerging-(?!inf)\w+.rules

      emerging\-
      emerging\-(?!inf).+
      emerging\-(?!inf)\w+
      emerging\-(?!inf)\w+.+
      emerging\-(?!inf)\w+.rules

      prefixing "emerging" with the keyword "pcre:" behaves the same as "emerging": all ET rules from all categories have their action changed from ALERT to DROP. but prefixing any of the above expressions with "pcre:" fails (and still the rest of dropsid.conf succeeds).

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        No, the dropsid.conf logic is not expecting regex in the names. It is looking for a complete category name, a specific SID, or a SID range.

        Just enter the specific Emerging Threats files you want in the list by name. It will take a few minutes to type or paste in, but then your done.

        tinfoilmattT 1 Reply Last reply Reply Quote 0
        • tinfoilmattT
          tinfoilmatt @bmeeks
          last edited by tinfoilmatt

          hey @bmeeks, thanks for the quick reply. thought that might be the case after seeing this thread. would have to agree with @Gblenn however that there is a legitimate use case to change rule action to DROP selectively by category via dropsid.conf, given the package's ruleset and SID MGMT processing 'order of operations'.

          in this case working with the ET ruleset—and the goal is to change action for all rule categories to DROP while excluding only a few such as Deleted, Info, Hunting, and JA3 for example. you maintain the most effective way to accomplish that is to type out all 53 categories save for the ones to be excluded? ditto for the 68 current Snort categories?

          bmeeksB 1 Reply Last reply Reply Quote 0
          • bmeeksB
            bmeeks @tinfoilmatt
            last edited by bmeeks

            @cyberconsultants said in change action for all ruleset categories except one (via regex?) in dropsid.conf:

            you maintain the most effective way to accomplish that is to type out all 53 categories save for the ones to be excluded? ditto for the 68 current Snort categories?

            No, not saying it is the most effective way -- just that currently it is the only way the PHP code as currently written in the package works.

            I am a volunteer maintainer for the package and receive no compensation for my efforts. However, it is completely open source and pull requests are accepted for improvements. The Netgate GitHub project for the PHP GUI portion of the package can be found here: https://github.com/pfsense/FreeBSD-ports/tree/devel/security/pfSense-pkg-snort.

            I should also mention that the Snort package on pfSense is currently based on Snort 2.9.x and not the more recent and current 3.x branch. There is currently no effort that I am aware of to create a Snort3 package. Thus, unless someone takes up that mantle to create a Snort3 package, once Talos/Cisco upstream drops support of Snort 2.9.x, then the pfSense Snort package will disappear. I've been concentrating most of my efforts on Suricata.

            tinfoilmattT 1 Reply Last reply Reply Quote 0
            • tinfoilmattT
              tinfoilmatt @bmeeks
              last edited by

              @bmeeks your efforts are well known and appreciated by a wide range of communities across both softwares and their respective pfSense packages, Bill! didn't mean to come across as ungrateful. was more so continuing what seemed like the discussion from the other thread i linked. my apologies.

              just realizing it hasn't yet been mentioned that this has all been within the Suricata package.

              and we did have a look at what we think is the dropsid.conf parser function while trying to determine if the regex efforts were futile, but frankly lack the skill to decipher it.

              would you consider this a legitimate Suricata feature request? a regex subparser included in both the modifysid.conf and dropsid.conf files? it would greatly enhance the functionality of both, advanced 'find and replace' with the former, and action management by rule category (etc.) with the latter, as just two examples.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                It might be useful, but trying to incorporate regex parsing where you accept others' regex arguments has proven to be "prickly" in PHP. It seems hard to handle the escape codes properly.

                You will note that the current code uses regex parsing itself, but those expressions are built into the code. They are not being supplied by the user. That's the part that has proven hard to get right (at least for me). I've had to modify the code around modify.sid at least twice as I recall in both packages because users complained about the implementation. It centered around properly detecting escape delimiters and the behavior of them when the regex was evaluated within PHP.

                So, long story shortened a bit, I'm not enough of a regex expert (far, far from one, actually) to have confidence I would get such code working correctly in all situations.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post