Syntax for ET categories for drop sid file



  • In the dropsid-sample.conf it looks like the syntax to modify all rules Emerging Threats SMTP to drop traffic instead of alert would be:

    ET-emergingthreats-smtp

    But when I tried to configure this it didn't change the rules. I saw a forum post and found that using:

    emerging-smtp

    accomplished what I wanted. Is this the correct syntax? Should the dropsid-sample.conf file be updated?





  • @jeffh:

    In the dropsid-sample.conf it looks like the syntax to modify all rules Emerging Threats SMTP to drop traffic instead of alert would be:

    ET-emergingthreats-smtp

    But when I tried to configure this it didn't change the rules. I saw a forum post and found that using:

    emerging-smtp

    accomplished what I wanted. Is this the correct syntax? Should the dropsid-sample.conf file be updated?

    The dropsid code uses regular expression pattern matching on the actual rules file name as shown on the CATEGORIES tab.  You must match the name (in lowercase, as well) as shown on the CATEGORIES tab.  You can use parts of the name and get a match, so the more specific you are with the name, the tighter the category file selection will be.  For example, if you put just "smtp", then that would match "emerging-smtp" and "snort_smtp" (just for example assuming a "snort_smtp" were to exist).

    Bill
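To make the matching rule Bill describes concrete, here is an added Python model (not the pfSense Suricata package's own PHP code) of how a list of category patterns from a dropsid.conf selects rules files: a plain regex search against the file name as shown on the CATEGORIES tab, case-sensitive, so partial lowercase names match every file containing them while a name like ET-emergingthreats-smtp matches nothing. The category file names, the "snort_smtp" entry and the treatment of "#" lines as comments are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: category file names as they might appear on the
# CATEGORIES tab.  "snort_smtp.rules" is hypothetical, as in Bill's post.
CATEGORY_FILES = [
    "emerging-smtp.rules",
    "emerging-pop3.rules",
    "emerging-web_server.rules",
    "snort_smtp.rules",
]

# Constructed dropsid.conf contents, one category pattern per line.
# Assumption: lines starting with '#' are comments and blank lines are skipped.
DROPSID_CONF = """
# categories whose rules should be switched from alert to drop
ET-emergingthreats-smtp
emerging-smtp
smtp
SMTP
"""


def parse_dropsid(text: str) -> List[str]:
    """Return the pattern lines of a dropsid.conf, minus comments and blanks."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def match_categories(patterns: List[str], category_files: List[str]) -> Dict[str, List[str]]:
    """Map each pattern to the category files it selects.

    Models the behaviour described in the thread: each pattern is used as a
    regular expression searched (case-sensitively) within the rules file name,
    so a partial name matches every file containing it and a name that is not
    part of any file (or differs in case) matches nothing.
    """
    result: Dict[str, List[str]] = {}
    for pat in patterns:
        rx = re.compile(pat)
        result[pat] = [f for f in category_files if rx.search(f)]
    return result


if __name__ == "__main__":
    for pat, files in match_categories(parse_dropsid(DROPSID_CONF), CATEGORY_FILES).items():
        status = ", ".join(files) if files else "NO MATCH (check the CATEGORIES tab)"
        print(f"{pat:26s} -> {status}")
```

Running it shows that only the lowercase names taken from the CATEGORIES tab select anything, and that the bare "smtp" pattern pulls in both SMTP category files, which is why a more specific name gives tighter control over what is switched to drop.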



  • Trying to modify the dropsid.conf file and having troubles…

    Firstly, running the daily Beta releases. Then on the SID Management tab there are no example.conf files. Trying to add a New file, I input dropsid.conf for a filename and a couple of lines in the body below and then save. After the save, there still is nothing there, nor after exiting and re-entering the GUI.

    I'm about to edit a file outside of the GUI and try the Import function. Any recommendations? Is there a location where the dropsid-example.conf file can be downloaded or pulled out of a distribution? TIA

    edit:
    Tried to create the file offline and import with same result.

    Copied crash report for this activity below:
    Crash report begins.  Anonymous machine information:

    amd64
    10.3-RELEASE-p3
    FreeBSD 10.3-RELEASE-p3 #104 95be4fb(RELENG_2_3): Sun Jun  5 10:51:54 CDT 2016    root@ce23-amd64-builder:/builder/pfsense/tmp/obj/builder/pfsense/tmp/FreeBSD-src/sys/pfSense

    Crash report details:

    PHP Errors:
    [05-Jun-2016 10:50:44 America/Denver] PHP Warning:  move_uploaded_file(/var/db/suricata/sidmods/dropsid.conf): failed to open stream: No such file or directory in /usr/local/www/suricata/suricata_sid_mgmt.php on line 125
    [05-Jun-2016 10:50:44 America/Denver] PHP Stack trace:
    [05-Jun-2016 10:50:44 America/Denver] PHP  1. {main}() /usr/local/www/suricata/suricata_sid_mgmt.php:0
    [05-Jun-2016 10:50:44 America/Denver] PHP  2. move_uploaded_file() /usr/local/www/suricata/suricata_sid_mgmt.php:125
    [05-Jun-2016 10:50:44 America/Denver] PHP Warning:  move_uploaded_file(): Unable to move '/tmp/phpAm5LA8' to '/var/db/suricata/sidmods/dropsid.conf' in /usr/local/www/suricata/suricata_sid_mgmt.php on line 125
    [05-Jun-2016 10:50:44 America/Denver] PHP Stack trace:
    [05-Jun-2016 10:50:44 America/Denver] PHP  1. {main}() /usr/local/www/suricata/suricata_sid_mgmt.php:0
    [05-Jun-2016 10:50:44 America/Denver] PHP  2. move_uploaded_file() /usr/local/www/suricata/suricata_sid_mgmt.php:125

    After investigation, found /var/db/suricata did not exist. Created /var/db/suricata/sidmods. Went back to the GUI and performed the import function again and the template was imported and displayed in the file list and I was able to select it from the Drop SID File section drop-down list.