public inbox for development@lists.ipfire.org
* Re: [PATCH] ids-functions.pl: Fixes bug#13203 - snort community rules not extracted
From: Bernhard Bitsch @ 2023-08-01 10:10 UTC
  To: development


Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>

On 31.07.2023 at 22:46, Adolf Belka wrote:
> - The snort top level directory in the archive has been changed from community.rules
>     to snort3-community.rules so the regex no longer finds the tarball to extract.
> - Modified the regex to include the current snort naming for the top level archive directory
> 
> Fixes: Bug#13203
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
>   config/cfgroot/ids-functions.pl | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
> index d97431b4a..f2b2ffc58 100644
> --- a/config/cfgroot/ids-functions.pl
> +++ b/config/cfgroot/ids-functions.pl
> @@ -572,7 +572,7 @@ sub extractruleset ($) {
>   			# Handle rules files.
>   			} elsif ($file =~ m/\.rules$/) {
>   				# Skip rule files which are not located in the rules directory or archive root.
> -				next unless(($packed_file =~ /^rules\//) || ($packed_file =~ /^$provider-rules\//) || ($packed_file !~ /\//));
> +				next unless(($packed_file =~ /^rules\//) || ($packed_file =~ /^$provider-rules\//) || ($packed_file =~ /^snort3-$provider-rules\//) || ($packed_file !~ /\//));
>   
>   				# Skip deleted.rules.
>   				#
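
Review bot: In the added alternative `($packed_file =~ /^snort3-$provider-rules\//)`, the pattern does not match the directory name given in the commit message: the message says the top-level directory is now `snort3-community.rules`, while the regex accepts `snort3-$provider-rules/`, with a hyphen before `rules`. Please confirm the actual path inside the tarball and make the message and the pattern agree. The `snort3-` prefix is also a vendor-specific literal inside the generic `extractruleset` filter, so a short comment naming the provider it exists for would help. In addition, `$provider` is interpolated unescaped into both patterns that use it; writing `\Q$provider\E` keeps a handle containing regex metacharacters from changing what is accepted.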


* Re: [PATCH] ids-functions.pl: Fixes bug#13203 - snort community rules not extracted
From: Adolf Belka @ 2023-08-01 10:45 UTC
  To: development


Hi All,

Please note that I have dropped this patch in Patchwork as on its own it 
does not fully solve the problem in bug#13203.

It allows the snort community rules file to be extracted and placed into 
/var/lib/suricata and it can then be selected in the customise rules 
table. However, every signature in this rules file then fails when parsed 
by suricata and so none of them end up loaded. So something else is 
different and an additional modification is still needed.

Regards,

Adolf.

On 01/08/2023 12:10, Bernhard Bitsch wrote:
> Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
> 
> On 31.07.2023 at 22:46, Adolf Belka wrote:
>> - The snort top level directory in the archive has been changed from 
>> community.rules
>>     to snort3-community.rules so the regex no longer finds the tarball 
>> to extract.
>> - Modified the regex to include the current snort naming for the top 
>> level archive directory
>>
>> Fixes: Bug#13203
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>>   config/cfgroot/ids-functions.pl | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/config/cfgroot/ids-functions.pl 
>> b/config/cfgroot/ids-functions.pl
>> index d97431b4a..f2b2ffc58 100644
>> --- a/config/cfgroot/ids-functions.pl
>> +++ b/config/cfgroot/ids-functions.pl
>> @@ -572,7 +572,7 @@ sub extractruleset ($) {
>>               # Handle rules files.
>>               } elsif ($file =~ m/\.rules$/) {
>>                   # Skip rule files which are not located in the rules 
>> directory or archive root.
>> -                next unless(($packed_file =~ /^rules\//) || 
>> ($packed_file =~ /^$provider-rules\//) || ($packed_file !~ /\//));
>> +                next unless(($packed_file =~ /^rules\//) || 
>> ($packed_file =~ /^$provider-rules\//) || ($packed_file =~ 
>> /^snort3-$provider-rules\//) || ($packed_file !~ /\//));
>>                   # Skip deleted.rules.
>>                   #
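
Review bot: The widened `next unless(...)` filter only decides which archive members get extracted; nothing in this hunk checks that the extracted file is usable, and the reply above reports that every signature from it then fails when parsed by suricata. Before this is resubmitted, the change should be paired with whatever fix makes the rules load, and the commit message should say how the result was tested beyond extraction (for example that the signatures load in suricata, not only that the file appears in /var/lib/suricata).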

-- 
Sent from my laptop


* [PATCH] ruleset-sources: Adjust download URL for snort community ruleset
From: Stefan Schantl @ 2023-08-01 15:58 UTC
  To: development


Fixes: #13203

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 config/suricata/ruleset-sources | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources
index 592cbedf0..14d1b865f 100644
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -43,7 +43,7 @@ our %Providers = (
 		website => "https://www.snort.org",
 		tr_string => "community rules",
 		requires_subscription => "False",
-		dl_url => "https://www.snort.org/rules/community",
+		dl_url => "https://www.snort.org/downloads/community/community-rules.tar.gz",
 		dl_type => "archive",
 	},
 
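
Review bot: The commit message for the `dl_url` change has no body, only the `Fixes: #13203` tag, so it does not say why `https://www.snort.org/rules/community` is being replaced or what the new `community-rules.tar.gz` contains. Earlier in this thread the extraction patch for the same bug was dropped because the extracted signatures failed to parse in suricata; please state whether the archive at the new URL has a layout that the existing `extractruleset` filter accepts and rules that suricata loads, and how that was tested.
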
-- 
2.39.2

