public inbox for development@lists.ipfire.org
From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] ids-functions.pl: Fixes bug#13203 - snort community rules not extracted
Date: Tue, 01 Aug 2023 12:45:59 +0200
Message-ID: <a2a29255-4bc7-8b5e-ea1a-a8d54ca71aa3@ipfire.org>
In-Reply-To: <4e2ba315-687a-96a7-7b0d-eee260be49d3@ipfire.org>

Hi All,

Please note that I have dropped this patch in Patchwork as on its own it 
does not fully solve the problem in bug#13203.

It allows the snort community rules file to be extracted and placed into 
/var/lib/suricata and it can then be selected in the customise rules 
table. However, every signature in this rules file then fails when parsed 
by suricata and so none of them end up loaded. So something else is 
different and an additional modification is still needed.

Regards,

Adolf.

On 01/08/2023 12:10, Bernhard Bitsch wrote:
> Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
> 
> On 31.07.2023 at 22:46, Adolf Belka wrote:
>> - The snort top level directory in the archive has been changed from 
>> community.rules
>>     to snort3-community.rules so the regex no longer finds the tarball 
>> to extract.
>> - Modified the regex to include the current snort naming for the top 
>> level archive directory
>>
>> Fixes: Bug#13203
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>>   config/cfgroot/ids-functions.pl | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/config/cfgroot/ids-functions.pl 
>> b/config/cfgroot/ids-functions.pl
>> index d97431b4a..f2b2ffc58 100644
>> --- a/config/cfgroot/ids-functions.pl
>> +++ b/config/cfgroot/ids-functions.pl
>> @@ -572,7 +572,7 @@ sub extractruleset ($) {
>>               # Handle rules files.
>>               } elsif ($file =~ m/\.rules$/) {
>>                   # Skip rule files which are not located in the rules 
>> directory or archive root.
>> -                next unless(($packed_file =~ /^rules\//) || 
>> ($packed_file =~ /^$provider-rules\//) || ($packed_file !~ /\//));
>> +                next unless(($packed_file =~ /^rules\//) || 
>> ($packed_file =~ /^$provider-rules\//) || ($packed_file =~ 
>> /^snort3-$provider-rules\//) || ($packed_file !~ /\//));
>>                   # Skip deleted.rules.
>>                   #
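
Review bot: the added alternative `/^snort3-$provider-rules\//` hard-codes a Snort 3 specific prefix into the generic path filter of extractruleset, so `snort3-` is accepted for every provider's archive and not only for the one whose layout changed. Consider folding it into the existing test as an optional prefix, for example `($packed_file =~ /^(?:snort3-)?\Q$provider\E-rules\//)`, which also quotes `$provider` so that any regex metacharacters in the provider name are matched literally (the existing `/^$provider-rules\//` test interpolates it unquoted as well). The commit message gives the directory as `snort3-community.rules`, while the pattern matches a hyphenated `snort3-$provider-rules/` path; the message should name the directory exactly as the pattern expects it. A short comment on the new alternative saying which archive needs it would help whoever next touches this filter.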

-- 
Sent from my laptop

Thread overview: 3+ messages
     [not found] <20230731204617.1411345-1-adolf.belka@ipfire.org>
2023-08-01 10:10 ` Bernhard Bitsch
2023-08-01 10:45   ` Adolf Belka [this message]
2023-08-01 15:58     ` [PATCH] ruleset-sources: Adjust download URL for snort community ruleset Stefan Schantl
