From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] ids-functions.pl: Fixes bug#13203 - snort community rules not extracted
Date: Tue, 01 Aug 2023 12:45:59 +0200
Message-ID:
In-Reply-To: <4e2ba315-687a-96a7-7b0d-eee260be49d3@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1511869313845403410=="
List-Id:

--===============1511869313845403410==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi All,

Please note that I have dropped this patch in Patchwork as on its own it
does not fully solve the problem in bug#13203

It allows the snort community rules file to be extracted and placed into
/var/lib/suricata and it can then be selected in the customise rules
table. However every signature in this rules file then fails when parsed
by suricata and so none of them end up loaded. So something else is
different and an additional modification is still needed.

Regards,

Adolf.

On 01/08/2023 12:10, Bernhard Bitsch wrote:
> Reviewed-by: Bernhard Bitsch
>
> On 31.07.2023 at 22:46, Adolf Belka wrote:
>> - The snort top level directory in the archive has been changed from community.rules
>>     to snort3-community.rules so the regex no longer finds the tarball to extract.
>> - Modified the regex to include the current snort naming for the top level archive directory
>>
>> Fixes: Bug#13203
>> Tested-by: Adolf Belka
>> Signed-off-by: Adolf Belka
>> ---
>>   config/cfgroot/ids-functions.pl | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/config/cfgroot/ids-functions.pl=20
>> b/config/cfgroot/ids-functions.pl
>> index d97431b4a..f2b2ffc58 100644
>> --- a/config/cfgroot/ids-functions.pl
>> +++ b/config/cfgroot/ids-functions.pl
>> @@ -572,7 +572,7 @@ sub extractruleset ($) { >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0 # Handle rules files. >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0 } elsif ($file =3D~ m/\.rules$/) { >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # Skip rule files which are not located in the= rules=20 >> directory or archive root. >> -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 next unless(($packed_file =3D~ /^rules\//) ||=20 >> ($packed_file =3D~ /^$provider-rules\//) || ($packed_file !~ /\//)); >> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 next unless(($packed_file =3D~ /^rules\//) ||=20 >> ($packed_file =3D~ /^$provider-rules\//) || ($packed_file =3D~=20 >> /^snort3-$provider-rules\//) || ($packed_file !~ /\//)); >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # Skip deleted.rules. >> =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 # --=20 Sent from my laptop --===============1511869313845403410==--
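Review bot: In the added `+` line of extractruleset, the new alternative `/^snort3-$provider-rules\//` interpolates `$provider` into the pattern unescaped, as the existing `/^$provider-rules\//` alternative already does; writing it as `\Q$provider\E` in both places would keep any regex metacharacter in a provider handle literal in this path filter. The `snort3-` prefix is also hardcoded in a condition that runs for every provider's archive, so a per-provider setting for the accepted top-level directory would be narrower than a fourth alternative here. The commit message gives the directory as `snort3-community.rules`, while the pattern only matches a directory name ending in `-rules/`; the message should name the directory the pattern is meant to accept. As the reply at the top of this thread reports, the file this condition now lets through is then rejected signature by signature when suricata parses it, so this change should land together with whatever makes those rules load.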