Feature #2556
openSuricata-update gives disabled messages but also still parse errors which don't get disabled > so test fails
Description
Dear,
Running latest suricata-update (1.0.0rc1), I'm getting a list of messages saying rules get disabled, which is a nice feature.... but still it is followed by a list of rules giving a parse error. Because of this, the test at the end fails, forcing me to use the 'no test' option.
I have attached the output in a textfile for the following:
suricata-update list-enabled-sources
followed by
suricata-update
Thank you in advance,
Kind regards
Files
Updated by Jason Ish over 5 years ago
This is because suricata-update does not have a fully validating parsing. It will parse things that follow the general structure of a rule, and validates and disables a few things - such as protocols that may not be enabled. But unknown keywords would still get through.
An idea for future consideration would be to use Suricata to validate that all rules parse and disable the ones that don't. One would have to be careful with this usage though as it may lead one to think that all is well, when rules they wanted had errors in them. But an idea that could be discussed.
Updated by Wim Claes over 5 years ago
Jason Ish wrote:
This is because suricata-update does not have a fully validating parsing. It will parse things that follow the general structure of a rule, and validates and disables a few things - such as protocols that may not be enabled. But unknown keywords would still get through.
An idea for future consideration would be to use Suricata to validate that all rules parse and disable the ones that don't. One would have to be careful with this usage though as it may lead one to think that all is well, when rules they wanted had errors in them. But an idea that could be discussed.
Hi Jason,
Thanks for checking this. I'm pretty much a beginner at linux and IPS, but here's my 2 cents:
I'm nowhere near writing my own rules yet and I'm making use of the 'Emerging Threats' & Snort VRT free rules. There's no automated control to make sure any of the rules included in those sets are written ok, probably more specific the snort set (as it's not suricata optimized?). So for those a flag to make sure invalid rules get disabled & reported would be a good help, when running a script to auto-update rules daily. Ofcourse custom written rules should not be disabled and issues with those should be corrected. Maybe some indicator flag per rule set or file could be specified wether or not disabling is allowed?
Anyway, either way I'm happy with wathever you feel is the right thing and will probably go the manual route for now:
output the errors to a file and manually add the sid's to the disable.conf.
Thank you for your time and feedback,
Wim
Updated by Andreas Herz almost 5 years ago
- Tracker changed from Bug to Feature
- Affected Versions deleted (
1.0.0rc1)