Bug #2688

closed

filemd5 files are not migrated /w rules

Added by Kenneth Kolano over 5 years ago. Updated over 3 years ago.

Status: Closed
Priority: High
Target version / Affected Versions / Effort / Difficulty / Label: not set

Description

When rules using a filemd5 directive are imported the rules are migrated to /var/lib/suricata/rules/suricata.rules, but the related files are left in their original location (likely /etc/suricata/rules), which breaks the references.

alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Threats Targeted against Civil Society";  filemd5:5bedad78bb5ab60a53de19a4.txt; reference: url, otx.alienvault.com/pulse/5bedad78bb5ab60a53de19a4; sid:411683; rev:1;)

Referenced files should be migrated along with their related rules.

To work around this I currently run the following command prior to Suricata-Update to generate hard links on relevant files between the two locations:

sudo cp -l /etc/suricata/rules/???????????*.txt /var/lib/suricata/rules

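Added example (not the reporter's or the Suricata-Update project's own code): a small Python script that extracts the file names referenced by filemd5 keywords in a rules file and copies them from the source rule directory to the destination, reporting any reference that cannot be satisfied so a dangling filemd5 is caught before Suricata loads the rules. The directory layout, the sample rules and the hash content are constructed for illustration; the rule text reuses the rule and attachment name shown above.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Matches "filemd5:<name>;" inside a rule's option block; tolerates optional
# quotes and the "!" negation prefix that Suricata accepts on this keyword.
FILEMD5_RE = re.compile(r'\bfilemd5:\s*!?\s*"?([^;"\s]+)"?\s*;')

# Constructed sample: the rule from the bug report, a commented-out rule
# (which must be ignored), and a second rule naming the attached hash file.
SAMPLE_RULES = '''\
alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Threats Targeted against Civil Society"; filemd5:5bedad78bb5ab60a53de19a4.txt; reference:url,otx.alienvault.com/pulse/5bedad78bb5ab60a53de19a4; sid:411683; rev:1;)
# alert http any any -> $HOME_NET any (msg:"disabled"; filemd5:disabled.txt; sid:1; rev:1;)
alert http any any -> $HOME_NET any (msg:"second pulse"; filemd5:546ce8eb11d40838dc6e43f1.txt; sid:411684; rev:1;)
'''

def referenced_md5_files(rule_text: str) -> list:
    """Return the hash-file names named by filemd5 keywords, in order of appearance."""
    names = []
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):   # skip blanks and disabled rules
            continue
        names.extend(FILEMD5_RE.findall(line))
    return names

def migrate_md5_files(rule_text: str, src_dir, dst_dir):
    """Copy every referenced hash file from src_dir into dst_dir.
    Returns (copied, missing): missing names are rules that would break on load."""
    copied, missing = [], []
    dst = Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    for name in dict.fromkeys(referenced_md5_files(rule_text)):   # de-duplicate, keep order
        src_file = Path(src_dir) / name
        if src_file.is_file():
            shutil.copy2(src_file, dst / name)
            copied.append(name)
        else:
            missing.append(name)
    return copied, missing

def demo():
    """Run the migration on a constructed layout: only the first hash file exists."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, 'etc-rules'), Path(tmp, 'var-rules')
        src.mkdir()
        # constructed content: one MD5 per line, as in the OTX hash files
        (src / '5bedad78bb5ab60a53de19a4.txt').write_text('d41d8cd98f00b204e9800998ecf8427e\n')
        copied, missing = migrate_md5_files(SAMPLE_RULES, src, dst)
        present = sorted(p.name for p in dst.iterdir())
        return copied, missing, present
```

Running `demo()` copies the one file that exists and reports the second as missing; the same check can be pointed at /etc/suricata/rules and /var/lib/suricata/rules in place of the hard-link workaround.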

Files

otx_file_rules.rules (226 KB), OTX Rules file example, Kenneth Kolano, 08/08/2019 12:27 AM
546ce8eb11d40838dc6e43f1.txt (264 Bytes), MD5 Hashes file example, Kenneth Kolano, 08/08/2019 12:27 AM

Related issues (2: 1 open, 1 closed)

Related to Suricata-Update - Bug #3528: dataset files are not migrated /w rules (Closed, Shivani Bhardwaj)
Blocks Suricata-Update - Bug #2691: Error thrown with -o option (Assigned, Shivani Bhardwaj)
#1

Updated by Shivani Bhardwaj almost 5 years ago

  • Assignee changed from Jason Ish to Shivani Bhardwaj
  • Target version set to TBD
#2

Updated by Shivani Bhardwaj almost 5 years ago

  • Status changed from New to Assigned
#3

Updated by Jason Ish over 4 years ago

@Kenneth Kolano: Are you able to provide us with an example of this ruleset (how the md5 file is put in the tarball, for example)? Private is OK, we can use it to craft some test cases with no private info in them.

Thanks.

Updated by Kenneth Kolano over 4 years ago

Sorry for my delayed response here.

The default OTX ruleset (as generated by this tool: https://github.com/AlienVault-OTX/OTX-Suricata) would be relevant. I provided an example rule above. There is no tarball, just a rules file and a series of text files with MD5 hashes. I've attached a complete rules file here and an example of one of the MD5 txt files.

#5

Updated by Jason Ish over 4 years ago

  • Blocks Bug #2691: Error thrown with -o option added
#6

Updated by Jason Ish over 4 years ago

  • Target version changed from TBD to 1.2.0
#7

Updated by Jason Ish over 4 years ago

  • Priority changed from Normal to High
#8

Updated by Shivani Bhardwaj about 4 years ago

  • Related to Bug #3528: dataset files are not migrated /w rules added
#9

Updated by Shivani Bhardwaj about 4 years ago

  • Status changed from Assigned to In Review
#10

Updated by Jason Ish over 3 years ago

  • Status changed from In Review to Closed
#11

Updated by Jason Ish over 3 years ago

  • Target version changed from 1.2.0 to 1.2.0rc1