Project

General

Profile

Actions

Bug #2688

closed

filemd5 files are not migrated /w rules

Added by Kenneth Kolano about 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
High
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When rules using a filemd5 directive are imported the rules are migrated to /var/lib/suricata/rules/suricata.rules, but the related files are left in their original location (likely /etc/suricata/rules), which breaks the references.

alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Threats Targeted against Civil Society";  filemd5:5bedad78bb5ab60a53de19a4.txt; reference: url, otx.alienvault.com/pulse/5bedad78bb5ab60a53de19a4; sid:411683; rev:1;)

Referenced files should be migrated along with their related rules.

To work around this I currently run the following command prior to Suricata-Update to generate hard links on relevant files between the two locations:

sudo cp -l /etc/suricata/rules/???????????*.txt /var/lib/suricata/rules


Files

otx_file_rules.rules (226 KB) otx_file_rules.rules OTX Rules file example Kenneth Kolano, 08/08/2019 12:27 AM
546ce8eb11d40838dc6e43f1.txt (264 Bytes) 546ce8eb11d40838dc6e43f1.txt MD5 Hashes file example Kenneth Kolano, 08/08/2019 12:27 AM

Related issues 2 (1 open1 closed)

Related to Suricata-Update - Bug #3528: dataset files are not migrated /w rulesClosedShivani BhardwajActions
Blocks Suricata-Update - Bug #2691: Error thrown with -o optionAssignedShivani BhardwajActions
Actions #1

Updated by Shivani Bhardwaj over 5 years ago

  • Assignee changed from Jason Ish to Shivani Bhardwaj
  • Target version set to TBD
Actions #2

Updated by Shivani Bhardwaj over 5 years ago

  • Status changed from New to Assigned
Actions #3

Updated by Jason Ish over 5 years ago

@Kenneth Kolano: Are you able to provide us with an example of this ruleset (how the md5 file is put in the tarball for example). Private is OK, we can use it to craft some test cases with no private info in them.

Thanks.

Updated by Kenneth Kolano over 5 years ago

Sorry for my delayed response here.

The default OTX ruleset (as generated by this tool: https://github.com/AlienVault-OTX/OTX-Suricata) would be relevant. I provided an example rule above. There is no tarball, just a rules file, and series of text files with MD5 hashes. I've attached a complete rules file here and an example of one of the MD5 txt files.

Actions #5

Updated by Jason Ish almost 5 years ago

  • Blocks Bug #2691: Error thrown with -o option added
Actions #6

Updated by Jason Ish almost 5 years ago

  • Target version changed from TBD to 1.2.0
Actions #7

Updated by Jason Ish almost 5 years ago

  • Priority changed from Normal to High
Actions #8

Updated by Shivani Bhardwaj almost 5 years ago

  • Related to Bug #3528: dataset files are not migrated /w rules added
Actions #9

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from Assigned to In Review
Actions #10

Updated by Jason Ish over 4 years ago

  • Status changed from In Review to Closed
Actions #11

Updated by Jason Ish over 4 years ago

  • Target version changed from 1.2.0 to 1.2.0rc1
Actions

Also available in: Atom PDF