Bug #2688: filemd5 files are not migrated /w rules

Added by Kenneth Kolano over 7 years ago. Updated over 5 years ago.

Status: Closed
Priority: High
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When rules using a filemd5 directive are imported, the rules are migrated to /var/lib/suricata/rules/suricata.rules, but the related files are left in their original location (likely /etc/suricata/rules), which breaks the references.

alert http any any -> $HOME_NET any (msg:"OTX - FILE MD5 from pulse Threats Targeted against Civil Society";  filemd5:5bedad78bb5ab60a53de19a4.txt; reference: url, otx.alienvault.com/pulse/5bedad78bb5ab60a53de19a4; sid:411683; rev:1;)

Referenced files should be migrated along with their related rules.

To work around this I currently run the following command prior to Suricata-Update to generate hard links on relevant files between the two locations:

sudo cp -l /etc/suricata/rules/???????????*.txt /var/lib/suricata/rules
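As an added example (not suricata-update's own code) of the migration this report asks for: scan the rules file for filemd5 references (and dataset "load" references, the case in the related Bug #3528), copy each referenced file from the source rule directory to the destination next to the migrated rules, and report any that are missing instead of leaving a dangling reference. The directory layout, the regexes and the sample rules are assumptions constructed for the example.

```python
import os
import re
import shutil
import tempfile
# filemd5 names its file directly; dataset names one via "load <file>".
FILE_REFS = (re.compile(r'\bfilemd5\s*:\s*([^;]+);'),
             re.compile(r'\bdataset\s*:[^;]*\bload\s+([^,;]+)'))
SAMPLE_RULES = (  # constructed: the filemd5 rule from this report plus a dataset rule
    'alert http any any -> $HOME_NET any (msg:"OTX"; filemd5:5bedad78bb5ab60a53de19a4.txt; sid:411683; rev:1;)\n'
    '# commented-out rules are skipped\n'
    'alert http any any -> any any (msg:"ds"; dataset:isset,bad,type md5,load bad-hashes.lst; sid:1000001; rev:1;)\n'
)

def referenced_files(rules_text):
    """Return the set of file names referenced by filemd5/dataset options."""
    names = set()
    for line in rules_text.splitlines():
        if line.strip().startswith("#"):
            continue
        for regex in FILE_REFS:
            names.update(m.group(1).strip().strip('"') for m in regex.finditer(line))
    return names

def migrate_referenced_files(rules_path, source_dir, dest_dir):
    """Copy each referenced file from source_dir to dest_dir; return (copied, missing)."""
    with open(rules_path, encoding="utf-8", errors="replace") as f:
        names = referenced_files(f.read())
    os.makedirs(dest_dir, exist_ok=True)
    copied, missing = [], []
    for name in sorted(names):
        base = os.path.basename(name)  # rules may carry a path; keep only the file name
        src = os.path.join(source_dir, base)
        if os.path.isfile(src):
            shutil.copy2(src, os.path.join(dest_dir, base))
            copied.append(base)
        else:
            missing.append(base)  # report it instead of leaving a dangling reference
    return copied, missing

def demo():
    """Constructed layout: only the filemd5 file exists, the dataset file is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "etc"), os.path.join(tmp, "var")
        os.makedirs(src)
        with open(os.path.join(src, "5bedad78bb5ab60a53de19a4.txt"), "w") as f:
            f.write("d41d8cd98f00b204e9800998ecf8427e\n")
        with open(os.path.join(src, "otx.rules"), "w") as f:
            f.write(SAMPLE_RULES)
        copied, missing = migrate_referenced_files(os.path.join(src, "otx.rules"), src, dst)
        return copied, missing, sorted(os.listdir(dst))
```

Run `demo()` to see the copied list, the missing list, and the destination directory contents for the constructed layout.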


Files

otx_file_rules.rules (226 KB) - OTX Rules file example - Kenneth Kolano, 08/08/2019 12:27 AM
546ce8eb11d40838dc6e43f1.txt (264 Bytes) - MD5 Hashes file example - Kenneth Kolano, 08/08/2019 12:27 AM

Related issues: 2 (1 open, 1 closed)

Related to Suricata-Update - Bug #3528: dataset files are not migrated /w rules (Closed, Shivani Bhardwaj)
Blocks Suricata-Update - Bug #2691: Error thrown with -o option (Assigned, OISF Dev)

#1 Updated by Shivani Bhardwaj almost 7 years ago

  • Assignee changed from Jason Ish to Shivani Bhardwaj
  • Target version set to TBD

#2 Updated by Shivani Bhardwaj almost 7 years ago

  • Status changed from New to Assigned

#3 Updated by Jason Ish over 6 years ago

@Kolano: Are you able to provide us with an example of this ruleset (how the md5 file is put in the tarball, for example)? Private is OK, we can use it to craft some test cases with no private info in them.

Thanks.

#4 Updated by Kenneth Kolano over 6 years ago

Sorry for my delayed response here.

The default OTX ruleset (as generated by this tool: https://github.com/AlienVault-OTX/OTX-Suricata) would be relevant. I provided an example rule above. There is no tarball, just a rules file and a series of text files with MD5 hashes. I've attached a complete rules file here and an example of one of the MD5 txt files.

#5 Updated by Jason Ish over 6 years ago

  • Blocks Bug #2691: Error thrown with -o option added

#6 Updated by Jason Ish over 6 years ago

  • Target version changed from TBD to 1.2.0

#7 Updated by Jason Ish over 6 years ago

  • Priority changed from Normal to High

#8 Updated by Shivani Bhardwaj about 6 years ago

  • Related to Bug #3528: dataset files are not migrated /w rules added

#9 Updated by Shivani Bhardwaj about 6 years ago

  • Status changed from Assigned to In Review

#10 Updated by Jason Ish over 5 years ago

  • Status changed from In Review to Closed

#11 Updated by Jason Ish over 5 years ago

  • Target version changed from 1.2.0 to 1.2.0rc1