Bug #3161
closedSet no-checksum option for default lists
Description
The new no-checksum option needs to be defaulted for the following ootb lists...
Sep 10 04:04:52 demo2 updateIDSRules[5341]: 2019-09-10 04:04:52,165 - <INFO> - Checking https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.md5. Sep 10 04:04:52 demo2 updateIDSRules[5341]: 2019-09-10 04:04:52,295 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found Sep 10 04:05:11 demo2 updateIDSRules[5341]: 2019-09-10 04:05:11,695 - <INFO> - Checking https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5. Sep 10 04:05:11 demo2 updateIDSRules[5341]: 2019-09-10 04:05:11,794 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found Sep 10 04:05:12 demo2 updateIDSRules[5341]: 2019-09-10 04:05:12,127 - <INFO> - Checking https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules.md5. Sep 10 04:05:12 demo2 updateIDSRules[5341]: 2019-09-10 04:05:12,290 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found Sep 10 04:05:15 demo2 updateIDSRules[5341]: 2019-09-10 04:05:15,943 - <INFO> - Checking https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules.md5. Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,176 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,467 - <INFO> - Checking https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.md5. Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,610 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,737 - <INFO> - Checking https://security.etnetera.cz/feeds/etn_aggressive.rules.md5. Sep 10 04:05:18 demo2 updateIDSRules[5341]: 2019-09-10 04:05:18,055 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found
Additionally, the option should be applicable to the enable-source command to allow omitting MD5 downloads when they exist.
Updated by Jason Ish over 5 years ago
Have you updated to the latest version of the index with `suricata-update update-sources`?
All of these are now marked as not having a checksum URL with the exception of https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules which is not in the index.
https://openinfosecfoundation.org/rules/index.yaml
The add-source command has the option to set this flag on sources added by URL. There should be no need to add it to enable-source as it should be already set in the index, or set during add-source.
Updated by Kenneth Kolano about 5 years ago
Sorry, didn't realize the DB was stored outside of code and hadn't seen any source related update in the check-in for this.
Updated by Jason Ish about 5 years ago
- Status changed from New to Closed
- Target version set to Support
Kenneth Kolano wrote:
Sorry, didn't realize the DB was stored outside of code and hadn't seen any source related update in the check-in for this.
The source index exists in this repo:
https://github.com/OISF/suricata-intel-index
Suricata-Update does bundle it to be immediately useful (whether or not that is a good idea).