
Bug #3161 (closed): Set no-checksum option for default lists

Added by Kenneth Kolano over 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Target version: Support

Description

The new no-checksum option needs to be defaulted for the following out-of-the-box lists...

Sep 10 04:04:52 demo2 updateIDSRules[5341]: 2019-09-10 04:04:52,165 - <INFO> - Checking https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules.md5.
Sep 10 04:04:52 demo2 updateIDSRules[5341]: 2019-09-10 04:04:52,295 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found
Sep 10 04:05:11 demo2 updateIDSRules[5341]: 2019-09-10 04:05:11,695 - <INFO> - Checking https://sslbl.abuse.ch/blacklist/sslblacklist.rules.md5.
Sep 10 04:05:11 demo2 updateIDSRules[5341]: 2019-09-10 04:05:11,794 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found
Sep 10 04:05:12 demo2 updateIDSRules[5341]: 2019-09-10 04:05:12,127 - <INFO> - Checking https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules.md5.
Sep 10 04:05:12 demo2 updateIDSRules[5341]: 2019-09-10 04:05:12,290 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found
Sep 10 04:05:15 demo2 updateIDSRules[5341]: 2019-09-10 04:05:15,943 - <INFO> - Checking https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules.md5.
Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,176 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found
Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,467 - <INFO> - Checking https://openinfosecfoundation.org/rules/trafficid/trafficid.rules.md5.
Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,610 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found
Sep 10 04:05:16 demo2 updateIDSRules[5341]: 2019-09-10 04:05:16,737 - <INFO> - Checking https://security.etnetera.cz/feeds/etn_aggressive.rules.md5.
Sep 10 04:05:18 demo2 updateIDSRules[5341]: 2019-09-10 04:05:18,055 - <WARNING> - Failed to check remote checksum: HTTP Error 404: Not Found

Additionally, the option should be applicable to the enable-source command to allow omitting MD5 downloads when they exist.

Actions #1

Updated by Jason Ish over 5 years ago

Have you updated to the latest version of the index with `suricata-update update-sources`?

All of these are now marked as not having a checksum URL with the exception of https://rules.emergingthreats.net/blockrules/emerging-drop.suricata.rules which is not in the index.

https://openinfosecfoundation.org/rules/index.yaml

The add-source command has the option to set this flag on sources added by URL. There should be no need to add it to enable-source as it should be already set in the index, or set during add-source.
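The reply above describes the mechanism: the index entry carries the "no checksum" flag for feeds that publish no .md5 file, and add-source can set the same flag on a source added by URL. As an added example (not suricata-update's own code, nor anything from the OISF index), the Python sketch below shows how an updater honours that flag so the `<url>.md5` request is skipped entirely for flagged feeds, while an unflagged feed without an .md5 still produces the same "Failed to check remote checksum: HTTP Error 404" warning seen in the report and falls back to a full download. The index entries, rule bytes and remote responses are constructed inline so it runs offline; the `checksum: false` key name, the `source_config` and `add_source_by_url` helpers and the `HTTPError` stand-in are assumptions for the example.

```python
"""Added example: per-source no-checksum flag in a rule updater.
Not suricata-update's code; the index schema used here is assumed."""
import hashlib
import logging
from typing import Callable, Dict, List, Optional

log = logging.getLogger("updateIDSRules")


class HTTPError(Exception):
    """Minimal stand-in for urllib's HTTPError (constructed for the example)."""

    def __init__(self, code: int):
        super().__init__(f"HTTP Error {code}")
        self.code = code


# Constructed stand-in for entries of the source index (index.yaml). The real
# index lives at https://github.com/OISF/suricata-intel-index; the exact
# 'checksum: false' key used here to flag feeds without an .md5 is assumed.
INDEX: Dict[str, dict] = {
    "et/open": {
        "url": "https://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz",
    },
    "sslbl/ssl-fp-blacklist": {
        "url": "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
        "checksum": False,
    },
}

# Constructed rule payloads standing in for the downloaded files.
ET_RULES = b'alert tcp any any -> any any (msg:"constructed rule"; sid:1; rev:1;)\n'
SSLBL_RULES = b'alert tls any any -> any any (msg:"constructed sslbl rule"; sid:2; rev:1;)\n'

# Constructed "remote" content: the ET feed publishes an .md5 beside the
# file, the sslbl feed does not, so fetching its .md5 yields a 404.
REMOTE: Dict[str, bytes] = {
    INDEX["et/open"]["url"]: ET_RULES,
    INDEX["et/open"]["url"] + ".md5": hashlib.md5(ET_RULES).hexdigest().encode(),
    INDEX["sslbl/ssl-fp-blacklist"]["url"]: SSLBL_RULES,
}


def make_fetcher(requested: List[str]) -> Callable[[str], bytes]:
    """Offline fetcher that records every URL it is asked for, so a caller
    can see whether the .md5 request was made at all."""

    def fetch(url: str) -> bytes:
        requested.append(url)
        if url not in REMOTE:
            raise HTTPError(404)
        return REMOTE[url]

    return fetch


def checksum_url(source: dict) -> Optional[str]:
    """None when the source is flagged as having no checksum file."""
    if source.get("checksum", True) is False:
        return None
    return source["url"] + ".md5"


def remote_checksum_matches(source: dict, local: bytes, fetch) -> Optional[bool]:
    """True/False when the remote md5 was fetched and compared; None when the
    check was skipped (flag set) or failed (e.g. 404). On None the caller
    falls back to a full download, which is what the report's log shows."""
    url = checksum_url(source)
    if url is None:
        log.info("No checksum URL for %s; skipping check.", source["url"])
        return None
    log.info("Checking %s.", url)
    try:
        remote = fetch(url).decode("ascii").split()[0].lower()
    except HTTPError as err:
        log.warning("Failed to check remote checksum: %s", err)
        return None
    return remote == hashlib.md5(local).hexdigest()


def needs_download(source: dict, local: Optional[bytes], fetch) -> bool:
    """Download unless the remote checksum positively confirms the local copy."""
    if local is None:
        return True
    return remote_checksum_matches(source, local, fetch) is not True


def source_config(name: str, no_checksum: bool = False, index=INDEX) -> dict:
    """What enable-source would persist: the index entry as-is, with an
    explicit --no-checksum forcing the flag off (helper name assumed)."""
    cfg = dict(index[name])
    if no_checksum:
        cfg["checksum"] = False
    return cfg


def add_source_by_url(url: str, no_checksum: bool = False) -> dict:
    """What add-source would persist for a URL source (helper name assumed)."""
    cfg = {"url": url}
    if no_checksum:
        cfg["checksum"] = False
    return cfg


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s - %(message)s")
    requested: List[str] = []
    fetch = make_fetcher(requested)
    for name in INDEX:
        src = source_config(name)
        local = REMOTE[src["url"]]  # pretend the previous run's copy is current
        print(name, "needs download:", needs_download(src, local, fetch))
    print("requests made:", requested)
```

Run stand-alone, the flagged sslbl source makes no .md5 request at all, while the ET source is confirmed current by its checksum and is not re-downloaded. The same feed added by plain URL without the flag still hits the 404 path, which is why the reply points at setting the flag in the index or at add-source time rather than on enable-source.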

Actions #2

Updated by Kenneth Kolano about 5 years ago

Sorry, didn't realize the DB was stored outside of code and hadn't seen any source related update in the check-in for this.

Actions #3

Updated by Jason Ish about 5 years ago

  • Status changed from New to Closed
  • Target version set to Support

Kenneth Kolano wrote:

Sorry, didn't realize the DB was stored outside of code and hadn't seen any source related update in the check-in for this.

The source index exists in this repo:
https://github.com/OISF/suricata-intel-index

Suricata-Update does bundle it to be immediately useful (whether or not that is a good idea).
