Project

General

Profile

Actions

Feature #2556

open

Suricata-update gives disabled messages but also still parse errors which don't get disabled > so test fails

Added by Wim Claes over 6 years ago. Updated over 5 years ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
-
Effort:
Difficulty:
Label:

Description

Dear,
Running latest suricata-update (1.0.0rc1), I'm getting a list of messages saying rules get disabled, which is a nice feature.... but still it is followed by a list of rules giving a parse error. Because of this, the test at the end fails, forcing me to use the 'no test' option.
I have attached the output in a textfile for the following:

suricata-update list-enabled-sources
followed by
suricata-update

Thank you in advance,
Kind regards


Files

suricataupdate_rule_errors.txt (281 KB) suricataupdate_rule_errors.txt Wim Claes, 07/26/2018 07:11 PM
Actions #1

Updated by Jason Ish over 6 years ago

This is because suricata-update does not have a fully validating parsing. It will parse things that follow the general structure of a rule, and validates and disables a few things - such as protocols that may not be enabled. But unknown keywords would still get through.

An idea for future consideration would be to use Suricata to validate that all rules parse and disable the ones that don't. One would have to be careful with this usage though as it may lead one to think that all is well, when rules they wanted had errors in them. But an idea that could be discussed.

Actions #2

Updated by Wim Claes about 6 years ago

Jason Ish wrote:

This is because suricata-update does not have a fully validating parsing. It will parse things that follow the general structure of a rule, and validates and disables a few things - such as protocols that may not be enabled. But unknown keywords would still get through.

An idea for future consideration would be to use Suricata to validate that all rules parse and disable the ones that don't. One would have to be careful with this usage though as it may lead one to think that all is well, when rules they wanted had errors in them. But an idea that could be discussed.

Hi Jason,

Thanks for checking this. I'm pretty much a beginner at linux and IPS, but here's my 2 cents:
I'm nowhere near writing my own rules yet and I'm making use of the 'Emerging Threats' & Snort VRT free rules. There's no automated control to make sure any of the rules included in those sets are written ok, probably more specific the snort set (as it's not suricata optimized?). So for those a flag to make sure invalid rules get disabled & reported would be a good help, when running a script to auto-update rules daily. Ofcourse custom written rules should not be disabled and issues with those should be corrected. Maybe some indicator flag per rule set or file could be specified wether or not disabling is allowed?

Anyway, either way I'm happy with wathever you feel is the right thing and will probably go the manual route for now:
output the errors to a file and manually add the sid's to the disable.conf.

Thank you for your time and feedback,
Wim

Actions #3

Updated by Andreas Herz over 5 years ago

  • Tracker changed from Bug to Feature
  • Affected Versions deleted (1.0.0rc1)
Actions

Also available in: Atom PDF