Feature #3697 (open)
A command line option for suricata-update that would set downloaded rules to their default state
Description
When downloading and activating rules, suricata-update applies disable and enable filters to rules, but apparently there is no way to disable a rule if it has been disabled in the original downloaded rule file. However, if a rule has been commented out in the original rule file, it often indicates that its authors regard it as prone to false positives.
PulledPork addresses this issue nicely and supports the -R command line option for that purpose, and this option is very handy for disabling noisy rules (see https://github.com/shirkdog/pulledpork for more details).
Would it be possible to introduce a similar command line option (or configuration file setting) for suricata-update?
Updated by Jason Ish over 4 years ago
Suricata-Update when run without enable/disable configurations will leave the rules as-is in their original source (with the exception of flowbit resolution). So unless an enable statement matches and enables it, it will be left as-is in the source.
I'm not really sure what -R in PulledPork does. Apparently the authors of PulledPork are a little unsure themselves given this in the commit for -R:
    +- Bug #47 - This should be used by advanced users only, it can produce results that may
    +  not make sense to the typical user. And frankly, I don't understand it ;-)
Do you have a test case where a rule is not maintaining its enable/disable state from the source?
Updated by Shivani Bhardwaj over 4 years ago
Hi Risto Vaarandi!
Could you please provide us with a test case as requested by Jason?
Updated by Risto Vaarandi about 4 years ago
What I meant was to disable the rule after it has been enabled by enable-rule, provided that the rule was originally disabled in the rule tarball. Naturally, the rule should be disabled only if it has no flowbit dependency on other rules that remain active (but that is usually the case for rules that their original authors have commented out).
Updated by Risto Vaarandi about 4 years ago
Let me provide an example of what I mean. Let's assume I would first like to disable all rules and then enable a smaller subset according to some criteria.
Here is the content of the disable.conf file:

    # disable all rules
    re:.

and here is enable.conf:

    # enable only rules described below
    re:msg:"(ET|ETPRO|GPL).*\sclasstype:\s*(trojan-activity|targeted-activity|exploit-kit|domain-c2|command-and-control)\s*;
Now consider the following rule which has been disabled by authors in the rule tarball:
#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
Given the disable.conf and enable.conf above, suricata-update would enable this rule. So would PulledPork if executed with similar disablesid.conf and enablesid.conf, and without -R. However, the presence of the -R flag would leave the above rule disabled. My point here is the following: if authors disable their rules, it is usually because the rule produces false positives or is no longer relevant, and it would be nice to have a command line or config file option to leave such rules disabled. If there is already a way to achieve that, I would be thankful for any advice.
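The following is an added illustration of the behaviour discussed in this thread; it is not suricata-update's own code, only a small Python model of how disable.conf and enable.conf filters decide a rule's final state, with a hypothetical `keep_source_disabled` flag standing in for the option requested in this issue. Assumptions: only `re:` and bare-sid filter lines are supported (the real tool supports more), a regex is matched against the rule text with the leading `#` removed, enable filters are applied after disable filters so that an enable match wins, and flowbit dependencies are not modelled (a real implementation would have to keep a rule enabled if an active rule depends on a flowbit it sets). The first sample rule is the one quoted above; the other two rules are constructed for this example and use local-range sids.

```python
import re

# Constructed sample rule file. Rule 2017977 is the one quoted in the post above
# (commented out by its authors); the other two rules are made up for this example.
SAMPLE_RULES = """\
#alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Updatre SSL Certificate cardiffpower"; flow:established,from_server; content:"|55 04 03|"; content:"|10|cardiffpower.com"; distance:1; within:17; content:"|55 04 03|"; distance:0; content:"|10|cardiffpower.com"; distance:1; within:17; classtype:domain-c2; sid:2017977; rev:2; metadata:attack_target Client_Endpoint, created_at 2014_01_16, deployment Perimeter, former_category CURRENT_EVENTS, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_10_25;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Example active rule (constructed)"; flow:established,from_server; content:"evil"; classtype:trojan-activity; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Example policy rule (constructed)"; flow:established,to_server; content:"foo"; classtype:policy-violation; sid:9000002; rev:1;)
"""

# The two filter files from the post above.
DISABLE_CONF = "# disable all rules\nre:."
ENABLE_CONF = r'''# enable only rules described below
re:msg:"(ET|ETPRO|GPL).*\sclasstype:\s*(trojan-activity|targeted-activity|exploit-kit|domain-c2|command-and-control)\s*;'''

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rules(text):
    """Split a rule file into rules, remembering whether each was enabled in the source.

    A line starting with '#' that contains a sid is treated as a disabled rule;
    comment lines without a sid are ignored.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line if enabled else line.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not m:
            continue
        rules.append({"sid": int(m.group(1)), "body": body, "enabled_in_source": enabled})
    return rules


def load_filters(conf_text):
    """Parse a disable.conf/enable.conf subset: '#' comments, 're:<regex>' and bare sids."""
    filters = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("re:"):
            filters.append(("re", re.compile(line[3:].strip())))
        elif line.isdigit():
            filters.append(("sid", int(line)))
        else:
            raise ValueError("unsupported filter line: %r" % line)
    return filters


def matches(rule, flt):
    kind, value = flt
    if kind == "sid":
        return rule["sid"] == value
    # Assumption: the regex is applied to the rule text without its leading '#'.
    return value.search(rule["body"]) is not None


def apply_filters(rules, disable_filters, enable_filters, keep_source_disabled=False):
    """Return {sid: enabled} after applying disable filters, then enable filters.

    keep_source_disabled is the hypothetical option requested in this issue:
    a rule commented out by its authors stays disabled even if an enable filter
    matched it. Flowbit dependencies are deliberately not modelled here.
    """
    state = {}
    for rule in rules:
        enabled = rule["enabled_in_source"]
        if any(matches(rule, f) for f in disable_filters):
            enabled = False
        if any(matches(rule, f) for f in enable_filters):
            enabled = True
        if keep_source_disabled and not rule["enabled_in_source"]:
            enabled = False
        state[rule["sid"]] = enabled
    return state


def render(rules, state):
    """Write the rules back out, commenting out the disabled ones."""
    return "".join(("" if state[r["sid"]] else "#") + r["body"] + "\n" for r in rules)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    disable, enable = load_filters(DISABLE_CONF), load_filters(ENABLE_CONF)
    for keep in (False, True):
        print("keep_source_disabled=%s" % keep)
        for sid, on in apply_filters(rules, disable, enable, keep).items():
            print("  sid %d: %s" % (sid, "enabled" if on else "disabled"))
```

Run as-is, the default pass enables sid 2017977 because the enable regex matches its msg and classtype, exactly as described above; with the hypothetical flag set, the rule is left commented out, while the constructed trojan-activity rule stays enabled and the policy-violation rule stays disabled by `re:.`.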
Updated by Jason Ish about 3 years ago
- Assignee changed from Shivani Bhardwaj to Jason Ish