
Suricata improvements #330

Closed

Conversation

securitym0nkey (Contributor)

These are some improvements for the Suricata SID content mgmt.

It resolves 2 bugs in the SID content mgmt:

  • Only the last SID in a list gets modified
  • Modification of all SIDs is not working, neither via the wildcard '*' nor with just the search term and replacement as shown in the example config.

Additionally, it adds support for modifying all signatures from a certain category.

Wildcard SID modifications are not working due to a wrong iteration over $rule_map[1] instead of $rule_map. Replaced this iteration with an array check, as the code is only working on GID 1 anyway.
Set the "modified" attribute on the rule_map entry when rules get modified by SID Mgmt.
Added a new mode for suricata_parse_sidconf_file to NOT split lines at commas. This mode is used to get the $sid_mods from the "Modify SID File". That $sid_mods goes into suricata_modify_sid_content. suricata_modify_sid_content is splitting the list itself. If the list is split by suricata_parse_sidconf_file, only the last "SID mod token" for a line retains the FROM & TO elements.
This commit adds functionality to modify all signatures within a category.

suricata_modify_sid_content was restructured to always walk over the SID list. Now it is actually a list of SIDs, categories and the wildcard '*'. If an item is a specific SID it gets modified; otherwise the whole rule_map is walked through to find all rules that need to be changed.
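To illustrate the Modify SID list semantics described in this pull request (one line carries a comma-separated list of SIDs, category names and the '*' wildcard followed by a quoted FROM and TO; every token keeps the same FROM/TO; only GID 1 rules are touched; FROM is matched literally, as the discussion below notes the PHP code does via preg_quote), here is an added Python example. It is not code from the pull request or the pfSense package: the rule-map layout, the field names and the sample rules and modify file are constructed assumptions, and `demo()` applies the sample file to a copy of the sample rule map and returns the rules plus which keys each line changed.

```python
import re
# Constructed rule map keyed by (gid, sid): a hypothetical stand-in for the package's $rule_map.
RULE_MAP = {
    (1, 302): {"category": "emerging-scan", "rule": "alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (sid:302;)"},
    (1, 429): {"category": "emerging-sql", "rule": "alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (sid:429;)"},
    (1, 2100691): {"category": "emerging-sql", "rule": "alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (sid:2100691;)"},
    (3, 302): {"category": "emerging-scan", "rule": "alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (gid:3; sid:302;)"},
}

# Constructed "Modify SID" file: a SID list, a category, then '*' with an escaped '$' that matches nothing.
SAMPLE_MODIFY_FILE = r'''
302,429 "$EXTERNAL_NET" "$HOME_NET"
emerging-sql "$HOME_NET" "any"
* "\$EXTERNAL_NET" "\$HOME_NET"
'''

def parse_modify_line(line):
    """Return (targets, FROM, TO) or None; targets are split only after FROM/TO are read."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = re.match(r'^(\S+)\s+"([^"]*)"\s+"([^"]*)"\s*$', line)
    if not m:
        raise ValueError("malformed modify line: %r" % line)
    return [t for t in m.group(1).split(",") if t], m.group(2), m.group(3)

def is_selected(targets, sid, category):
    # A token selects a rule if it is '*', the rule's numeric SID, or the rule's category.
    return any(t == "*" or t == category or (t.isdigit() and int(t) == sid) for t in targets)

def apply_modification(rule_map, targets, frm, to):
    """Replace FROM with TO in every selected GID-1 rule; return the keys that changed."""
    pattern = re.compile(re.escape(frm))  # literal match, like preg_quote() in the PHP code
    changed = []
    for (gid, sid), entry in rule_map.items():
        if gid != 1 or not is_selected(targets, sid, entry["category"]):
            continue  # SID management only operates on GID 1 rules
        entry["rule"], count = pattern.subn(lambda _m: to, entry["rule"])  # TO inserted literally
        if count:
            entry["modified"] = True
            changed.append((gid, sid))
    return changed

def demo(text=SAMPLE_MODIFY_FILE):
    rules, results = {k: dict(v) for k, v in RULE_MAP.items()}, {}
    for raw in text.splitlines():
        parsed = parse_modify_line(raw)
        if parsed:
            results[raw.strip()] = apply_modification(rules, *parsed)
    return rules, results
```

The last sample line shows the point raised in the review: an escaped `\$` in FROM is searched for literally, so it never matches a rule.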
netgate-git-updates

Before this pull request can be accepted you must first sign a CLA as described at https://www.pfsense.org/about-pfsense/#cla. Please read for more details.

@@ -19,5 +19,13 @@
# "HTTP_PORTS" "HTTPS_PORTS"

# multiple sids can be specified as noted below:
# 302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET"
# 302,429,1821 "$EXTERNAL_NET" "$HOME_NET"
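Review bot: The example on the last two lines drops the backslash before `$` without saying why, so readers who remember the old escaped form will not know which one actually matches. Since the discussion confirms the code applies preg_quote and matches FROM literally, the comment block should state that explicitly, e.g. `# FROM and TO are matched literally; do not escape the $ in variable names`, so an escaped `\$EXTERNAL_NET` copied from older configs is not silently left matching nothing.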
doktornotor (Contributor), Mar 12, 2017

Pretty sure these should remain escaped as it was before, and any added example should have those escaped, otherwise it's never going to match things in the rulesets. IOW, this is to replace the string $EXTERNAL_NET with a string $HOME_NET for the matching SIDs, not to expand those things to whatever is defined there and stick that in the rules.

securitym0nkey (Contributor, Author)

The code is escaping it itself. See line 2506. Actually, that way you can't use regex for replacement. pulledpork supports replacement by regex; in such a case you need to escape it. I thought of removing the preg_quote so that the current example would be correct, but dropped that idea to not break the config for people who have noticed that escaping is not needed, as displayed in the example.

Contributor

Yeah, currently the code performs internal escaping of the regex.

# emerging-scan,emerging-sql "$EXTERNAL_NET" "any"

# modify all signatures for a category and specific SIDs from other categories
# emerging-sql,2100691,2009817 "$EXTERNAL_NET" "any"
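Review bot: The new example `# emerging-sql,2100691,2009817 "$EXTERNAL_NET" "any"` mixes a category name with SIDs but the comment never says how a token is told apart; the pull request description says a specific SID is modified directly and any other token is matched against the whole rule map, so add a line stating that rule (and that '*' selects every rule). It would also help to note that replacing `$EXTERNAL_NET` with `any` for an entire category widens every rule in it to all source addresses, which affects alert volume and should be a deliberate choice.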
Contributor

See previous comment.

rbgarga (Member) commented Mar 29, 2017

Can you take a look at these changes @bmeeks8 ?

bmeeks8 (Contributor) commented Mar 29, 2017

I am OK with the changes submitted. Thank you to the submitter for improving the Suricata package!

rbgarga (Member) commented Apr 12, 2017

@securitym0nkey can you please rebase your fork and bump PORTREVISION so I can get it merged

rbgarga (Member) commented Apr 12, 2017

@bmeeks8 if you believe it's easier for you to include these changes together with the update you are working on just let me know

bmeeks8 (Contributor) commented Apr 12, 2017

I just submitted the pull request for the new Suricata 3.2.1 package update, but it was before I saw this notice. My update is not touching the files referenced in this pull request.

rbgarga (Member) commented Apr 12, 2017

Manually merged it, thanks!

rbgarga closed this Apr 12, 2017