Modifysid doesn't modify rules

[jmgascoriego]

Hi guys,

I'm trying to modify a rule from "drop" to "alert" action, but for some reason, pulledpork is skipping any configuration in the modifysid.conf file.

my setup:
OS: Ubuntu 16.04
Snort version: 2.9.9
Pulledpork version: 0.8.0

Pulledpork config file:

rule_url=https://www.snort.org/downloads/registered/|snortrules-snapshot-2983.tar.gz|OINK-OMITTED
rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
rule_url=https://snort.org/downloads/ip-block-list|IPBLOCKLIST|open
ignore=deleted.rules,experimental.rules,local.rules
temp_path=/tmp
rule_path=/etc/snort/rules/snort.rules
local_rules=/etc/snort/rules/local.rules
sid_msg=/etc/snort/sid-msg.map
sid_msg_version=2
sid_changelog=/var/log/sid_changes.log
sorule_path=/usr/local/lib/snort_dynamicrules/
snort_path=/usr/local/bin/snort
config_path=/etc/snort/snort.conf
distro=Ubuntu-16-4
block_list=/etc/snort/rules/iplists/default.blocklist
IPRVersion=/etc/snort/rules/iplists
snort_control=/usr/local/bin/snort_control
state_order=disable,modify,drop,enable
pid_path=/var/log/snort/snort_ens192:ens224.pid
enablesid=/etc/snort/enablesid.conf
dropsid=/etc/snort/dropsid.conf
disablesid=/etc/snort/disablesid.conf
modifysid=/etc/snort/modifysid.conf
ips_policy=security
version=0.8.0

Modifysid.conf file:

1:20212 "^drop" "alert"

Rule:

drop tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSL CBC encryption mode weakness brute force attempt"; flow:to_server,established,no_stream; isdataat:1; isdataat:!1001; detection_filter:track by_src,count 100,seconds 1; metadata:policy max-detect-ips drop, service ssl; reference:cve,2011-3389; reference:url,attack.mitre.org/techniques/T1110; reference:url,technet.microsoft.com/en-us/security/advisory/2588513; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-006; reference:url,vnhacker.blogspot.com/2011/09/beast.html; classtype:attempted-recon; sid:20212; rev:11;)

Running pulledpork, basically, it is doing nothing:

/usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf -l

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2983.tar.gz....
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz....
        They Match
        Done!
IP Blocklist download of https://snort.org/downloads/ip-block-list....
Reading IP List...
Writing Blocklist File /etc/snort/rules/iplists/default.blocklist....
Writing Blocklist Version 1715026232 to /etc/snort/rules/iplists/IPRVersion.dat....
Writing /var/log/sid_changes.log....
        Done

No Rule Changes

IP Blocklist Stats...
        Total IPs:-----815

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

I've tried the below configurations in the modifysid.conf file:

1:20212:11 "^drop" "alert"
1:20212 "^drop" "alert"
1:20212 "drop" "alert"
regex:'20212' "^drop" "alert"
regex:'sid:20212' "^drop" "alert"

Any idea about what is wrong?

Thanks in advance,
Kind regards

[shirkdog]

For the first three, you should remove "1:" so your line in your modifysid.conf looks like this:
20212 "^\s*drop" "alert"
pulledpork assumes a list of "SIDs". I also assume you mean to change drop to alert after you have set all of the other rules to drop, but the pattern is "SID SEARCH REPLACE"

[finchy]

Also, you say you are running 2.9.9.0 (which is EOL), but you are downloading 2.9.8.3 rules. 2.9.9.0 don't exist anymore, so I would suggest that you upgrade your version of Snort & your ruleset.

[jmgascoriego]

Thanks for the information provided.
I just managed to complete the upgrade from 2.9.9.0 to 2.9.17.1. At the same time, I also pointed pulledpork to the latest snapshot version.
I will monitor a couple of days the stability of the IPS, and then I will try adding the line suggested in the modifysid.conf file.

[jmgascoriego]

It seems the modifying file is skipped for some reason by Pulledpork even using the suggested rule:

pulledpork output

    https://github.com/shirkdog/pulledpork
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.8.0 - The only positive thing to come out of 2020...well this and take-out liquor!
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2021 JJ Cummings, Michael Shirk
  @_/        /  66\_  and the PulledPork Team!
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-29171.tar.gz....
        No Match
        Done
Rules tarball download of snortrules-snapshot-29171.tar.gz....
        They Match
        Done!
Checking latest MD5 for community-rules.tar.gz....
        No Match
        Done
Rules tarball download of community-rules.tar.gz....
        They Match
        Done!
IP Blocklist download of https://snort.org/downloads/ip-block-list....
Reading IP List...
Prepping rules from snortrules-snapshot-29171.tar.gz for work....
        Done!
Prepping rules from community-rules.tar.gz for work....
        Done!
Reading rules...
Generating Stub Rules....
        An error occurred: WARNING: ip4 normalizations disabled because not inline.

        An error occurred: WARNING: tcp normalizations disabled because not inline.

        An error occurred: WARNING: icmp4 normalizations disabled because not inline.

        An error occurred: WARNING: ip6 normalizations disabled because not inline.

        An error occurred: WARNING: icmp6 normalizations disabled because not inline.

        Done
Reading rules...
Reading rules...
Writing Blocklist File /etc/snort/rules/iplists/default.blocklist....
Writing Blocklist Version 1633761587 to /etc/snort/rules/iplists/IPRVersion.dat....
Activating security rulesets....
        Done
Modifying Sids....
        Done!
Processing /etc/snort/disablesid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/snort/modifysid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/snort/dropsid.conf....
        Modified 34762 rules
        Skipped 0 rules (already disabled)
        Done
Processing /etc/snort/enablesid.conf....
        Modified 0 rules
        Skipped 0 rules (already disabled)
        Done
Setting Flowbit State....
        Enabled 1179 flowbits
        Enabled 5 flowbits
        Done
Writing /etc/snort/rules/snort.rules....
        Done
Generating sid-msg.map....
        Done
Writing v2 /etc/snort/sid-msg.map....
        Done
Writing /var/log/sid_changes.log....
        Done
Rule Stats...
        New:-------29
        Deleted:---1
        Enabled Rules:----1202
        Dropped Rules:----34762
        Disabled Rules:---8898
        Total Rules:------44862
IP Blocklist Stats...
        Total IPs:-----1476

Done
Please review /var/log/sid_changes.log for additional details
Fly Piggy Fly!

modifysid.conf

# egrep -v "^#|^$" /etc/snort/modifysid.conf
20212 "^\s*drop" "alert"

Snort rule

# grep "20212" /etc/snort/rules/snort.rules
drop tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER SSL CBC encryption mode weakness brute force attempt"; flow:to_server,established,no_stream; isdataat:1; isdataat:!1001; detection_filter:track by_src,count 100,seconds 1; metadata:policy max-detect-ips drop, service ssl; reference:cve,2011-3389; reference:url,attack.mitre.org/techniques/T1110; reference:url,technet.microsoft.com/en-us/security/advisory/2588513; reference:url,technet.microsoft.com/en-us/security/bulletin/MS12-006; reference:url,vnhacker.blogspot.com/2011/09/beast.html; classtype:attempted-recon; sid:20212; rev:11;)

Any idea about what's wrong?

[shirkdog]

what user is running pulledpork (maybe perms, but probably not an issue)? you have modifysid.conf in your pulledpork.conf from before, but you are using dropsid.conf to set everything to drop, then only changing this one signature to alert?

Run again with -vvv, and see if anything states modifysid.conf is being used. Another test is to remove dropsid.conf, and change the modifysid.conf to go from "alert" to "drop" just to test. This may point to an order of operation issue, where pulledpork is only processing the drops, and not processing the modification.