Core: SURICATA: bug when converting commented out alerts to "drop"

Created on 14 Sep 2017 · 6 Comments · Source: opnsense/core

Hi,

the lists of emergingthreats often contain rules that are commented out

#alert http $HOME_NET any -> $EXTERNAL_NET

when changing 'all alerts to drop actions' these will get converted to

drop t http ...

resulting in error messages

- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "t" cannot be used in a signature.

I don't know why these rules are commented out - but this case has to be taken care of when changing from alert to drop.

Thank You & cheers,

Stephan

bug

All 6 comments

Hi Stephan,

Looks like it tries to remove "alert" as five characters from the beginning of the stream. Not sure where this is, somewhere in src/opnsense/scripts/suricata/ I think, so handing over to Ad for assessment as he wrote the code.

Cheers,
Franco
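
Added example, not part of the thread, not OPNsense's code and not the content of patch 105fb5b: a Python sketch of the failure mode guessed at above next to an anchored rewrite that only touches enabled rules. `naive_to_drop` is a hypothetical model of a fixed five-character replacement, and the sample rules, SIDs and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the style of an Emerging Threats rule file.
SAMPLE_RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed enabled"; sid:1000001; rev:1;)',
    '#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed disabled"; sid:1000002; rev:1;)',
    '# alert tcp any any -> any any (msg:"constructed disabled, spaced"; sid:1000003; rev:1;)',
    '# free-text comment that mentions alert rules',
    'pass tcp any any -> any 22 (msg:"constructed pass rule"; sid:1000004; rev:1;)',
    '',
]


def naive_to_drop(line):
    """Hypothetical model of the bug: assume the line starts with 'alert'
    and swap the first five characters without looking at them."""
    return "drop " + line[5:].lstrip()


# An enabled rule starts, after optional whitespace, with its action keyword.
_ALERT_RE = re.compile(r"^(\s*)alert(\s+)")


def alert_to_drop(line):
    """Rewrite the action only on enabled 'alert' rules. Commented-out rules,
    plain comments, blank lines and other actions are returned unchanged."""
    return _ALERT_RE.sub(r"\1drop\2", line, count=1)


def rewrite_ruleset(lines):
    """Return (rewritten_lines, number_of_rules_switched_to_drop)."""
    rewritten = [alert_to_drop(line) for line in lines]
    changed = sum(1 for old, new in zip(lines, rewritten) if old != new)
    return rewritten, changed


if __name__ == "__main__":
    for rule in SAMPLE_RULES[:2]:
        print("naive :", naive_to_drop(rule)[:40])
        print("fixed :", alert_to_drop(rule)[:40])
    print("rules switched:", rewrite_ruleset(SAMPLE_RULES)[1])
```

After any bulk action rewrite, loading the resulting file with Suricata's test mode (`suricata -T`) surfaces signature parse errors like the one quoted in the report before the ruleset goes live.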

@Stephanowicz please try this:

# opnsense-patch 105fb5b

Perfect!

Thanks again ;)

yay, thanks for confirming
