Danger level settings of 'classification.config' are applied only to rules in 'signatures' - not to the rest of the '*.rules' rules
thanos-massias opened this issue · 1 comment
This is what I understand the code (psad-2.4.4) to be doing:
%snort_class_dl is initialized in sub import_snort_class_priorities(), by reading 'SNORT_RULES_DIR/classification.config' and is used only in sub import_signatures() to "assign the danger level from the classification.config file if the psad_dl field does not exist" to rules in the 'PSAD_CONF_DIR/signatures' file.
For the fwsnort rules in 'SNORT_RULES_DIR/*.rules' files, such an assignment of danger levels, based on the 'SNORT_RULES_DIR/classification.config' file, does not happen. Instead, to set the danger levels for these fwsnort rules one has to add a line for each of them in the 'PSAD_CONF_DIR/snort_rule_dl' file. If that is not done, the psad code uses a default danger level of 2.
My question is whether this is by design and I am supposed to configure psad in a different way (i.e. perhaps there is a way to automatically create the 'PSAD_CONF_DIR/snort_rule_dl' file from my 'SNORT_RULES_DIR/*.rules' files), or whether it would be better to patch psad to automatically assign danger levels to all fwsnort rules used, based on the contents of 'SNORT_RULES_DIR/classification.config', and use 'PSAD_CONF_DIR/snort_rule_dl' just for fine-tuning.
I include the following diff for enabling the latter in psad-2.4.4, to illustrate the point:
--- psad-2.4.4 2017-03-18 12:55:03.519344682 +0000
+++ psad 2017-03-27 09:20:52.444063104 +0000
@@ -4017,6 +4017,10 @@
%fwsnort_sigs = ();
+ # Test patch
+ ### import the Snort classification.config file
+ &import_snort_class_priorities();
+
for my $dir ($config{'SNORT_RULES_DIR'},
$config{'FWSNORT_RULES_DIR'}) {
next unless -d $dir;
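Review bot: the `# Test patch` marker above the moved `&import_snort_class_priorities();` call should not be merged as-is; drop the marker and keep only the original `### import the Snort classification.config file` comment so the moved call reads like the surrounding code. Moving the import ahead of the rules loop is what makes `%snort_class_dl` available to the classtype lookup, so the move itself is the right fix.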
@@ -4055,6 +4059,10 @@
if (/[\s;]classtype:\s*(.*?)\s*;/) {
$fwsnort_sigs{$sid}{'classtype'} = $1;
+ # Test patch
+ if (defined $snort_class_dl{$1} ) {
+ $snort_rule_dl{$sid} = $snort_class_dl{$1};
+ }
} else {
$fwsnort_sigs{$sid}{'classtype'} = '';
}
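Review bot: the classtype branch writes `$snort_rule_dl{$sid}` directly, so a sid present in both `SNORT_RULES_DIR` and `FWSNORT_RULES_DIR` ends up with whichever file is read last, and any later reset of `%snort_rule_dl` wipes these entries (which is what forces the hunks below to disable that reset). Suggest storing the class-derived level alongside the rule instead, e.g. `$fwsnort_sigs{$sid}{'class_dl'} = $snort_class_dl{$1};`, and resolving snort_rule_dl first, then the class level, then the default of 2 at the point where the level is looked up. Also copy `$1` into a lexical (`my $classtype = $1;`) before the `defined` test so a later regex cannot clobber it.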
@@ -4086,9 +4094,6 @@
}
}
- ### import the Snort classification.config file
- &import_snort_class_priorities();
-
### import the reference.config file
&import_snort_reference_config();
@@ -4158,7 +4163,8 @@
sub import_snort_rule_dl() {
- %snort_rule_dl = ();
+ # Test patch
+ #%snort_rule_dl = ();
### parse the snort_rule_dl file
return unless -e $config{'SNORT_RULE_DL_FILE'};
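Review bot: commenting out `%snort_rule_dl = ();` instead of deleting it leaves dead code, and it changes the function's contract: if `import_snort_rule_dl()` runs again (for example on a config re-read), levels from the previous read are no longer cleared, so an entry removed from `snort_rule_dl` keeps its old value. If the class-derived levels are kept in a separate hash, as suggested for the classtype hunk, this reset can stay exactly as it was.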
@@ -4172,7 +4178,15 @@
unless ($dl >= 0 and $dl < 6) {
next;
}
- $snort_rule_dl{$sid} = $dl;
+ # Test patch
+ if ( defined $snort_rule_dl{$sid} ) {
+ if ( $snort_rule_dl{$sid} lt $dl ) {
+ $snort_rule_dl{$sid} = $dl;
+ }
+ } else {
+ $snort_rule_dl{$sid} = $dl;
+ }
+ #$snort_rule_dl{$sid} = $dl;
}
}
close F;
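Review bot: `$snort_rule_dl{$sid} lt $dl` is a string comparison; danger levels are the integers 0..5 so it happens to work for single digits, but the numeric `<` is the correct operator. More importantly, taking the larger of the two values defeats the purpose of `snort_rule_dl` as a per-rule override (as the submitter also concludes below): the original unconditional `$snort_rule_dl{$sid} = $dl;` is the right behaviour, with classification.config supplying only the default for sids that file does not list. Remove the commented-out original line rather than leaving it in.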
PS: line numbers may be slightly off because we have a few more lines of patching to enable psad to work with shorewall.
The last section of the above patch should be ignored as it honors danger levels in 'snort_rule_dl' only if they are greater than the ones assigned through 'classification.config', and this is not reasonable.
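As an added illustration of the precedence the issue argues for (classification.config supplies the default, snort_rule_dl overrides per sid, 2 is the fallback), written stand-alone and not taken from psad; the snort_rule_dl line layout and the priority-to-danger-level conversion are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample inputs, not taken from any real Snort or psad install.
my @classification_cfg = (
    'config classification: attempted-admin,Attempted Administrator Privilege Gain,1',
    'config classification: misc-activity,Misc activity,3',
);
my @rules = (
    'alert tcp any any -> any 22 (msg:"constructed A"; classtype:attempted-admin; sid:9000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"constructed B"; classtype:misc-activity; sid:9000002; rev:1;)',
    'alert udp any any -> any 53 (msg:"constructed C, no classtype"; sid:9000003; rev:1;)',
);
# Assumed snort_rule_dl layout: one "<sid> <danger level>" pair per line.
my @snort_rule_dl_file = ('9000002 5');
my $default_dl = 2;

# Step 1: classtype -> danger level. Snort priority 1 is the most severe, so it is
# inverted onto psad's 1..5 scale (assumed conversion; psad has its own in
# import_snort_class_priorities()).
my %snort_class_dl;
for (@classification_cfg) {
    next unless /^config classification:\s*([^,]+),[^,]*,(\d+)\s*$/;
    my $dl = 6 - $2;
    $snort_class_dl{$1} = $dl > 5 ? 5 : $dl < 1 ? 1 : $dl;
}

# Step 2: every parsed rule gets its classtype's level as the default.
my (%snort_rule_dl, @sids);
for (@rules) {
    next unless /[\s;]sid:\s*(\d+)\s*;/;
    my $sid = $1;
    push @sids, $sid;
    if (/[\s;]classtype:\s*(.*?)\s*;/) {
        my $classtype = $1;    # copy before anything else can reset $1
        $snort_rule_dl{$sid} = $snort_class_dl{$classtype} if defined $snort_class_dl{$classtype};
    }
}

# Step 3: snort_rule_dl entries win unconditionally, so no 'lt' comparison is needed.
for (@snort_rule_dl_file) {
    next unless /^\s*(\d+)\s+(\d+)\s*$/;
    my ($sid, $dl) = ($1, $2);
    $snort_rule_dl{$sid} = $dl if $dl >= 0 and $dl < 6;
}

# Step 4: anything still unset falls back to psad's default of 2.
printf "sid %s -> danger level %d\n", $_, $snort_rule_dl{$_} // $default_dl for @sids;
```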