
[Snort-devel] Proposed patch: rule file versioning.

From: Sander Smeenk <ssmeenk(at)freshdot.net>
Date: Fri Aug 29 2003 - 07:10:54 EDT


Hello snort devel-team!

I'm the maintainer of the Debian package of Snort. Recently there has been a discussion on a debian list about snort, and other security-related software, and we stumbled upon this problem:

(this is a forward from debian-devel, original poster was Javier Fernández-Sanguino Peña <jfs@computer.org>):

> > Well. Snort just fails to start if it can't parse the rule files. And
> > usually that is with every major upstream release. :(
>
> [Short version: see the patch below.]
>
> [Long version: follows]
> That's obviously suboptimal; snort should be able to determine in some way
> from a rules file if the format is a version it knows or it isn't. C'mon
> version headers are not unheard of, just take a look at the header of any
> HTML file in www.debian.org, it will tell you precisely which DTD to use to
> be able to "understand" it.
>
> It wouldn't be so difficult [1] to have snort analyse the rules file before
> including and determine if its rules can, or cannot, be added. Of course,
> that would mean improving the way rules files are parsed currently.
>
> There is currently no distinction between snort's configuration and the
> rules files themselves (pv.config_file in snort.c) but if they were
> separated the ParseRulesFile in snort's parser.c could be rewritten to
> verify the call to ParseRule and not proceed if there is an indication that
> the rules belong to a new version.
>
> The adjointed patch (probably very ugly, untested and maybe broken)
> provides that functionality. If the snort parser encounters a place of the
> file which has 'version X' with X > SNORT_MAJOR_VERSION then it will not go
> on reading the rest of the rules file. That way you can have rules in one
> file which are read by older snort versions and rules that cannot (maybe
> because the Parser has been enhanced to include new formats).

So I'm presenting snort-devel with this patch to have snort say when rule files are outdated. Please remember that I just forwarded this. I'm not the creator of this patch.

Kind regards,
Sander.

  • parser.c.old 2003-08-26 01:04:50.000000000 +0200 +++ parser.c 2003-08-26 01:20:40.000000000 +0200 @@ -55,6 +55,8 @@ #include "threshold.h"

 #include "snort.h"
+#define SNORT_MAJOR_VERSION 2
+/* SNORT_VERSION should probably be defined in the snort generic headers */  

 ListHead Alert;         /* Alert Block Header */
 ListHead Log;           /* Log Block Header */
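Review bot: SNORT_MAJOR_VERSION is hard-coded to 2 in this hunk, so the constant has to be bumped by hand at every major release, and the comment under it talks about SNORT_VERSION rather than the macro actually being defined. Derive the major number from the build's existing version definition (the comment itself says it belongs in the generic headers) and make the comment name the right macro.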
@@ -128,6 +130,7 @@
     int stored_file_line = file_line;
     char *saved_line = NULL;
     int continuation = 0;
+    int continueread = 1;
     char *new_line = NULL;
     struct stat file_stat; /* for include path testing */
 

@@ -198,7 +201,7 @@    


     /* loop thru each file line and send it to the rule parser */ - while((fgets(buf, STD_BUF, thefp)) != NULL) + while( continueread >0 && (fgets(buf, STD_BUF, thefp)) != NULL)

     {
         /*
          * inc the line counter so the error messages know which line to
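Review bot: `continueread >0` should be spaced like the surrounding code (`continueread > 0`). Testing it before fgets() is the right order, since it means no further line is consumed once ParseRule() has asked to stop, but since ParseRule() only ever returns 0 or 1 in this patch, `continueread != 0` would say more plainly what is meant.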
@@ -248,7 +251,7 @@
                 DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,
                             "[*] Processing rule: %s\n", index););
 
-                ParseRule(thefp, index, inclevel);
+                continueread = ParseRule(thefp, index, inclevel);
 
                 if(new_line != NULL)
                 {
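Review bot: ParseRule()'s return value is now load-bearing, but the patch touches only parser.c; if ParseRule is declared in a header, that prototype has to change from void to int in the same patch, otherwise the build either fails or compiles against a mismatched declaration.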

@@ -454,14 +457,16 @@
  • Arguments: rule => rule string
  • inclevel => nr of stacked "include"s * - * Returns: void function + * Returns: integer, if greater than 0 the processor will keep reading + * the rules file otherwise it will stop * ***************************************************************************/ -void ParseRule(FILE *rule_file, char *prule, int inclevel) +int ParseRule(FILE *rule_file, char *prule, int inclevel) { char **toks; /* dbl ptr for mSplit call, holds rule tokens */ int num_toks; /* holds number of tokens found by mSplit */ int rule_type; /* rule type enumeration variable */ + int version; /* version of the rules below */ char rule[PARSERULE_SIZE]; int protocol = 0; char *tmp; @@ -493,6 +498,19 @@ /* handle non-rule entries */ switch(rule_type) { + case RULE_VERSION: + DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Version\n");); + version = strtol(toks[1], NULL, 10); + if ( errno == ERANGE || errno == EINVAL ) { + FatalError("%s(%d) => Version is not a number %s\n", + file_name, file_line, toks[1]); + } + if ( version > SNORT_MAJOR_VERSION ) { + ErrorMessage("%s(%d) => Version %s not supported, rules file will not be read any longer\n", file_name, file_line, toks[1]); + return 0; + } + return 1 ; + case RULE_PASS: DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Pass\n");); break; @@ -522,22 +540,22 @@

             ParseRulesFile(tmp, inclevel + 1);  

  • return; + return 1;
         case RULE_VAR:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Variable\n"););
             VarDefine(toks[1], toks[2]);
-            return;
+            return 1;
 
         case RULE_PREPROCESS:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Preprocessor\n"););
             ParsePreprocessor(rule);
-            return;
+            return 1;
 
         case RULE_OUTPUT:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Output Plugin\n"););
             ParseOutputPlugin(rule);
-            return;
+            return 1;
 
         case RULE_ACTIVATE:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Activation rule\n"););
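Review bot: the include branch returns 1 no matter what happened inside `ParseRulesFile(tmp, inclevel + 1)`, and ParseRulesFile itself returns nothing, so a `version` line that is too new inside an included file stops only that file while the including file carries on. If that per-file scope is intended, say so in the comment on ParseRule's return value; if a too-new include should stop the parent as well, ParseRulesFile needs to return its final `continueread` and this branch should return that instead of 1.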
@@ -550,21 +568,21 @@
         case RULE_CONFIG:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Rule file config\n"););
             ParseConfig(rule);
-            return;
+            return 1;
 
         case RULE_DECLARE:
             DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Rule type declaration\n"););
             ParseRuleTypeDeclaration(rule_file, rule);
- return; + return 1; case RULE_UNKNOWN: DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Unknown rule type, might be declared\n");); ParseDeclaredRuleType(rule); - return; + return 1; default: DEBUG_WRAP(DebugMessage(DEBUG_CONFIGRULES,"Invalid input: %s\n", prule);); - return; + return 1; } if(num_toks < 7) @@ -580,7 +598,7 @@ " at the end of the line, make sure there are no\n" " carriage returns before the end of this line)\n", file_name, file_line); - return; + return 1; } @@ -713,7 +731,7 @@ free(toks[i]); }
  • return; + return 1; }
 /****************************************************************************
@@ -1772,6 +1790,9 @@
         FatalError("%s(%d) => Unknown rule type (%s)\n", file_name, file_line, func);
     }
     
+    if(!strcasecmp(func, "version"))
+        return RULE_VERSION;
+
     if(!strcasecmp(func, "log"))
         return RULE_LOG;
 
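Review bot: putting the `version` test in this hunk reserves a new keyword for every rules file, and because it runs before the existing keyword checks and before the declared-rule-type fallback (the RULE_UNKNOWN path above), a site that has declared its own rule type called `version` will now have it parsed as RULE_VERSION instead. That deserves a changelog note; also consider honouring the keyword only at the start of a file, since as written the parser stops reading wherever in the file the directive happens to appear.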
53a54

> #define RULE_VERSION 12
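Review bot: the RULE_VERSION case in the @@ -493 hunk reads `toks[1]` without first checking `num_toks`, so a bare `version` line with no argument touches a token that does not exist; it also tests errno after strtol() without clearing it first, so a stale errno from an earlier call turns a valid `version 2` into a FatalError, while strtol() returning 0 for input such as `version abc` is not required to set EINVAL, so that line passes as version 0. Suggest `if (num_toks < 2) FatalError(...)`, `errno = 0;` before the call, and an endptr check (`version = strtol(toks[1], &end, 10); if (end == toks[1] || *end != '\0')`) in place of the EINVAL test, and make sure <errno.h> is included since nothing in the hunk adds it. Comparing only the major number also means a rules-format change within a major series cannot be signalled, which is worth deciding now before the directive's meaning is fixed.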
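Review bot: the final fragment `53a54` / `> #define RULE_VERSION 12` is in plain diff format with no file name, unlike the unified hunks above, so it cannot be applied together with the rest of the patch; please regenerate it as a unified hunk against the header that holds the other RULE_* constants, and check that 12 does not collide with an existing RULE_* value there.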
-- 
| Showering in clothes shows you're crazy. Showering nude shows your nuts.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8  9BDB D463 7E41 08CE C94D
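The versioned-rules-file idea from the forwarded message, as an added example in C that is not part of the posted patch or of Snort: a hardened form of the `version N` check (errno reset, argument-presence and endptr checks, which the patch as posted lacks) driving a minimal read loop that stops at the first version newer than the parser supports. The sample rules are constructed and `newkw` is a made-up option standing in for newer syntax.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <strings.h>   /* strncasecmp (POSIX) */
/* Same contract as the patch's int ParseRule(): 1 = keep reading, 0 = stop
 * reading this file. -1 is added here for a malformed version line. */
enum version_result { VERSION_OK = 1, VERSION_TOO_NEW = 0, VERSION_BAD = -1 };
/* Parse the argument of "version N". Unlike the posted patch this resets errno,
 * requires an argument and rejects junk via endptr (strtol() returns 0 for
 * "abc" and need not set EINVAL, so an errno test alone lets it through). */
enum version_result check_version(const char *arg, long supported_major)
{
    char *end;
    if (arg == NULL || *arg == '\0')
        return VERSION_BAD;                       /* "version" with no number */
    errno = 0;
    long v = strtol(arg, &end, 10);
    while (isspace((unsigned char)*end)) end++;   /* tolerate trailing blanks */
    if (errno == ERANGE || end == arg || *end != '\0' || v < 0)
        return VERSION_BAD;                       /* overflow, junk or negative */
    return v > supported_major ? VERSION_TOO_NEW : VERSION_OK;
}
/* Walk rules lines the way the patched ParseRulesFile() loop does and stop at
 * the first "version" newer than supported. Returns the number of rule lines
 * handed on to the rule parser, or -1 on a malformed version line. */
int load_rules(const char *const *lines, size_t count, long supported_major)
{
    int accepted = 0;
    for (size_t i = 0; i < count; i++) {
        const char *s = lines[i];
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#') continue;    /* blank line or comment */
        if (strncasecmp(s, "version", 7) == 0 &&
            (s[7] == '\0' || isspace((unsigned char)s[7]))) {
            for (s += 7; isspace((unsigned char)*s); s++) ;
            enum version_result r = check_version(s, supported_major);
            if (r == VERSION_BAD) return -1;
            if (r == VERSION_TOO_NEW) break;      /* rest needs a newer parser */
            continue;
        }
        accepted++;                               /* would be passed to ParseRule() */
    }
    return accepted;
}
/* Constructed sample: a 2.x-syntax rule, then a section marked for a newer
 * parser ("newkw" is a made-up option standing in for new syntax). */
const char *const SAMPLE_RULES[] = {
    "version 2",
    "alert tcp any any -> any 80 (msg:\"old syntax\";)",
    "# comment lines and blanks are skipped",
    "version 3  ",
    "alert tcp any any -> any 80 (msg:\"new syntax\"; newkw:1;)",
};
```

A 2.x parser loads one rule from the sample and stops at `version 3`; a 3.x parser loads both.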


Received on Fri Aug 29 07:16:51 2003


