From b6eb062e73bea5a85fbd7c43e3661208796dc360 Mon Sep 17 00:00:00 2001 From: Eddie Arrage Date: Tue, 24 Apr 2018 00:22:07 +0000 Subject: Fix snort rule with blank content & WR packet in alert - Fix bug with addition of content field in rule definition that causes rules with a blank content fields to inhibit snort from starting successfully. - Write more of the packet data for snort alert into Redis - Above includes X-Real-IP, X-Forwarded-For header fields for http traffic from proxy that shows source IP Some packet data is missing in alerts from snort. Change-Id: I2c5c29e514d1ca9e8e5b9b3f7990afa87c6311b9 Signed-off-by: Eddie Arrage --- samples/services/snort_ids/docker/grpc/snort_server.py | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) (limited to 'samples/services/snort_ids/docker/grpc/snort_server.py') diff --git a/samples/services/snort_ids/docker/grpc/snort_server.py b/samples/services/snort_ids/docker/grpc/snort_server.py index 9ece832..223461a 100644 --- a/samples/services/snort_ids/docker/grpc/snort_server.py +++ b/samples/services/snort_ids/docker/grpc/snort_server.py @@ -33,10 +33,16 @@ class Controller(snort_pb2_grpc.ControllerServicer): # file_local = 'testfile' file_local = '/etc/snort/rules/local.rules' f = open(file_local, 'a') - rule = 'alert {} {} {} -> {} {} '.format( - r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \ - + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format( - r.msg, r.content, r.sid, r.rev) + if r.content: + rule = 'alert {} {} {} -> {} {} '.format( + r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \ + + '(msg:"{}"; content:{}; sid:{}; rev:{};)\n'.format( + r.msg, r.content, r.sid, r.rev) + else: + rule = 'alert {} {} {} -> {} {} '.format( + r.protocol, r.src_ip, r.src_port, r.dest_ip, r.dest_port) \ + + '(msg:"{}"; sid:{}; rev:{};)\n'.format( + r.msg, r.sid, r.rev) f.write(rule) f.close msg = "Added to local rules" -- cgit 1.2.3-korg