Ticket #38 (closed task: fixed)

Opened 11 years ago

Last modified 11 years ago

Test snort rule update

Reported by: rmcmillen
Owned by: rmcmillen
Priority: major
Milestone: roo-1.4
Component: Honeywall
Version: 1.4b3
Keywords:
Cc:

Description

Test the snort rule update mechanism and verify the sids are updated in the db once the new ruleset is enabled.

Change History

Changed 11 years ago by rmcmillen

  • type changed from defect to task

Changed 11 years ago by rmcmillen

  • owner changed from [email protected] to rmcmillen
  • status changed from new to assigned

UI menu added to walleye (see ChangeSet 56). hwruleupdate works properly and places new rules in /etc/snort/rules. However, it does not regenerate the sid-msg.map nor does it load it to the db. This can potentially result in an unknown signature value in walleye when it tries to display the alerts.

Also, it does not restart snort by default to use the new rules. However, since the rules are placed in the proper location, if snort is restarted, it will use the new rules.

Todo:
1. recreate /etc/snort/rules/sid-msg.map when new rules are added.
2. load new sid-msg.map to db when new rules are added.
3. test (cannot test till tomorrow because I have already exceeded my max download for the day).
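The first two todo items above, regenerating sid-msg.map from the rules directory and working out which sids the db still lacks, can be checked with the following added example. It is not Honeywall's hwruleupdate code; the rules directory and map paths are parameters, the db load itself is not shown, and the sample rules are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Honeywall's own code. Rebuilds a sid-msg.map from
# $1/*.rules and lists sids that are new relative to the previous map.

# Print "sid || msg" for every active rule in $1/*.rules, which is the
# sid-msg.map line format walleye needs to name an alert. Commented-out
# rules are skipped; msg and sid may appear in either order in the rule
# options. A rule without a msg gets no entry, so it would still show up as
# an unknown signature and is worth flagging separately.
gen_sid_msg_map() {
    awk '
        /^[[:space:]]*#/ { next }
        match($0, /sid:[[:space:]]*[0-9]+/) {
            sid = substr($0, RSTART + 4, RLENGTH - 4)
            gsub(/[[:space:]]/, "", sid)
            if (match($0, /msg:[[:space:]]*"[^"]*"/)) {
                m = substr($0, RSTART, RLENGTH)
                sub(/^msg:[[:space:]]*"/, "", m)
                sub(/"$/, "", m)
                print sid " || " m
            }
        }' "$1"/*.rules | sort -n -u    # one line per sid, numeric order
}

# Print sids present in the new map ($2) but absent from the old map ($1):
# exactly the rows a rule update must also insert into the db.
new_sids() {
    awk 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# Demo on constructed input: one existing rule, one disabled rule, one new
# rule with sid before msg, and one rule with no msg at all.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '1000001 || TEST old rule' > "$d/old.map"
    cat > "$d/test.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"TEST old rule"; sid:1000001; rev:2;)
# alert tcp any any -> any 22 (msg:"TEST disabled"; sid:1000002; rev:1;)
alert udp any any -> any 53 (sid:1000003; msg:"TEST new rule"; rev:1;)
alert icmp any any -> any any (sid:1000004; rev:1;)
EOF
    gen_sid_msg_map "$d" > "$d/new.map"
    cat "$d/new.map"                      # 1000001 and 1000003 entries
    new_sids "$d/old.map" "$d/new.map"    # 1000003
    rm -rf "$d"
}
```

Run `demo` to see both outputs; on a real system point gen_sid_msg_map at /etc/snort/rules and diff its output against the map currently loaded in the db.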

Changed 11 years ago by rmcmillen

ChangeSet [60] handles the recreation of the sid-msg.map and the load of the new map into the db. Still need to test it.

Changed 11 years ago by rmcmillen

  • status changed from assigned to closed
  • resolution set to fixed

Tested on 2 test systems. Downloads new rules and, if there are new rules, updates them; generates snort_inline rules; and updates sids in db.
