head	1.1;
access;
symbols;
locks; strict;
comment	@# @;


1.1
date	2012.11.03.13.14.06;	author ohauer;	state Exp;
branches;
next	;


desc
@@


1.1
log
@SVN rev 306914 on 2012-11-03 13:14:06Z by ohauer

- update to svn revision 243

Changes: http://code.google.com/p/pulledpork/source/detail?r=243
- Bug #121 - Update to allow for new etpro.com url and cert!
- Bug #119 - Fixed regex [^\\]...
- Unlisted Bug - Allow for escaped ; "\;" in references

Feature safe: yes
@
text
@Index: doc/README.CHANGES
===================================================================
--- doc/README.CHANGES	(revision 230)
+++ doc/README.CHANGES	(revision 243)
@@@@ -1,5 +1,30 @@@@
 PulledPork Changelog
 
+V0.6.2 the Cigar Pig
+
+Bug Fixes:
+- Bug #79 - Fixed race condition that did not allow for disabled rules to be modified using modifysid
+	These rules would then be enabled by flowbit dependency check and be unmodified
+- Bug #77 - Adjusted chown property of archive::tar
+- Bug #78 - Adjusted per bug report to allow for proper ignoring of preproc.rules 
+- Bug #102 - Only Enabled rules are written to sid-msg.map now when -E flag is specified
+- Bug #99 - Doc Bug, updated docs associated with snort_version variable
+- Bug #96 - Modified code to allow for same-line traling comments: "1:10011 #can haz disable!"
+		Also updated the rulestate files (enable,disable,drop)
+- Bug #82 - Modified run order to force modifysid to run before all other sid state modification routines
+		This allows for sid changes to be made prior to automatic state determination ala automatic
+		flowbit resolution.  NOTE that this DOES NOT AND WILL NOT disable automatic flowbit
+		resolution, this is a critical piece.
+- Bug #81 - Updated valid SO distro pre-compiled list
+- Bug #114 - Update Regex to allow for null search/replace in modify_sid sub
+- Unlisted Bug - Allow for escaped ; "\;" in references
+- Bug #121 - Update to allow for new etpro.com url and cert!
+- Bug #119 - Fixed regex [^\\]...
+
+New Features / changes:
+- Bug #105 - Removed Switch function as it is deprecated in > 5.12 perl
+- Unlisted Bug - Include IP Reputation capability
+
 v0.6.1 the Smoking Pig, revisited
 
 Bug Fixes:
Index: etc/pulledpork.conf
===================================================================
--- etc/pulledpork.conf	(revision 230)
+++ etc/pulledpork.conf	(revision 243)
@@@@ -10,20 +10,22 @@@@
 #######  snort version and subscription etc...)
 ####### 
 
-# The rule_url value replaces the old base_url and rule_file configuration
-# options.  You can now specify one or as many rule_urls as you like, they 
+# You can specify one or as many rule_urls as you like, they 
 # must appear as http://what.site.com/|rulesfile.tar.gz|1234567.  You can specify
 # each on an individual line, or you can specify them in a , separated list
 # i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
 # note that the url, rule file, and oinkcode itself are separated by a pipe |
 # i.e. url|tarball|123456789, 
 rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
+# This format MUST be followed to let pulledpork know that this is a blacklist
+rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
 # get the rule docs!
 rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
-rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
+rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
 # THE FOLLOWING URL is for etpro downloads, note the tarball name change!
 # and the et oinkcode requirement!
-rule_url=https://rules.emergingthreats.net/|etpro.rules.tar.gz|<et oinkcode>
+rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|<et oinkcode>
 # NOTE above that the VRT snortrules-snapshot does not contain the version
 # portion of the tarball name, this is because PP now automatically populates
 # this value for you, if, however you put the version information in, PP will
@@@@ -50,9 +52,6 @@@@
 # previous ignore line and uncomment the following!
 # ignore=deleted,experimental,local,decoder,preprocessor,sensitive-data
 
-# Define your Oinkcode - DEPRICATED, SEE RULE_URL
-# oinkcode=replacethiswithyouroinkcode
-
 # What is our temp path, be sure this path has a bit of space for rule 
 # extraction and manipulation, no trailing slash
 temp_path=/tmp
@@@@ -116,12 +115,15 @@@@
 sostub_path=/usr/local/etc/snort/rules/so_rules.rules
 
 # Define your distro, this is for the precompiled shared object libs!
-# Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
-# CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
-# FC-5, FC-9, FC-11, FC-12, RHEL-5.0
-# FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
-# OpenSUSE-11-3
-distro=FreeBSD-8.0
+# Valid Distro Types:
+# Debian-5-0, Debian-6-0,
+# Ubuntu-8.04, Ubuntu-10-4
+# Centos-4-8, Centos-5-4
+# FC-12, FC-14, RHEL-5-5, RHEL-6-0
+# FreeBSD-7-3, FreeBSD-8-1
+# OpenBSD-4-8
+# Slackware-13-1
+distro=FreeBSD-8.1
 
 #######  This next section is optional, but probably pretty useful to you.
 #######  Please read thoroughly!
@@@@ -160,8 +162,7 @@@@
 
 # This defines the version of snort that you are using, for use ONLY if the 
 # proper snort binary is not on the system that you are fetching the rules with
-# Defining this value will set the Textonly flag, and thus will NOT allow
-# you to use shared object rules.  This value MUST contain all 4 minor version
+# This value MUST contain all 4 minor version
 # numbers. ET rules are now also dependant on this, verify supported ET versions
 # prior to simply throwing rubbish in this variable kthx!
 # snort_version=2.9.0.0
@@@@ -183,4 +184,4 @@@@
 ####### need to process so_rules, simply comment out the so_rule section
 ####### you can also specify -T at runtime to process only GID 1 rules.
 
-version=0.6.0
+version=0.6.1
Index: etc/disablesid.conf
===================================================================
--- etc/disablesid.conf	(revision 230)
+++ etc/disablesid.conf	(revision 243)
@@@@ -6,6 +6,10 @@@@
 # Example of modifying state for rule ranges
 # 1:220-1:3264,3:13010-3:13013
 
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
 # Example of modifying state for MS and cve rules, note the use of the : 
 # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
 # and all MS00 and all cve 2000 related sids!  These support regular expression
Index: etc/dropsid.conf
===================================================================
--- etc/dropsid.conf	(revision 230)
+++ etc/dropsid.conf	(revision 243)
@@@@ -10,6 +10,10 @@@@
 # Example of modifying state for rule ranges
 # 1:220-1:3264,3:13010-3:13013
 
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
 # Example of modifying state for MS and cve rules, note the use of the : 
 # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
 # and all MS00 and all cve 2000 related sids!  These support regular expression
Index: etc/enablesid.conf
===================================================================
--- etc/enablesid.conf	(revision 230)
+++ etc/enablesid.conf	(revision 243)
@@@@ -10,6 +10,10 @@@@
 # Example of modifying state for rule ranges
 # 1:220-1:3264,3:13010-3:13013
 
+# Comments are allowed in this file, and can also be on the same line
+# As the modify state syntax, as long as it is a trailing comment
+# 1:1011 # I Disabled this rule because I could!
+
 # Example of modifying state for MS and cve rules, note the use of the : 
 # in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301,
 # and all MS00 and all cve 2000 related sids!  These support regular expression
Index: pulledpork.pl
===================================================================
--- pulledpork.pl	(revision 230)
+++ pulledpork.pl	(revision 243)
@@@@ -33,7 +33,6 @@@@
 use Getopt::Long qw(:config no_ignore_case bundling);
 use Archive::Tar;
 use POSIX qw(:errno_h);
-use Switch;
 use Cwd;
 use Carp;
 
@@@@ -41,7 +40,7 @@@@
 
 # we are gonna need these!
 my ( $oinkcode, $temp_path, $rule_file, $Syslogging );
-my $VERSION = "PulledPork v0.6.1 the Smoking Pig <////~";
+my $VERSION = "PulledPork v0.6.2dev the Cigar Pig <////~";
 my $ua      = LWP::UserAgent->new;
 
 my ( $Hash, $ALogger, $Config_file, $Sorules, $Auto );
@@@@ -139,11 +138,12 @@@@
    -d Do not verify signature of rules tarball, i.e. downloading fron non VRT or ET locations.
    -D What Distro are you running on, for the so_rules
       For latest supported options see http://www.snort.org/snort-rules/shared-object-rules
-      Valid Distro Types=Debian-Lenny, Ubuntu-6.01.1, Ubuntu-8.04
-		CentOS-4.6, Centos-4-8, CentOS-5.0, Centos-5-4
-		FC-5, FC-9, FC-11, FC-12, RHEL-5.0
-		FreeBSD-6.3, FreeBSD-7-2, FreeBSD-7-3, FreeBSD-7.0, FreeBSD-8-0, FreeBSD-8-1
-		OpenSUSE-11-3
+      Valid Distro Types:
+		Debian-5-0, Debian-6-0, Ubuntu-8.04, Ubuntu-10-4
+		Centos-4-8, Centos-5-4,	FC-12, FC-14, RHEL-5-5, RHEL-6-0
+		FreeBSD-7-3, FreeBSD-8-1
+		OpenBSD-4-8
+		Slackware-13-1
    -e Where the enablesid config file lives.
    -E Write ONLY the enabled rules to the output files.
    -g grabonly (download tarball rule file(s) and do NOT process)
@@@@ -222,6 +222,7 @@@@
     my $tar = Archive::Tar->new();
     $tar->read( $temp_path . $rule_file );
     $tar->setcwd( cwd() );
+    local $Archive::Tar::CHOWN = 0; 
     my @@ignores = split( /,/, $ignore );
 
     foreach (@@ignores) {
@@@@ -233,7 +234,7 @@@@
             print "\tIgnoring preprocessor rules: $_\n"
               if ( $Verbose && !$Quiet );
             my $preprocfile = $_;
-            $preprocfile =~ s/preproc/rules/;
+            $preprocfile =~ s/\.preproc/\.rules/;
             $tar->remove("preproc_rules/$preprocfile");
         }
         elsif ( $_ =~ /\.so/ ) {
@@@@ -368,6 +369,10 @@@@
           getstore( "https://www.snort.org/reg-rules/$rule_file/$oinkcode",
             $temp_path . $rule_file );
     }
+    elsif ($rule_file eq "IPBLACKLIST"){
+	$getrules_rule =
+	  getstore( "http://labs.snort.org/feeds/ip-filter.blf", $temp_path . "black_list.rules")
+    }
     else {
         $getrules_rule =
           getstore( $base_url . "/" . $rule_file, $temp_path . $rule_file );
@@@@ -435,7 +440,7 @@@@
           getstore( "https://www.snort.org/reg-rules/$rule_file.md5/$oinkcode",
             $temp_path . $rule_file . ".md5" );
     }
-    elsif ( $base_url =~ /emergingthreats\.net/i ) {
+    elsif ( $base_url =~ /(emergingthreats\.net|emergingthreatspro\.com)/i ) {
         $getrules_md5 = getstore(
             "$base_url/$rule_file" . ".md5",
             $temp_path . $rule_file . ".md5"
@@@@ -708,17 +713,16 @@@@
     open( FH, "<$file" ) || carp "Unable to open $file\n";
     while (<FH>) {
         next if ( ( $_ =~ /^\s*#/ ) || ( $_ eq " " ) );
-        if ( $_ =~ /([\d+|,|\*]*)\s+"(.+)"\s+"(.+)"/ ) {
+        if ( $_ =~ /([\d+|,|\*]*)\s+"(.+)"\s+"(.*)"/ ) {
             my ( $sids, $from, $to ) = ( $1, $2, $3 );
             @@arry = split( /,/, $sids ) if $sids !~ /\*/;
             @@arry = "*" if $sids =~ /\*/;
             foreach my $sid (@@arry) {
                 $sid = trim($sid);
-                if ( $sid ne "*" && exists $$href{1}{$sid} ) {
+                if ( $sid ne "*" && defined $$href{1}{$sid}{'rule'} ) {
                     print "\tModifying SID:$sid from:$from to:$to\n"
                       if ( $Verbose && !$Quiet );
-                    $$href{1}{$sid}{'rule'} =~ s/$from/$to/
-                      if $$href{1}{$sid}{'rule'} !~ /^\s*#/;
+                    $$href{1}{$sid}{'rule'} =~ s/$from/$to/;
                 }
                 elsif ( $sid eq "*" ) {
                     print "\tModifying ALL SIDS from:$from to:$to\n"
@@@@ -739,21 +743,22 @@@@
 # speed ftw!
 sub modify_state {
     my ( $function, $SID_conf, $hashref, $rstate ) = @@_;
-    my ( @@sid_mod, $sidlist );
+    my ( @@sid_mod, $sidlist);
     print "Processing $SID_conf....\n" if !$Quiet;
     print "\tSetting rules specified in $SID_conf to their default state!\n"
       if ( !$Quiet && $function eq 'enable' && $rstate );
     if ( -f $SID_conf ) {
         open( DATA, "$SID_conf" ) or carp "unable to open $SID_conf $!";
         while (<DATA>) {
-            $sidlist = $_;
+	    next unless ($_ !~ /^\s*#/ && $_ ne "");
+	    $sidlist = (split '#',$_)[0];
             chomp($sidlist);
             $sidlist = trim($sidlist);
-            if ( ( $sidlist !~ /^\s*#/ ) && ( $sidlist ne "" ) && !(@@sid_mod) )
+            if (!@@sid_mod )
             {
                 @@sid_mod = split( /,/, $sidlist );
             }
-            elsif ( ( $sidlist !~ /^\s*#/ ) && ( $sidlist ne "" && @@sid_mod ) )
+            elsif (@@sid_mod)
             {
                 push( @@sid_mod, split( /,/, $sidlist ) );
             }
@@@@ -861,8 +866,8 @@@@
                     if ( $gid && $sid ) {
                         $gid =~ s/:\d+//;
                         $sid =~ s/\d+://;
-                        switch ($function) {
-                            case "enable" {
+                        if ($function) {
+                            if ($function eq "enable") {
                                 if ( exists $$hashref{$gid}{$sid}
                                     && $$hashref{$gid}{$sid}{'rule'} =~
                                     /^\s*#\s*(alert|drop|pass)/i
@@@@ -904,7 +909,7 @@@@
                                     }
                                 }
                             }
-                            case "drop" {
+                            elsif ($function eq "drop") {
                                 if ( exists $$hashref{$gid}{$sid}
                                     && $$hashref{$gid}{$sid}{'rule'} =~
                                     /^\s*#*\s*alert/i )
@@@@ -919,7 +924,7 @@@@
                                     $sidcount++;
                                 }
                             }
-                            case "disable" {
+                            elsif ($function eq "disable") {
                                 if ( exists $$hashref{$gid}{$sid}
                                     && $$hashref{$gid}{$sid}{'rule'} =~
                                     /^\s*(alert|drop|pass)/i )
@@@@ -974,15 +979,16 @@@@
 
 ## make the sid-msg.map
 sub sid_msg {
-    my ( $ruleshash, $sidhash ) = @@_;
+    my ( $ruleshash, $sidhash, $enonly ) = @@_;
     my ( $gid, $arg, $msg );
     print "Generating sid-msg.map....\n" if !$Quiet;
     foreach my $k ( sort keys %$ruleshash ) {
         foreach my $k2 ( sort keys %{ $$ruleshash{$k} } ) {
+	    next if ((defined $enonly) && $$ruleshash{$k}{$k2}{'rule'} !~ /^\s*(alert|drop|pass)/);
             ( my $header, my $options ) =
               split( /^[^"]* \(\s*/, $$ruleshash{$k}{$k2}{'rule'} )
               if defined $$ruleshash{$k}{$k2}{'rule'};
-            my @@optarray = split( /;(\t|\s)?/, $options ) if $options;
+            my @@optarray = split( /[^\\];(\t|\s)?/, $options ) if $options;
             foreach my $option ( reverse(@@optarray) ) {
                 my ( $kw, $arg ) = split( /:/, $option ) if $option;
                 if ( $kw && $arg ) {
@@@@ -1460,8 +1466,8 @@@@
 
 if ( exists $Config_info{'version'} ) {
     croak "You are not using the current version of pulledpork.conf!\n",
-      "Please use the version that shipped with $VERSION!\n\n"
-      if $Config_info{'version'} ne "0.6.0";
+      "Please use the version of pulledpork.conf that shipped with $VERSION!\n\n"
+      if $Config_info{'version'} ne "0.6.1";
 }
 else {
     croak
@@@@ -1674,6 +1680,7 @@@@
     }
     else {
         $ENV{HTTPS_PROXY} = $proxy;
+	$ENV{HTTP_PROXY} = $proxy;
     }
 }
 undef $proxy;
@@@@ -1742,7 +1749,7 @@@@
                     $rule_file = "snortrules-snapshot-$Snortv.tar.gz";
                 }
             }
-            elsif ( $base_url =~ /emergingthreats.net/ ) {
+            elsif ( $base_url =~ /(emergingthreats.net|emergingthreatspro.com)/ ) {
                 $prefix = "ET-";
                 my $Snortv = $Snort;
                 $Snortv =~ s/(?<=\d\.\d\.\d)\.\d//;
@@@@ -1794,7 +1801,7 @@@@
                     $rule_file = "snortrules-snapshot-$Snortv.tar.gz";
                 }
             }
-            $prefix = "ET-" if $base_url =~ /emergingthreats.net/;
+            $prefix = "ET-" if $base_url =~ /(emergingthreats.net|emergingthreatspro.com)/;
             croak "file $temp_path/$rule_file does not exist!\n"
               unless -f "$temp_path/$rule_file";
             rule_extract(
@@@@ -1843,6 +1850,10 @@@@
         policy_set( $ips_policy, \%rules_hash );
     }
 
+    if ( $sidmod{modify} && -f $sidmod{modify} ) {
+        modify_sid( \%rules_hash, $sidmod{modify} );
+    }
+    
     foreach (@@sidact) {
         if ( $sidmod{$_} && -f $sidmod{$_} ) {
             modify_state( $_, $sidmod{$_}, \%rules_hash, $rstate );
@@@@ -1852,11 +1863,7 @@@@
         }
     }
 
-    if ( $sidmod{modify} && -f $sidmod{modify} ) {
-        modify_sid( \%rules_hash, $sidmod{modify} );
-    }
-
-    print "Setting Flowbit State....\n"
+   print "Setting Flowbit State....\n"
       if ( !$Quiet );
 
     my $fbits = 1;
@@@@ -1878,8 +1885,7 @@@@
     }
 
     if ($sid_msg_map) {
-
-        sid_msg( \%rules_hash, \%sid_msg_map );
+        sid_msg( \%rules_hash, \%sid_msg_map, $enonly );
         sid_write( \%sid_msg_map, $sid_msg_map );
     }
 
@
