 | SearchForum Home | |
| | |
| | |
| | |
 | | |
|
|
|
| Enabled rules not uploaded |
|
|
I noticed a strange situation today that I thought I'd report here. We're running IDSPM v2 beta2. I updated one of my policies and pushed it to a sensor and then noticed that the snort process on that sensor did not restart. I checked the logs on the sensor and it was complaining that bleeding-botcc.rules didn't exist. So I checked the snort.conf, and bleeding-botcc.rules was indeed included (was not commented) but it was not present in the rules directory. So I went back to IDSPM and double-checked that it was enabled, and it was. I pushed the policy again, and the bleeding-botcc.rules file was not uploaded. I deleted the bleeding-botcc rule category from the policy in IDSPM and updated the policy so that the rules were downloaded again. I then pushed the policy again, but again the bleeding-botcc.rules file wasn't uploaded.
Finally, I decided to just disable it in the IDSPM. I pushed the policy to the sensor and was a bit surprised to see that the bleeding-botcc.rules file showed up! It was commented out of the snort.conf as I would have expected. I then tried to enable it again from IDSPM and push the policy to the sensor again. But again it was back to the behavior of not sending the bleeding-botcc.rules file. It was still there from the previous policy push, but date/time stamps indicated it was not updated as recently as other rules files and I did not do a Fast update so all policy files were updated.
Any idea why this might be happening? I haven't noticed this with any of my other policies, but I've only been using v2 beta 2 for a couple days now.
Mark
|
|
|
|
| |
|
|
| Re: Enabled rules not uploaded |
|
|
Uncheck fast update checkbox on the update sensors form and see if this solves the problem. It sounds like it is not updating the last modified time for the rule group correctly, therefore not uploading the rules file for that group during fast upload. I will take a look, thanks for the detailed explanation.
FYI: Fast rules update tries to determine which rules have been updated since the last upload and only upload those files. This will increase the upload speed dramatically over updating all files. now if it only worked. :)
Cheers,
Jeff |
|
|
|
| |
|
|
| Re: Enabled rules not uploaded |
|
|
Jeff,
It may be bad news but the IDSPM seems to leave out the botcc rules file even with fast update unchecked. At least that was my experience yesterday. If I find any differently after doing some more testing tomorrow I'll post back.
Mark
|
|
|
|
| |
|
|
| Re: Enabled rules not uploaded |
|
|
I will take a look at fast update and if it is working correctly. As for the rule group update time not updating correctly, this has been resolved in the latest build when enabling and disabling rules and rule groups. This new build will be released on Monday.
Cheers,
Jeff |
|
|
|
| |
| | |
| | |
| | |
|