ITUS Networks User Forum
Intrusion Prevention Rule 2017005 Blocking downloads - Printable Version

+- ITUS Networks User Forum (https://packetinspector.org)
+-- Forum: Shield (https://packetinspector.org/forumdisplay.php?fid=1)
+--- Forum: Shield Mode - Bridge (https://packetinspector.org/forumdisplay.php?fid=3)
+---- Forum: RC2 - Firmware (https://packetinspector.org/forumdisplay.php?fid=30)
+---- Thread: Intrusion Prevention Rule 2017005 Blocking downloads (/showthread.php?tid=634)



Intrusion Prevention Rule 2017005 Blocking downloads - nickthewhale - 11-21-2015

Is anyone seeing the Intrusion Prevention Rule with SID 2017005 blocking app downloads from the iTunes App Store? I have commented out this rule a couple of times, but every time Suri updates the rules it gets enabled again. Any help would be great.

Thanks


RE: Intrusion Prevention Rule 2017005 Blocking downloads - Garrett - 11-21-2015

Nick,

The next firmware release is just around the corner and has the ability to exclude a rule that will remain between updates baked into the Web GUI. Until then you can add the following line to the suri rules update script.

sed -i '/sid:2017005/s/^/#/' /etc/suricata/rules/suri.rules


RE: Intrusion Prevention Rule 2017005 Blocking downloads - nickthewhale - 11-21-2015

(11-21-2015, 12:30 PM)Garrett Wrote: Nick,

The next firmware release is just around the corner and has the ability to exclude a rule that will remain between updates baked into the Web GUI.  Until then you can add the following line to the suri rules update script.

sed -i '/sid:2017005/s/^/#/' /etc/suricata/rules/suri.rules

Garrett,

Thank you for the information. Can you explain what each part of this line does, and where in the script I should add the line?

Also I am using v3 of the Suri script.

thanks


RE: Intrusion Prevention Rule 2017005 Blocking downloads - Garrett - 11-21-2015

(11-21-2015, 01:03 PM)nickthewhale Wrote:

Garrett,

Thank you for the information. Can you explain what each part of this line does, and where in the script I should add the line?

thanks


The command finds the SID number 2017005 and inserts a # at the beginning of the rule to comment it out.

Insert it like below:

cp /etc/suricata/rules/download/suri.rules /etc/suricata/rules/suri.rules
sed -i '/sid:2017005/s/^/#/' /etc/suricata/rules/suri.rules
/etc/init.d/suricata restart

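As an added example (not from the thread and not the ITUS firmware's own update script), a small POSIX sh version of the step above that matches the full "sid:<n>;" token rather than a bare SID prefix, leaves lines that are already commented alone so it can be re-run, and reports SIDs that matched nothing. Paths follow the thread; the rule lines and the extra SIDs are constructed.

```shell
#!/bin/sh
# Added example, not the ITUS firmware's own update script. Keeps a set of
# Suricata SIDs disabled across rule updates and checks each was really matched.
# Paths follow the thread; the rule lines and the extra SIDs below are constructed.

# Comment out, in rules file $1, every rule whose "sid:<n>;" is among the
# remaining arguments. Matching "sid:<n>;" (with the semicolon) keeps a bare
# /sid:2017005/ pattern from also hitting sid:20170050, sid:20170051, ...
# Lines already starting with # are left alone, so re-running is harmless.
# Prints the SIDs that matched no rule, so a mistyped SID is noticed.
disable_sids() {
    rules=$1; shift
    missing=""
    for sid in "$@"; do
        if grep -q "sid:${sid};" "$rules"; then
            sed -i "/sid:${sid};/s/^[^#]/#&/" "$rules"
        else
            missing="${missing}${missing:+ }${sid}"
        fi
    done
    printf '%s\n' "$missing"
}

# Count of still-active (uncommented) rules in file $1 carrying sid:$2.
active_count() {
    grep -c "^[^#].*sid:${2};" "$1" || true
}

# Stand-alone demo mirroring the update script's three steps on a constructed
# rules file: copy the fresh download, patch it, then (on the Shield) restart.
demo() {
    work=$(mktemp -d)
    cat >"$work/download.rules" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED rule to disable"; sid:2017005; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED decoy, must stay on"; sid:20170050; rev:1;)
# alert tcp any any -> any any (msg:"CONSTRUCTED already commented"; sid:2017005; rev:2;)
EOF
    cp "$work/download.rules" "$work/suri.rules"                # step 1
    missing=$(disable_sids "$work/suri.rules" 2017005 9999999)  # step 2 (9999999 is bogus)
    # step 3 would be: /etc/init.d/suricata restart
    printf 'SIDs not found: %s\n' "$missing"                    # 9999999
    printf 'sid 2017005 active rules: %s\n' "$(active_count "$work/suri.rules" 2017005)"   # 0
    printf 'sid 20170050 active rules: %s\n' "$(active_count "$work/suri.rules" 20170050)" # 1
    rm -rf "$work"
}

demo
```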

RE: Intrusion Prevention Rule 2017005 Blocking downloads - nickthewhale - 11-21-2015

(11-21-2015, 01:17 PM)Garrett Wrote:

The command finds the SID number 2017005 and inserts a # at the beginning of the rule to comment it out.

Insert it like below:

cp /etc/suricata/rules/download/suri.rules /etc/suricata/rules/suri.rules
sed -i '/sid:2017005/s/^/#/' /etc/suricata/rules/suri.rules
/etc/init.d/suricata restart

Garrett,

Thanks, I added that to the script. One last question about this topic: is there a way to update the rules? I see it has a rev number. How do we report rules that are acting up, like this one, where it is blocking App Store downloads or causing other issues, so the rules can be reviewed and updated?

Thanks


RE: Intrusion Prevention Rule 2017005 Blocking downloads - Garrett - 11-21-2015

(11-21-2015, 01:35 PM)nickthewhale Wrote:

Garrett,

Thanks, I added that to the script. One last question about this topic: is there a way to update the rules? I see it has a rev number. How do we report rules that are acting up, like this one, where it is blocking App Store downloads or causing other issues, so the rules can be reviewed and updated?

Thanks

The new firmware that we are shooting to release next week will show the update date for Blacklist & Snort Rules on the overview screen when you log in. This is the first time I have seen a report of Snort blocking Apple Store downloads, as we usually see the Web Filter causing this issue.

False positives can be reported here:
https://itus.io/support/#Help