From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Sat, 10 Apr 2021 19:18:10 +0200
Message-ID: <1fd4784ff38cd5453c39cce974ab84c81bd43c1c.camel@ipfire.org>
In-Reply-To: <ea38f236-1b8a-f3f9-81c9-e43b870d1d64@ipfire.org>
Hello Adolf,
a big thanks for downloading, testing and sharing your feedback.
As you reported mostly the same issues as Michael did, I've answered
them already in the response to his mail.
I'm going to fix all these issues and report back when a new test version
is finished.
Best regards,
- Stefan
> Hi Stefan,
>
> I tested this on my vm testbed.
>
> On 09/04/2021 21:27, Stefan Schantl wrote:
> > Hello Development Team and list followers,
> >
> > there are a lot of different vendors out there which offer different
> > IDS rules for Suricata. Some of them offer a complete set of rules and
> > other ones some very specialized rules for different tasks.
> >
> > Unfortunately it was only possible to select one ruleset provider
> > at a time, so it usually wasn't an option to use one of them and
> > keep a lot of traffic uninspected by the IDS.
> >
> > Today I'm very happy to announce a testing version of a reworked
> > Intrusion Detection System which supports the usage of multiple
> > different providers and rulesets at the same time.
> >
> > In total up to 15 different ruleset providers can now be used and mixed
> > together to fit your personal requirements. They can easily be managed
> > and configured via the WUI. Of course each one can be individually
> > disabled or re-enabled at any time.
> >
> > The section for customizing the entire ruleset has been moved to a
> > subpage, which allows enabling a certain amount of ruleset files or
> > enabling / disabling single rules inside them.
> >
> > This helps to speed up the CGI if you want to manage your whitelist,
> > manage your ruleset providers or change basic settings of your IDS.
> >
> > If you liked this short introduction, please help us with testing to get
> > this cool stuff into the core distribution as soon as possible and to
> > find bugs or other improvements.
> >
> > The test versions and some screenshots can be found here:
> >
> > https://people.ipfire.org/~stevee/ids-multiple-providers/
> >
> > To join testing, please download the latest tarball and place it on
> > your IPFire test machine.
> >
> > Extract the archive by using "tar -xvf ids-multiple-providers-XXX.tar.gz -C /"
> > on your local console or via SSH remote session.
> Extracting the archive worked with no problems.
> > The next steps would be to regenerate the language cache by executing
> > "update-langs-cache" and to launch "convert-ids-multiple-providers".
>
> update-lang-cache worked fine. When I tried to run
> convert-ids-multiple-providers I got the message
>
> bash: /usr/sbin/convert-ids-multiple-providers: Permission denied
>
> I was running the command as root so I checked the file and it was
> not set as executable. I changed this and it then ran but came back
> with the following error message
>
> Can't locate /var/ipfire/ids-functions.pl1 at /usr/sbin/convert-ids-multiple-providers line 25
>
> I edited the .pl1 to .pl and re-ran the converter and it completed
> without any further error message.
>
>
> I then had the new WUI IDS page.
>
>
> I selected an additional provider, OISF, and it was added to the list
> of providers. I then selected customise rules and I selected the oisf
> ruleset and pressed apply. I just got a white screen with nothing
> happening. I then reloaded IPFire in the browser again and OISF
> provider was still listed but on the rules page it was not selected.
> Tried again and same thing happened. I then pressed the delete button
> to remove the OISF provider from the list and I get the message "The
> ruleset changes are being applied. Please wait until all opersations
> have completed successfully..." That message has not changed since I
> started writing this email. I then reloaded IPFire in the browser and
> OISF had been removed from the list.
>
>
> Regards,
>
> Adolf
>
> > The converter will convert all your existing settings into the new
> > format and will also take care of your used rules and their settings.
> >
> > As usual, please report back any kind of feedback on this list and
> > submit any found bugs to our bugtracker (https://bugs.ipfire.org).
> >
> > Thanks in advance,
> >
> > -Stefan
> >
> >
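The two defects Adolf hit while following the quoted install steps (converter shipped without the executable bit, and a `require` pointing at `ids-functions.pl1` instead of `.pl`) can be caught before anything is extracted over `/`. The script below is an added example and not part of the thread or of IPFire's own code; it assumes the tarball has first been extracted into a staging directory (`tar -xvf ... -C <staging-dir>`) and only resolves literal absolute paths in Perl `require` statements, not paths built from variables.

```sh
#!/bin/sh
# Added example, not from the IPFire project: pre-flight checks for a staged
# copy of the ids-multiple-providers tarball, run before extracting it over /.
# Assumption: the tarball was extracted with "tar -xvf ... -C <staging-dir>".

# Check 1: every regular file destined for /usr/sbin must carry the executable
# bit (the converter in the thread was shipped without it).
check_sbin_exec() {
    dir="$1"; rc=0
    for f in "$dir"/usr/sbin/*; do
        [ -f "$f" ] || continue
        if [ ! -x "$f" ]; then
            echo "NOT EXECUTABLE: ${f#"$dir"}"
            rc=1
        fi
    done
    return $rc
}

# Check 2: every literal absolute path in a Perl `require "..."` must exist in
# the staging tree or on the running system (catches ids-functions.pl1 vs .pl).
# Paths assembled from variables are not resolved by this static check.
check_perl_requires() {
    dir="$1"; rc=0
    for script in $(grep -rl '^#!.*perl' "$dir" 2>/dev/null); do
        for req in $(sed -n 's/^[[:space:]]*require[[:space:]]*["'\'']\(\/[^"'\'']*\)["'\''].*/\1/p' "$script"); do
            if [ ! -f "$dir$req" ] && [ ! -f "$req" ]; then
                echo "MISSING REQUIRE: ${script#"$dir"} -> $req"
                rc=1
            fi
        done
    done
    return $rc
}

# Run both checks; non-zero exit means: do not extract this tarball over / yet.
check_ids_tarball() {
    status=0
    check_sbin_exec "$1" || status=1
    check_perl_requires "$1" || status=1
    return $status
}

# Usage: sh check-ids-tarball.sh <staging-dir>
if [ -n "$1" ]; then
    check_ids_tarball "$1"
fi
```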