[PATCH 1/7] suricata: Include all default rules

[PATCH 1/7] suricata: Include all default rules

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3926 bytes --]

These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will allow us more insight on what is
happening.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/suricata | 22 ++++++++++++++++++++++
 config/suricata/suricata.yaml    | 24 ++++++++++++++++++++++--
 lfs/suricata                     |  3 ---
 3 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 32358483a..21dbeae64 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -19,6 +19,28 @@ usr/bin/suricata
 #usr/share/man/man1/suricatactl-filestore.1
 #usr/share/man/man1/suricatactl.1
 #usr/share/man/man1/suricatasc.1
+usr/share/suricata/
+#usr/share/suricata/classification.config
+#usr/share/suricata/reference.config
+#usr/share/suricata/rules
+#usr/share/suricata/rules/app-layer-events.rules
+#usr/share/suricata/rules/decoder-events.rules
+#usr/share/suricata/rules/dhcp-events.rules
+#usr/share/suricata/rules/dnp3-events.rules
+#usr/share/suricata/rules/dns-events.rules
+#usr/share/suricata/rules/files.rules
+#usr/share/suricata/rules/http2-events.rules
+#usr/share/suricata/rules/http-events.rules
+#usr/share/suricata/rules/ipsec-events.rules
+#usr/share/suricata/rules/kerberos-events.rules
+#usr/share/suricata/rules/modbus-events.rules
+#usr/share/suricata/rules/mqtt-events.rules
+#usr/share/suricata/rules/nfs-events.rules
+#usr/share/suricata/rules/ntp-events.rules
+#usr/share/suricata/rules/smb-events.rules
+#usr/share/suricata/rules/smtp-events.rules
+#usr/share/suricata/rules/stream-events.rules
+#usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
 var/lib/suricata/classification.config
 var/lib/suricata/reference.config
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 6f37671c8..0ad36e705 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -46,8 +46,28 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Include enabled ruleset files from external file.
-    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    # Default rules
+    - /usr/share/suricata/rules/app-layer-events.rules
+    - /usr/share/suricata/rules/decoder-events.rules
+    - /usr/share/suricata/rules/dhcp-events.rules
+    - /usr/share/suricata/rules/dnp3-events.rules
+    - /usr/share/suricata/rules/dns-events.rules
+    - /usr/share/suricata/rules/files.rules
+    - /usr/share/suricata/rules/http2-events.rules
+    - /usr/share/suricata/rules/http-events.rules
+    - /usr/share/suricata/rules/ipsec-events.rules
+    - /usr/share/suricata/rules/kerberos-events.rules
+    - /usr/share/suricata/rules/modbus-events.rules
+    - /usr/share/suricata/rules/mqtt-events.rules
+    - /usr/share/suricata/rules/nfs-events.rules
+    - /usr/share/suricata/rules/ntp-events.rules
+    - /usr/share/suricata/rules/smb-events.rules
+    - /usr/share/suricata/rules/smtp-events.rules
+    - /usr/share/suricata/rules/stream-events.rules
+    - /usr/share/suricata/rules/tls-events.rules
+
+    # Include enabled ruleset files from external file
+    - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
 
 classification-file: /var/lib/suricata/classification.config
 reference-config-file: /var/lib/suricata/reference.config
diff --git a/lfs/suricata b/lfs/suricata
index c7f189bf4..bd57b829e 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -96,9 +96,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install IPFire related config file.
 	install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
 
-	# Remove shipped rules.
-	rm -rvf /usr/share/suricata
-
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata
 
-- 
2.30.2

[PATCH 2/7] rust: Drop Cargo home directory after build

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1450 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/suricata | 2 --
 lfs/Config                       | 5 ++++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 21dbeae64..7c512b033 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -1,7 +1,5 @@
 etc/suricata
 etc/suricata/suricata.yaml
-#root/.cargo
-#root/.cargo/.package-cache
 usr/bin/suricata
 #usr/share/doc/suricata
 #usr/share/doc/suricata/AUTHORS
diff --git a/lfs/Config b/lfs/Config
index a2d3cddc5..8b2e5dabb 100644
--- a/lfs/Config
+++ b/lfs/Config
@@ -143,6 +143,9 @@ ifeq "$(BUILD_ARCH)" "aarch64"
 	GOARCH = arm64
 endif
 
+# Rust
+export CARGOPATH = $(HOME)/.cargo
+
 ###############################################################################
 # Common Macro Definitions
 ###############################################################################
@@ -184,7 +187,7 @@ define POSTBUILD
 	@echo "Updating linker cache..."
 	@type -p ldconfig >/dev/null && ldconfig || :
 	@echo "Install done; saving file list to $(TARGET) ..."
-	@rm -rf $(GOPATH)
+	@rm -rf $(GOPATH) $(CARGOPATH)
 	@$(FIND_FILES) > $(DIR_SRC)/lsalrnew
 	@diff $(DIR_SRC)/lsalr $(DIR_SRC)/lsalrnew | grep '^> ' | sed 's/^> //' > $(TARGET)_diff
 	@cp -f $(DIR_SRC)/lsalrnew $(DIR_SRC)/lsalr
-- 
2.30.2

[PATCH 3/7] suricata: Drop extra rootfiles

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 5402 bytes --]

These are all the same and not different from what is in
config/rootfiles/common/suricata.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/aarch64/suricata | 28 ------------------------
 config/rootfiles/common/armv6l/suricata  | 28 ------------------------
 config/rootfiles/common/i586/suricata    | 28 ------------------------
 config/rootfiles/common/x86_64/suricata  | 28 ------------------------
 4 files changed, 112 deletions(-)
 delete mode 100644 config/rootfiles/common/aarch64/suricata
 delete mode 100644 config/rootfiles/common/armv6l/suricata
 delete mode 100644 config/rootfiles/common/i586/suricata
 delete mode 100644 config/rootfiles/common/x86_64/suricata

diff --git a/config/rootfiles/common/aarch64/suricata b/config/rootfiles/common/aarch64/suricata
deleted file mode 100644
index 32358483a..000000000
--- a/config/rootfiles/common/aarch64/suricata
+++ /dev/null
@@ -1,28 +0,0 @@
-etc/suricata
-etc/suricata/suricata.yaml
-#root/.cargo
-#root/.cargo/.package-cache
-usr/bin/suricata
-#usr/share/doc/suricata
-#usr/share/doc/suricata/AUTHORS
-#usr/share/doc/suricata/Basic_Setup.txt
-#usr/share/doc/suricata/GITGUIDE
-#usr/share/doc/suricata/INSTALL
-#usr/share/doc/suricata/INSTALL.PF_RING
-#usr/share/doc/suricata/INSTALL.WINDOWS
-#usr/share/doc/suricata/NEWS
-#usr/share/doc/suricata/README
-#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt
-#usr/share/doc/suricata/TODO
-#usr/share/doc/suricata/Third_Party_Installation_Guides.txt
-#usr/share/man/man1/suricata.1
-#usr/share/man/man1/suricatactl-filestore.1
-#usr/share/man/man1/suricatactl.1
-#usr/share/man/man1/suricatasc.1
-var/lib/suricata
-var/lib/suricata/classification.config
-var/lib/suricata/reference.config
-var/lib/suricata/threshold.config
-var/log/suricata
-#var/log/suricata/certs
-#var/log/suricata/files
diff --git a/config/rootfiles/common/armv6l/suricata b/config/rootfiles/common/armv6l/suricata
deleted file mode 100644
index 32358483a..000000000
--- a/config/rootfiles/common/armv6l/suricata
+++ /dev/null
@@ -1,28 +0,0 @@
-etc/suricata
-etc/suricata/suricata.yaml
-#root/.cargo
-#root/.cargo/.package-cache
-usr/bin/suricata
-#usr/share/doc/suricata
-#usr/share/doc/suricata/AUTHORS
-#usr/share/doc/suricata/Basic_Setup.txt
-#usr/share/doc/suricata/GITGUIDE
-#usr/share/doc/suricata/INSTALL
-#usr/share/doc/suricata/INSTALL.PF_RING
-#usr/share/doc/suricata/INSTALL.WINDOWS
-#usr/share/doc/suricata/NEWS
-#usr/share/doc/suricata/README
-#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt
-#usr/share/doc/suricata/TODO
-#usr/share/doc/suricata/Third_Party_Installation_Guides.txt
-#usr/share/man/man1/suricata.1
-#usr/share/man/man1/suricatactl-filestore.1
-#usr/share/man/man1/suricatactl.1
-#usr/share/man/man1/suricatasc.1
-var/lib/suricata
-var/lib/suricata/classification.config
-var/lib/suricata/reference.config
-var/lib/suricata/threshold.config
-var/log/suricata
-#var/log/suricata/certs
-#var/log/suricata/files
diff --git a/config/rootfiles/common/i586/suricata b/config/rootfiles/common/i586/suricata
deleted file mode 100644
index 32358483a..000000000
--- a/config/rootfiles/common/i586/suricata
+++ /dev/null
@@ -1,28 +0,0 @@
-etc/suricata
-etc/suricata/suricata.yaml
-#root/.cargo
-#root/.cargo/.package-cache
-usr/bin/suricata
-#usr/share/doc/suricata
-#usr/share/doc/suricata/AUTHORS
-#usr/share/doc/suricata/Basic_Setup.txt
-#usr/share/doc/suricata/GITGUIDE
-#usr/share/doc/suricata/INSTALL
-#usr/share/doc/suricata/INSTALL.PF_RING
-#usr/share/doc/suricata/INSTALL.WINDOWS
-#usr/share/doc/suricata/NEWS
-#usr/share/doc/suricata/README
-#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt
-#usr/share/doc/suricata/TODO
-#usr/share/doc/suricata/Third_Party_Installation_Guides.txt
-#usr/share/man/man1/suricata.1
-#usr/share/man/man1/suricatactl-filestore.1
-#usr/share/man/man1/suricatactl.1
-#usr/share/man/man1/suricatasc.1
-var/lib/suricata
-var/lib/suricata/classification.config
-var/lib/suricata/reference.config
-var/lib/suricata/threshold.config
-var/log/suricata
-#var/log/suricata/certs
-#var/log/suricata/files
diff --git a/config/rootfiles/common/x86_64/suricata b/config/rootfiles/common/x86_64/suricata
deleted file mode 100644
index 32358483a..000000000
--- a/config/rootfiles/common/x86_64/suricata
+++ /dev/null
@@ -1,28 +0,0 @@
-etc/suricata
-etc/suricata/suricata.yaml
-#root/.cargo
-#root/.cargo/.package-cache
-usr/bin/suricata
-#usr/share/doc/suricata
-#usr/share/doc/suricata/AUTHORS
-#usr/share/doc/suricata/Basic_Setup.txt
-#usr/share/doc/suricata/GITGUIDE
-#usr/share/doc/suricata/INSTALL
-#usr/share/doc/suricata/INSTALL.PF_RING
-#usr/share/doc/suricata/INSTALL.WINDOWS
-#usr/share/doc/suricata/NEWS
-#usr/share/doc/suricata/README
-#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt
-#usr/share/doc/suricata/TODO
-#usr/share/doc/suricata/Third_Party_Installation_Guides.txt
-#usr/share/man/man1/suricata.1
-#usr/share/man/man1/suricatactl-filestore.1
-#usr/share/man/man1/suricatactl.1
-#usr/share/man/man1/suricatasc.1
-var/lib/suricata
-var/lib/suricata/classification.config
-var/lib/suricata/reference.config
-var/lib/suricata/threshold.config
-var/log/suricata
-#var/log/suricata/certs
-#var/log/suricata/files
-- 
2.30.2

[PATCH 4/7] suricata: This package is supported on all architectures

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 601 bytes --]

There is no need to list them specifically.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 lfs/suricata | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lfs/suricata b/lfs/suricata
index bd57b829e..0a1dcf2b8 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -31,7 +31,6 @@ DL_FILE    = $(THISAPP).tar.gz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
-SUP_ARCH   = x86_64 i586 aarch64 armv6l
 
 ###############################################################################
 # Top-level Rules
-- 
2.30.2

[PATCH 5/7] suricata: Load *.config files from default location

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2075 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/rootfiles/common/suricata | 3 ---
 config/suricata/suricata.yaml    | 7 +++----
 lfs/suricata                     | 5 +----
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 7c512b033..091245023 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -40,9 +40,6 @@ usr/share/suricata/
 #usr/share/suricata/rules/stream-events.rules
 #usr/share/suricata/rules/tls-events.rules
 var/lib/suricata
-var/lib/suricata/classification.config
-var/lib/suricata/reference.config
-var/lib/suricata/threshold.config
 var/log/suricata
 #var/log/suricata/certs
 #var/log/suricata/files
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 0ad36e705..ba56c6a75 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -69,10 +69,9 @@ rule-files:
     # Include enabled ruleset files from external file
     - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
 
-classification-file: /var/lib/suricata/classification.config
-reference-config-file: /var/lib/suricata/reference.config
-threshold-file: /var/lib/suricata/threshold.config
-
+classification-file: /usr/share/suricata/classification.config
+reference-config-file: /usr/share/suricata/reference.config
+threshold-file: /usr/share/suricata/threshold.config
 
 ##
 ## Logging options.
diff --git a/lfs/suricata b/lfs/suricata
index 0a1dcf2b8..38289962f 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -100,10 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 
 	# Move config files for references, threshold and classification
 	# to the rules directory.
-	mv /etc/suricata/*.config /var/lib/suricata
-
-	# Set correct permissions for the files.
-	chmod 644 /var/lib/suricata/*.config
+	rm -rfv /etc/suricata/*.config
 
 	# Set correct ownership for /var/lib/suricata and the
 	# contained files
-- 
2.30.2

[PATCH 6/7] IPS: Do not try to show rules when stat on rules tarball fails

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1511 bytes --]

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 html/cgi-bin/ids.cgi | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 85c5ddd86..4e8b28fd8 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -1091,13 +1091,14 @@ if (%idsrules) {
 	# Call stat on the rulestarball.
 	my $stat = stat("$IDS::rulestarball");
 
-	# Get timestamp the file creation.
-	my $mtime = $stat->mtime;
+	if (defined $stat) {
+		# Get timestamp the file creation.
+		my $mtime = $stat->mtime;
 
-	# Convert into human read-able format.
-	my $rulesdate = strftime('%Y-%m-%d %H:%M:%S', localtime($mtime));
+		# Convert into human read-able format.
+		my $rulesdate = strftime('%Y-%m-%d %H:%M:%S', localtime($mtime));
 
-	&Header::openbox('100%', 'LEFT', "$Lang::tr{'intrusion detection system rules'} ($rulesdate)" );
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'intrusion detection system rules'} ($rulesdate)" );
 
 		print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
 
@@ -1189,7 +1190,7 @@ if (%idsrules) {
 		# Close display table
 		print "</table>";
 
-print <<END
+		print <<END
 <table width='100%'>
 <tr>
 	<td width='100%' align='right'><input type='submit' name='RULESET' value='$Lang::tr{'ids apply'}'></td>
@@ -1198,7 +1199,8 @@ print <<END
 </form>
 END
 ;
-	&Header::closebox();
+		&Header::closebox();
+	}
 }
 
 &Header::closebigbox();
-- 
2.30.2

[PATCH 7/7] suricata: Handle retransmitted SYN with TSval

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3667 bytes --]

Read more in the patch.

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 lfs/suricata                                  |  1 +
 ...-Handle-retransmitted-SYN-with-TSval.patch | 55 +++++++++++++++++++
 2 files changed, 56 insertions(+)
 create mode 100644 src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch

diff --git a/lfs/suricata b/lfs/suricata
index 38289962f..b54a038c3 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
 	cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
 		--prefix=/usr \
 		--sysconfdir=/etc \
diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
new file mode 100644
index 000000000..fcea77cfa
--- /dev/null
+++ b/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
@@ -0,0 +1,55 @@
+From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
+From: Michael Tremer <michael.tremer(a)ipfire.org>
+Date: Fri, 19 Nov 2021 17:17:47 +0000
+Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
+
+For connections that use TCP timestamps for which the first SYN packet
+does not reach the server, any replies to retransmitted SYNs will be
+tropped.
+
+This is happening in StateSynSentValidateTimestamp, where the timestamp
+value in a SYN-ACK packet must match the one from the SYN packet.
+However, since the server never received the first SYN packet, it will
+respond with an updated timestamp from any of the following SYN packets.
+
+The timestamp value inside suricata is not being updated at any time
+which should happen. This patch fixes that problem.
+
+This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
+
+Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
+---
+ src/stream-tcp.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/stream-tcp.c b/src/stream-tcp.c
+index 1cff19fa5..af681760b 100644
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
+                     "ssn->client.last_ack %"PRIu32"", ssn,
+                     ssn->client.isn, ssn->client.next_seq,
+                     ssn->client.last_ack);
++        } else if (PKT_IS_TOSERVER(p)) {
++            /*
++	     * On retransmitted SYN packets, the timestamp value must be updated,
++	     * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
++	     * with an updated timestamp in StateSynSentValidateTimestamp.
++	     */
++            if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
++                uint32_t ts_val = TCP_GET_TSVAL(p);
++
++                // Check whether packets have been received in the correct order (only ever update)
++                if (ssn->client.last_ts < ts_val) {
++                    ssn->client.last_ts = ts_val;
++                    ssn->client.last_pkt_ts = p->ts.tv_sec;
++                }
++
++                SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
++            }
+         }
+ 
+         /** \todo check if it's correct or set event */
+-- 
+2.30.2
+
-- 
2.30.2

Re: [PATCH 5/7] suricata: Load *.config files from default location

[Stefan Schantl]

[-- Attachment #1: Type: text/plain, Size: 3075 bytes --]

Hello Michael,

thanks for working on suricata and cleaning / adjusting things.

This commit is very problematic, because it may breaks current
installations.

Currently after downloading a ruleset tarball of a certain provider,
oinkmaster is going to extract the tarball content(rules files and
*.config files) into the rules directory ("/var/lib/suricata") by
deleting the old rules files and overwriting the *.config files - so
they perfectly fits together.

When moving the config files to a new location, we have to take care
about that by moving these files after oinkmaster has launched to the
new location and we also have to take care about file permissions on
the new location.

So I would recommend to hold off this patch until we have a nice
solution for this.

Best regards,

-Stefan
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  config/rootfiles/common/suricata | 3 ---
>  config/suricata/suricata.yaml    | 7 +++----
>  lfs/suricata                     | 5 +----
>  3 files changed, 4 insertions(+), 11 deletions(-)
> 
> diff --git a/config/rootfiles/common/suricata
> b/config/rootfiles/common/suricata
> index 7c512b033..091245023 100644
> --- a/config/rootfiles/common/suricata
> +++ b/config/rootfiles/common/suricata
> @@ -40,9 +40,6 @@ usr/share/suricata/
>  #usr/share/suricata/rules/stream-events.rules
>  #usr/share/suricata/rules/tls-events.rules
>  var/lib/suricata
> -var/lib/suricata/classification.config
> -var/lib/suricata/reference.config
> -var/lib/suricata/threshold.config
>  var/log/suricata
>  #var/log/suricata/certs
>  #var/log/suricata/files
> diff --git a/config/suricata/suricata.yaml
> b/config/suricata/suricata.yaml
> index 0ad36e705..ba56c6a75 100644
> --- a/config/suricata/suricata.yaml
> +++ b/config/suricata/suricata.yaml
> @@ -69,10 +69,9 @@ rule-files:
>      # Include enabled ruleset files from external file
>      - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
>  
> -classification-file: /var/lib/suricata/classification.config
> -reference-config-file: /var/lib/suricata/reference.config
> -threshold-file: /var/lib/suricata/threshold.config
> -
> +classification-file: /usr/share/suricata/classification.config
> +reference-config-file: /usr/share/suricata/reference.config
> +threshold-file: /usr/share/suricata/threshold.config
>  
>  ##
>  ## Logging options.
> diff --git a/lfs/suricata b/lfs/suricata
> index 0a1dcf2b8..38289962f 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
> @@ -100,10 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>  
>         # Move config files for references, threshold and
> classification
>         # to the rules directory.
> -       mv /etc/suricata/*.config /var/lib/suricata
> -
> -       # Set correct permissions for the files.
> -       chmod 644 /var/lib/suricata/*.config
> +       rm -rfv /etc/suricata/*.config
>  
>         # Set correct ownership for /var/lib/suricata and the
>         # contained files

Re: [PATCH 5/7] suricata: Load *.config files from default location

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3360 bytes --]

Hello Stefan,

Thank you for your feedback.

> On 22 Nov 2021, at 04:21, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> 
> Hello Michael,
> 
> thanks for working on suricata and cleaning / adjusting things.
> 
> This commit is very problematic, because it may breaks current
> installations.
> 
> Currently after downloading a ruleset tarball of a certain provider,
> oinkmaster is going to extract the tarball content(rules files and
> *.config files) into the rules directory ("/var/lib/suricata") by
> deleting the old rules files and overwriting the *.config files - so
> they perfectly fits together.
> 
> When moving the config files to a new location, we have to take care
> about that by moving these files after oinkmaster has launched to the
> new location and we also have to take care about file permissions on
> the new location.
> 
> So I would recommend to hold off this patch until we have a nice
> solution for this.

Okay. I marked this patch as rejected on PW.

-Michael

> 
> Best regards,
> 
> -Stefan
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>>  config/rootfiles/common/suricata | 3 ---
>>  config/suricata/suricata.yaml    | 7 +++----
>>  lfs/suricata                     | 5 +----
>>  3 files changed, 4 insertions(+), 11 deletions(-)
>> 
>> diff --git a/config/rootfiles/common/suricata
>> b/config/rootfiles/common/suricata
>> index 7c512b033..091245023 100644
>> --- a/config/rootfiles/common/suricata
>> +++ b/config/rootfiles/common/suricata
>> @@ -40,9 +40,6 @@ usr/share/suricata/
>>  #usr/share/suricata/rules/stream-events.rules
>>  #usr/share/suricata/rules/tls-events.rules
>>  var/lib/suricata
>> -var/lib/suricata/classification.config
>> -var/lib/suricata/reference.config
>> -var/lib/suricata/threshold.config
>>  var/log/suricata
>>  #var/log/suricata/certs
>>  #var/log/suricata/files
>> diff --git a/config/suricata/suricata.yaml
>> b/config/suricata/suricata.yaml
>> index 0ad36e705..ba56c6a75 100644
>> --- a/config/suricata/suricata.yaml
>> +++ b/config/suricata/suricata.yaml
>> @@ -69,10 +69,9 @@ rule-files:
>>      # Include enabled ruleset files from external file
>>      - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
>>  
>> -classification-file: /var/lib/suricata/classification.config
>> -reference-config-file: /var/lib/suricata/reference.config
>> -threshold-file: /var/lib/suricata/threshold.config
>> -
>> +classification-file: /usr/share/suricata/classification.config
>> +reference-config-file: /usr/share/suricata/reference.config
>> +threshold-file: /usr/share/suricata/threshold.config
>>  
>>  ##
>>  ## Logging options.
>> diff --git a/lfs/suricata b/lfs/suricata
>> index 0a1dcf2b8..38289962f 100644
>> --- a/lfs/suricata
>> +++ b/lfs/suricata
>> @@ -100,10 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  
>>         # Move config files for references, threshold and
>> classification
>>         # to the rules directory.
>> -       mv /etc/suricata/*.config /var/lib/suricata
>> -
>> -       # Set correct permissions for the files.
>> -       chmod 644 /var/lib/suricata/*.config
>> +       rm -rfv /etc/suricata/*.config
>>  
>>         # Set correct ownership for /var/lib/suricata and the
>>         # contained files
> 
> 

Re: [PATCH 4/7] suricata: This package is supported on all architectures

[Arne Fitzenreiter]

[-- Attachment #1: Type: text/plain, Size: 739 bytes --]

Is rust now available on risc-v ?
You have introduces this.


Am 2021-11-19 18:44, schrieb Michael Tremer:
> There is no need to list them specifically.
> 
> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
> ---
>  lfs/suricata | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/lfs/suricata b/lfs/suricata
> index bd57b829e..0a1dcf2b8 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
> @@ -31,7 +31,6 @@ DL_FILE    = $(THISAPP).tar.gz
>  DL_FROM    = $(URL_IPFIRE)
>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
> -SUP_ARCH   = x86_64 i586 aarch64 armv6l
> 
>  
> ###############################################################################
>  # Top-level Rules

Re: [PATCH 4/7] suricata: This package is supported on all architectures

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 914 bytes --]

Oh, no it isn’t.

In that case, never mind and just drop this patch :)

-Michael

> On 24 Nov 2021, at 14:54, Arne Fitzenreiter <arne_f(a)ipfire.org> wrote:
> 
> Is rust now available on risc-v ?
> You have introduces this.
> 
> 
> Am 2021-11-19 18:44, schrieb Michael Tremer:
>> There is no need to list them specifically.
>> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
>> ---
>> lfs/suricata | 1 -
>> 1 file changed, 1 deletion(-)
>> diff --git a/lfs/suricata b/lfs/suricata
>> index bd57b829e..0a1dcf2b8 100644
>> --- a/lfs/suricata
>> +++ b/lfs/suricata
>> @@ -31,7 +31,6 @@ DL_FILE    = $(THISAPP).tar.gz
>> DL_FROM    = $(URL_IPFIRE)
>> DIR_APP    = $(DIR_SRC)/$(THISAPP)
>> TARGET     = $(DIR_INFO)/$(THISAPP)
>> -SUP_ARCH   = x86_64 i586 aarch64 armv6l
>> ###############################################################################
>> # Top-level Rules