From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Sun, 11 Apr 2021 13:27:17 +0100
Message-ID: <355C04C9-1A84-409E-BF0C-145A7BCE5FE6@ipfire.org>

Hello,

> On 11 Apr 2021, at 11:18, Adolf Belka wrote:
>
> Hi Stefan,
>
> I did a bit more testing.
>
> I added the snort community rules set. I then went to customise and left the snort rules unchecked, then pressed apply.
>
> I then disabled the snort rules from the main page and on the customise page the snort rules were no longer showing.
>
> I then enabled the snort rules on the first page and then went to customise, but the snort rules still were not showing.
>
> I deleted the snort ruleset provider on the first page and then added them back, and now the snort ruleset was shown again on the customise page.
>
> I then checked the snort ruleset and applied it, and then entered customise again and unchecked the snort ruleset and applied it. When I went back into customise the snort ruleset was checked again. So once checked I could not uncheck it and keep it that way by pressing apply.
>
> I then deleted the snort ruleset provider from the first page. Then the ruleset was gone from the customise page.
>
> Then I added the snort ruleset provider back in, but then got an error message saying that the snort ruleset provider was already selected. I then pressed back and came back to the main page with no snort ruleset provider, but also with the page only showing down to the Ruleset Settings table. There was nothing else after that.
>
> The httpd/error_log showed the following
>
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512
>
> Reloading the IPFire browser page and going back to the IDS main page gives the same result, with the additional two lines in the log
>
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512.
>
>
> Sorry for breaking it again. If any of my steps are not clear let me know and I will clarify where necessary.

This is absolutely the idea here. Clicking all the buttons as fast as we can until it breaks :)

-Michael

> Regards,
>
> Adolf.
>
>
> On 11/04/2021 11:49, Adolf Belka wrote:
>> Hi Stefan,
>>
>> I have installed the new version from scratch in my ipfire vm testbed. I followed "all" the instructions this time :-)
>>
>> I was able to add additional providers and then go and select the rules I wanted, and had no problems at all.
>>
>> Looks like all fixed. I will do further evaluation of it over the next few days and let you know how things go for me.
>>
>> Regards,
>>
>> Adolf.
>>
>> On 11/04/2021 10:46, Stefan Schantl wrote:
>>> Hello again,
>>>
>>> I've tested and uploaded the fourth test version.
>>>
>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-004.tar.gz
>>>
>>> This time the ownership of all files is correct on my test system.
>>>
>>> (Tested with ruleset changes and without)
>>>
>>> Best regards,
>>>
>>> -Stefan
>>>
>>>> Best regards,
>>>>
>>>> -Stefan
>>>>
>>>>> Hi Stefan,
>>>>>
>>>>> I copied the new tarfile to my ipfire vm testbed machine and extracted it and ran the converter script. No errors.
>>>>> I then used the wui page to add a new provider to the list, then selected to customize the rules and ticked the box for the added rules. Then I pressed apply and got a blank white screen again.
>>>>>
>>>>>
>>>>> The error log has the following:-
>>>>>
>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>> Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
>>>>>
>>>>>
>>>>> ls -hal of /var/ipfire/suricata shows the following
>>>>>
>>>>> drwxr-xr-x  2 nobody nobody 4.0K Apr 10 22:47 .
>>>>> drwxr-xr-x 49 root   root   4.0K Apr  5 08:20 ..
>>>>> -rw-r--r--  1 nobody nobody    0 Dec 14 19:05 ignored
>>>>> -rw-r--r--  1 root   root    21K Apr  1 20:00 oinkmaster.conf
>>>>> -rw-r--r--  1 nobody nobody   61 Apr 10 14:40 oinkmaster-modify-sids.conf
>>>>> -rw-r--r--  1 root   root      0 Apr 10 14:54 oinkmaster-provider-includes.conf
>>>>> -rw-r--r--  1 nobody nobody   55 Apr 10 22:47 providers-settings
>>>>> -rw-r--r--  1 root   root   6.0K Apr  5 07:13 ruleset-sources
>>>>> -rw-r--r--  1 nobody nobody  102 Apr 10 14:54 settings
>>>>> -rw-r--r--  1 nobody nobody  140 Apr 10 22:41 suricata-dns-servers.yaml
>>>>> -rw-r--r--  1 nobody nobody  125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
>>>>> -rw-r--r--  1 nobody nobody  159 Apr 10 22:41 suricata-homenet.yaml
>>>>> -rw-r--r--  1 nobody nobody   98 Apr 10 14:40 suricata-http-ports.yaml
>>>>> -rw-r--r--  1 nobody nobody   95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
>>>>> -rw-r--r--  1 nobody nobody   76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
>>>>> -rw-r--r--  1 nobody nobody  214 Apr 10 14:54 suricata-used-providers.yaml
>>>>>
>>>>> Three of the files are owned root:root while all the others are nobody:nobody
>>>>>
>>>>>
>>>>> The above was with extracting and applying the updated tar file on top of IPFire after running the last version.
>>>>>
>>>>> I will do a fresh clone of my IPFire vm and then repeat the tar extraction and convert and see if that gives any difference.
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Adolf
>>>>>
>>>>> On 10/04/2021 20:25, Stefan Schantl wrote:
>>>>>> Hello list followers,
>>>>>>
>>>>>> after getting a lot of feedback and bug reports I'm happy to announce the third test version for the new IDS system.
>>>>>>
>>>>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
>>>>>>
>>>>>> If you just joined testing, please omit the installation instructions from the initial mail from this list.
>>>>>>
>>>>>> The converter script now works as expected and runs very smoothly.
>>>>>>
>>>>>> As usual, please post your feedback and opinions to this list and any remaining bugs to our bugtracker. (https://bugzilla.ipfire.org)
>>>>>>
>>>>>> A big thanks in advance,
>>>>>>
>>>>>> -Stefan
>>>>>>
>>>
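Both failures Adolf reports in this thread, the "Permission denied" on a root-owned file under /var/ipfire/suricata that the web UI (running as nobody) has to write, and the "Can't call method "mtime" on an undefined value" from ids-functions.pl, are cheap to guard against before the CGI touches the files. The following is an added example, not code from IPFire or from the test tarballs. It assumes the mtime error comes from calling `->mtime` directly on the return value of `File::stat`'s `stat()`, which is `undef` for a missing file, and that the CGI runs as the same unprivileged user as the files it must write. The temporary directory, the two file names and their contents are constructed for the demo; `safe_mtime` and `writable_problems` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example, not IPFire code. Pre-flight checks for configuration files
# that a CGI running as an unprivileged user (assumed: "nobody") must read
# and write, covering the two errors reported on the list.
use strict;
use warnings;
use File::Basename qw(dirname);
use File::stat;            # stat() now returns a File::stat object, or undef
use File::Temp qw(tempdir);
use POSIX qw(strftime);

# Return the mtime of $file, or undef if stat() fails (missing file, no
# permission on the directory, ...). Writing stat($file)->mtime directly is
# what produces "Can't call method "mtime" on an undefined value" when the
# file is absent; this wrapper is the assumed safe form.
sub safe_mtime {
    my ($file) = @_;
    my $st = stat($file);
    return defined($st) ? $st->mtime : undef;
}

# Return a list of reasons why the effective user cannot write $file (or
# create it, if it does not exist yet). An empty list means all is well.
# Note: -w answers "yes" for root, so run this as the CGI user to get the
# answer the CGI itself will get.
sub writable_problems {
    my ($file) = @_;
    my @problems;
    my $me = getpwuid($>) // $>;

    my $st = stat($file);
    if (defined $st) {
        my $owner = getpwuid($st->uid) // $st->uid;
        push @problems, "$file is owned by $owner but we run as $me"
            if $st->uid != $>;
        push @problems, sprintf("%s is not writable by %s (mode %04o)",
                                $file, $me, $st->mode & 07777)
            unless -w $file;
    } else {
        my $dir = dirname($file);
        push @problems, "$file does not exist and $dir is not writable by $me"
            unless -w $dir;
    }
    return @problems;
}

# Demo on a constructed temporary directory (removed on exit).
my $dir     = tempdir(CLEANUP => 1);
my $missing = "$dir/oinkmaster-provider-includes.conf";   # never created
my $present = "$dir/providers-settings";
open(my $fh, ">", $present) or die "Cannot create $present: $!";
print $fh "ENABLE_IDS=on\n";                               # constructed content
close($fh);
chmod(0444, $present);   # simulate a file the CGI user may read but not write

for my $file ($missing, $present) {
    my $mtime = safe_mtime($file);
    printf "%s: mtime %s\n", $file,
        defined($mtime)
            ? strftime("%Y-%m-%d %H:%M:%S", localtime($mtime))
            : "unavailable (stat failed, not dying)";
    my @problems = writable_problems($file);
    my @out = @problems ? map { "  PROBLEM: $_\n" } @problems
                        : ("  OK: writable\n");
    print @out;
}
```

Run it as the web server's user rather than as root: as root every `-w` test succeeds, which is exactly why the root-owned files in Adolf's listing looked fine on the console but failed from the CGI. The ownership check reports the root:root files before the CGI attempts the `open` that currently ends in "Permission denied", and `safe_mtime` turns the fatal method call into a plain `undef` the caller can handle.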