Re: IDS with support for multiple ruleset providers

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 4296 bytes --]

Hi Stefan,

On 10/04/2021 15:06, Adolf Belka wrote:
> Hi Stefan,
>
> I tested this on my vm testbed.
>
> On 09/04/2021 21:27, Stefan Schantl wrote:
>> Hello Development Team and list followers,
>>
>> there are a lot of different vendors out there which offers different
>> IDS rules for suricata. Some of them offers a complete set of rules and
>> other ones some very specialized rules for different tasks.
>>
>> Unfortunately it only was possible to select only one ruleset provider
>> at the same time, so it usually wasn't an option to use one of them and
>> keep a lot of traffic uninspected by the IDS.
>>
>> Today I'm very happy to announce a testing version of a reworked
>> Intrusion Detection System which supports the usage of multiple
>> different providers and rulesets at the same time.
>>
>> In total up to 15 different ruleset providers now can be used and mixed
>> together to fit your personal requirements. They easily can be managed
>> and configured via the WUI. Of course each one individually can be
>> disabled or re-enabled at each time.
>>
>> The section for customizing the entire ruleset has been moved to a
>> subpage, which allows to enable a certain amount of ruleset files or
>> enabling / disabling single rules inside them.
>>
>> This helps to speed up the CGI if you want to mange your whitelist,
>> manage your ruleset providers or change basic settings of your IDS.
>>
>> If you liked this short introduction, please help us testing to get
>> this cool stuff as soon as possible into the core distribution and to
>> find bugs or other improvements.
>>
>> The test versions and some screenshots can be found here:
>>
>> https://people.ipfire.org/~stevee/ids-multiple-providers/
>>
>> To join testing, please download the latest tarball and place it on
>> your IPFire test machine.
>>
>> Execute the archive by using "tar -xvf ids-multiple-providers-
>> XXX.tar.gz - C /" on your local console or via SSH remote session.
>> bash: /usr/sbin/convert-ids-multiple-providers: Permission denied
> Extracting the archive worked with no problems.
>> The next steps would be to regenerate the language cache by executing
>> "update-langs-cache" and to launch "convert-ids-multiple-providers".
>
> update-lang-cache worked fine. When tried to run convert-ids-multiple-providers I got the message
>
> bash: /usr/sbin/convert-ids-multiple-providers: Permission denied
>
> I was running the command as root so I checked the file and it was not set as executable. I changed this and it then ran but came back with the following error message
>
> Can't locate /var/ipfire/ids-functions.pl1 at /usr/sbin/convert-ids-multiple-providers line 25
>
> I edited the .pl1 to .pl and re-ran the converter and it completed without any further error message.
>
>
> I then had the new WUI IDS page.
>
>
> I selected an additional provider, OISF, and it was added to the list of providers. I then selected customise rules and I selected the oisf ruleset and pressed apply. I just got a white screen with nothing happening. I then reloaded IPFire in the browser again and OISF provider was still listed but on the rules page it was not selected. Tried again and same thing happened. I then pressed the delete button to remove the OISF provider from the list and I get the message "The ruleset changes are being applied. Please wait until all opersations have completed successfully..." That message has not changed since I started writing this email. I then reloaded IPFire in the browser and OISF had been removed from the list.
>
>
Here are the error messages from my httpd/error_log file

Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Could not write to /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288

Adolf

> Regards,
>
> Adolf
>
>> The converter will convert all your existing settings into the new
>> format and also will take care about your used rules and their
>> settings.
>>
>> As usual, please report back any kind of feedback on this list and
>> submit any found bugs to our bugtracker (https://bugs.ipfire.org).
>>
>> Thanks in advance,
>>
>> -Stefan
>>
>>