Hi Stefan,

On 10/04/2021 15:06, Adolf Belka wrote:
> Hi Stefan,
>
> I tested this on my VM testbed.
>
> On 09/04/2021 21:27, Stefan Schantl wrote:
>> Hello Development Team and list followers,
>>
>> there are a lot of different vendors out there which offer different
>> IDS rules for suricata. Some of them offer a complete set of rules and
>> others some very specialized rules for different tasks.
>>
>> Unfortunately it was only possible to select one ruleset provider
>> at a time, so it usually wasn't an option to use one of them and
>> keep a lot of traffic uninspected by the IDS.
>>
>> Today I'm very happy to announce a testing version of a reworked
>> Intrusion Detection System which supports the usage of multiple
>> different providers and rulesets at the same time.
>>
>> In total up to 15 different ruleset providers can now be used and mixed
>> together to fit your personal requirements. They can easily be managed
>> and configured via the WUI. Of course each one can individually be
>> disabled or re-enabled at any time.
>>
>> The section for customizing the entire ruleset has been moved to a
>> subpage, which allows enabling a certain number of ruleset files or
>> enabling / disabling single rules inside them.
>>
>> This helps to speed up the CGI if you want to manage your whitelist,
>> manage your ruleset providers or change basic settings of your IDS.
>>
>> If you liked this short introduction, please help us with testing to get
>> this cool stuff as soon as possible into the core distribution and to
>> find bugs or other improvements.
>>
>> The test versions and some screenshots can be found here:
>>
>> https://people.ipfire.org/~stevee/ids-multiple-providers/
>>
>> To join testing, please download the latest tarball and place it on
>> your IPFire test machine.
>>
>> Execute the archive by using "tar -xvf ids-multiple-providers-
>> XXX.tar.gz -C /" on your local console or via SSH remote session.
>
> Extracting the archive worked with no problems.
>
>> The next steps would be to regenerate the language cache by executing
>> "update-langs-cache" and to launch "convert-ids-multiple-providers".
>
> update-lang-cache worked fine. When I tried to run convert-ids-multiple-providers I got the message
>
> bash: /usr/sbin/convert-ids-multiple-providers: Permission denied
>
> I was running the command as root, so I checked the file and it was not set as executable. I changed this and it then ran, but came back with the following error message
>
> Can't locate /var/ipfire/ids-functions.pl1 at /usr/sbin/convert-ids-multiple-providers line 25
>
> I edited the .pl1 to .pl and re-ran the converter and it completed without any further error message.
>
> I then had the new WUI IDS page.
>
> I selected an additional provider, OISF, and it was added to the list of providers. I then selected customise rules, selected the oisf ruleset and pressed apply. I just got a white screen with nothing happening. I then reloaded IPFire in the browser again and the OISF provider was still listed, but on the rules page it was not selected. Tried again and the same thing happened. I then pressed the delete button to remove the OISF provider from the list and I get the message "The ruleset changes are being applied. Please wait until all opersations have completed successfully..." That message has not changed since I started writing this email. I then reloaded IPFire in the browser and OISF had been removed from the list.
>
> Here are the error messages from my httpd/error_log file

Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Could not write to /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288

Adolf

> Regards,
>
> Adolf
>
>> The converter will convert all your existing settings into the new
>> format and will also take care of your used rules and their
>> settings.
>>
>> As usual, please report back any kind of feedback on this list and
>> submit any found bugs to our bugtracker (https://bugs.ipfire.org).
>>
>> Thanks in advance,
>>
>> -Stefan
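The install procedure quoted above (extract the test tarball over / as root, then run the converter) and the two failures reported against it (the converter shipped without its executable bit, and a mistyped require path, ids-functions.pl1 instead of ids-functions.pl) are the kind of thing a short pre-flight script can catch before anything is written to /. The following is an added example written for this page; it is not a script from the IPFire project or from either poster. The script name and the /var/ipfire dependency path are taken from the thread; the archive layout it assumes (usr/ and var/ directly under the archive root) is an assumption, and the sample tarballs it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the IPFire thread or project.
# Pre-flight checks for a test tarball that is meant to be extracted with
# "tar -xvf <tarball> -C /" as root. Everything is checked against a scratch
# root first; nothing here touches the real filesystem.

# 1. Refuse archives with absolute entries or entries that escape via "..":
#    extracted over / as root, such an entry lands wherever it points.
tarball_paths_ok() {
    tar -tf "$1" | {
        bad=0
        while IFS= read -r entry; do
            case "$entry" in
                /*|../*|*/../*|*/..) echo "unsafe path in archive: $entry" >&2; bad=1 ;;
            esac
        done
        exit $bad   # subshell exit status becomes the pipeline status
    }
}

# 2. Every script the archive installs must carry an executable bit; the
#    converter in the thread did not and failed with "Permission denied".
#    Usage: scripts_executable <root> <relative script path>...
scripts_executable() {
    root="$1"; shift
    for script in "$@"; do
        [ -x "$root/$script" ] || { echo "not executable: $root/$script" >&2; return 1; }
    done
}

# 3. Every /var/ipfire/... path mentioned in a Perl script must exist under the
#    root; a typo such as ids-functions.pl1 shows up here instead of at run time.
#    Usage: required_files_exist <root> <relative script path>
required_files_exist() {
    root="$1"; script="$2"; missing=0
    for dep in $(grep -o '/var/ipfire/[A-Za-z0-9_./-]*' "$root/$script" | sort -u); do
        [ -e "$root$dep" ] || { echo "missing dependency: $dep (required by $script)" >&2; missing=1; }
    done
    return $missing
}

# Run all three checks; the archive is unpacked into a temporary root, never /.
# Returns 0 only when it is safe to repeat the extraction with -C /.
preflight() {
    tarball="$1"; script="usr/sbin/convert-ids-multiple-providers"  # name from the thread
    tarball_paths_ok "$tarball" || return 1
    stage=$(mktemp -d)
    tar -xf "$tarball" -C "$stage"
    status=0
    scripts_executable "$stage" "$script" || status=1
    required_files_exist "$stage" "$script" || status=1
    rm -rf "$stage"
    return $status
}

# Constructed sample (not a real IPFire tarball): a tiny archive with the assumed
# layout, optionally reproducing one of the defects reported in the thread.
# Usage: build_sample_tarball <outdir> <good|noexec|typo|escape>  -> writes <outdir>/<variant>.tar
build_sample_tarball() {
    out="$1"; variant="$2"; stage="$out/stage-$variant"
    mkdir -p "$stage/usr/sbin" "$stage/var/ipfire"
    dep="ids-functions.pl"
    if [ "$variant" = typo ]; then dep="ids-functions.pl1"; fi
    printf '#!/usr/bin/perl\nrequire "/var/ipfire/%s";\n' "$dep" > "$stage/usr/sbin/convert-ids-multiple-providers"
    : > "$stage/var/ipfire/ids-functions.pl"
    if [ "$variant" != noexec ]; then chmod 755 "$stage/usr/sbin/convert-ids-multiple-providers"; fi
    if [ "$variant" = escape ]; then
        : > "$out/escape-file"
        tar -cPf "$out/$variant.tar" -C "$stage" usr var ../escape-file   # -P keeps the ".." entry
    else
        tar -cf "$out/$variant.tar" -C "$stage" usr var
    fi
}

# Stand-alone demo on a constructed good archive; the same functions apply to a real tarball.
demo_dir=$(mktemp -d)
build_sample_tarball "$demo_dir" good
preflight "$demo_dir/good.tar" && echo "preflight passed for $demo_dir/good.tar"
rm -rf "$demo_dir"
```

The third error in the log above (the CGI cannot write /var/ipfire/suricata/oinkmaster-provider-includes.conf) is an ownership question between the web server user and the files the archive installs, which this script does not check; verifying who owns that directory after extraction is the obvious follow-up.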