From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Sun, 11 Apr 2021 09:07:39 +0200
Message-ID: <7cc1af73a3f9fe0eac99acdd64751b5253914e73.camel@ipfire.org>
In-Reply-To: <bee29e61-303f-5b7f-a821-278d7c4a8a47@ipfire.org>
Good morning Adolf,

thanks for re-testing and reporting this issue.

After digging through the code I finally found why the file permission
on your test system was different to mine.

In the if clause, the ownership of the file would only be changed if
ruleset changes had been made, which of course is wrong here.

I'll upload a new test version very soon.

Once again, a big thanks for testing and pointing this out.

Best regards,

-Stefan

> Hi Stefan,
>
> I copied the new tarfile to my ipfire vm testbed machine and
> extracted it and ran the converter script. No errors. I then used the
> wui page to add a new provider to the list then selected to customize
> the rules and ticked the box for the added rules. Then I pressed
> apply and got a blank white screen again.
>
>
> The error log has the following:-
>
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
>
>
> ls -hal of /var/ipfire/suricata shows the following
>
> drwxr-xr-x 2 nobody nobody 4.0K Apr 10 22:47 .
> drwxr-xr-x 49 root root 4.0K Apr 5 08:20 ..
> -rw-r--r-- 1 nobody nobody 0 Dec 14 19:05 ignored
> -rw-r--r-- 1 root root 21K Apr 1 20:00 oinkmaster.conf
> -rw-r--r-- 1 nobody nobody 61 Apr 10 14:40 oinkmaster-modify-sids.conf
> -rw-r--r-- 1 root root 0 Apr 10 14:54 oinkmaster-provider-includes.conf
> -rw-r--r-- 1 nobody nobody 55 Apr 10 22:47 providers-settings
> -rw-r--r-- 1 root root 6.0K Apr 5 07:13 ruleset-sources
> -rw-r--r-- 1 nobody nobody 102 Apr 10 14:54 settings
> -rw-r--r-- 1 nobody nobody 140 Apr 10 22:41 suricata-dns-servers.yaml
> -rw-r--r-- 1 nobody nobody 125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
> -rw-r--r-- 1 nobody nobody 159 Apr 10 22:41 suricata-homenet.yaml
> -rw-r--r-- 1 nobody nobody 98 Apr 10 14:40 suricata-http-ports.yaml
> -rw-r--r-- 1 nobody nobody 95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
> -rw-r--r-- 1 nobody nobody 76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
> -rw-r--r-- 1 nobody nobody 214 Apr 10 14:54 suricata-used-providers.yaml
>
> Three of the files are owned root:root while all the others are
> nobody:nobody
>
>
> The above was with extracting and applying the updated tar file on
> top of IPFire after running the last version.
>
> I will do a fresh clone of my IPFire vm and then repeat the tar
> extraction and convert and see if that gives any difference.
>
>
> Regards,
>
> Adolf
>
> On 10/04/2021 20:25, Stefan Schantl wrote:
> > Hello list followers,
> >
> > after getting a lot of feedback and bug reports I'm happy to
> > announce the third test version for the new IDS system.
> >
> > https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
> >
> > If you just join testing, please omit the installation instructions
> > from the initial mail from this list.
> >
> > The converter script now works as expected and runs very smoothly.
> >
> > As usual please post your feedback and opinions to this list and
> > any remaining bugs to our bugtracker. (https://bugzilla.ipfire.org)
> >
> > A big thanks in advance,
> >
> > -Stefan
> >
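
The "Permission denied" in the quoted log follows directly from the owner and mode bits in the listing. The following added example (not part of the mail and not IPFire code) applies the Unix owner/group/other write check to stat data and reports which files an account cannot write. The numeric ids, the `SAMPLE` table and all function names are assumptions made for the illustration.

```python
import os
import stat
from types import SimpleNamespace


def can_write(st, uid, gids):
    """Owner/group/other write check from stat data (ACLs are ignored)."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def unwritable_files(directory, uid, gids):
    """Sorted names of regular files in `directory` that uid/gids cannot write."""
    blocked = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            if not can_write(entry.stat(follow_symlinks=False), uid, gids):
                blocked.append(entry.name)
    return sorted(blocked)


# Constructed sample mirroring part of the listing in the mail. The numeric
# ids are assumptions for illustration only: 0 = root, 65534 = nobody.
ROOT, NOBODY = 0, 65534
SAMPLE = {
    "oinkmaster.conf": (ROOT, 0o644),
    "oinkmaster-provider-includes.conf": (ROOT, 0o644),
    "ruleset-sources": (ROOT, 0o644),
    "oinkmaster-modify-sids.conf": (NOBODY, 0o644),
    "providers-settings": (NOBODY, 0o644),
    "settings": (NOBODY, 0o644),
}


def blocked_in_sample(uid=NOBODY):
    """Names in SAMPLE that `uid`, with only its own group, cannot write."""
    out = []
    for name, (owner, mode) in SAMPLE.items():
        # The group id is set equal to the owner id as a stand-in (root:root, nobody:nobody).
        st = SimpleNamespace(st_uid=owner, st_gid=owner, st_mode=stat.S_IFREG | mode)
        if not can_write(st, uid, {uid}):
            out.append(name)
    return sorted(out)
```

On a live system, `unwritable_files("/var/ipfire/suricata", uid, gids)` with the web UI account's ids gives the same report from real stat data; which of the reported files are meant to stay root-owned is for the operator to decide.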