From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Sat, 10 Apr 2021 14:01:36 +0100
Message-ID: <8C32ADE0-E57C-4A61-B543-58FBF793EA34@ipfire.org>

Hello,

I just tried to install this on my c156 test system and I have found the following issues:

The converter script was not executable:

[root@fw01 ~]# convert-ids-multiple-providers
-bash: /usr/sbin/convert-ids-multiple-providers: Permission denied

But that could be easily fixed:

[root@fw01 ~]# chmod a+x /usr/sbin/convert-ids-multiple-providers

But then it fails with another error; probably a typo:

[root@fw01 ~]# convert-ids-multiple-providers
Can't locate /var/ipfire/ids-functions.pl1 at /usr/sbin/convert-ids-multiple-providers line 25.

Fixing that gives me this:

[root@fw01 ~]# convert-ids-multiple-providers
Could not write to /var/ipfire/suricata/oinkmaster-emerging-modified-sids.conf. No such file or directory

Creating that file makes the converter exit without any errors:

[root@fw01 ~]# touch /var/ipfire/suricata/oinkmaster-emerging-modified-sids.conf
[root@fw01 ~]# convert-ids-multiple-providers
[root@fw01 ~]#

But it didn't convert anything and the file is empty.

However, the CGI loads and shows the new functionality. Clicking the checkbox to disable a ruleset shows this:

Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Could not write to /var/ipfire/suricata/suricata-used-providers.yaml. Permission denied

That file exists but is owned by root:

-rw-r--r-- 1 root root 0 Apr 10 13:42 suricata-used-providers.yaml

Changing permissions to nobody:nobody brings me one step further:

Could not write to /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied

After fixing the ownership, I can enable and disable the rule provider.

However, when I click "customise ruleset", no rules are selected, which suggests that the converter did not work correctly.

I could also add a new provider and found it confusing that no categories are enabled automatically. It could happen that you add a couple of providers, but then there are still no rules enabled. That would be potentially dangerous. Thoughts on this?

Apart from that, this seems to work solidly even with the new perl release.

-Michael

> On 9 Apr 2021, at 20:27, Stefan Schantl wrote:
>
> Hello Development Team and list followers,
>
> there are a lot of different vendors out there which offer different
> IDS rules for suricata. Some of them offer a complete set of rules and
> others some very specialized rules for different tasks.
>
> Unfortunately it was only possible to select one ruleset provider
> at the same time, so it usually wasn't an option to use one of them and
> keep a lot of traffic uninspected by the IDS.
>
> Today I'm very happy to announce a testing version of a reworked
> Intrusion Detection System which supports the usage of multiple
> different providers and rulesets at the same time.
>
> In total up to 15 different ruleset providers can now be used and mixed
> together to fit your personal requirements. They can easily be managed
> and configured via the WUI. Of course each one can individually be
> disabled or re-enabled at any time.
>
> The section for customizing the entire ruleset has been moved to a
> subpage, which allows enabling a certain number of ruleset files or
> enabling / disabling single rules inside them.
>
> This helps to speed up the CGI if you want to manage your whitelist,
> manage your ruleset providers or change basic settings of your IDS.
>
> If you liked this short introduction, please help us test to get
> this cool stuff as soon as possible into the core distribution and to
> find bugs or other improvements.
>
> The test versions and some screenshots can be found here:
>
> https://people.ipfire.org/~stevee/ids-multiple-providers/
>
> To join testing, please download the latest tarball and place it on
> your IPFire test machine.
>
> Extract the archive by using "tar -xvf ids-multiple-providers-
> XXX.tar.gz -C /" on your local console or via SSH remote session.
>
> The next steps would be to regenerate the language cache by executing
> "update-langs-cache" and to launch "convert-ids-multiple-providers".
>
> The converter will convert all your existing settings into the new
> format and will also take care of your used rules and their
> settings.
>
> As usual, please report back any kind of feedback on this list and
> submit any found bugs to our bugtracker (https://bugs.ipfire.org).
>
> Thanks in advance,
>
> -Stefan
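The failures Michael walks through above are all environment pre-conditions: a converter without the execute bit, a mistyped require path, and config files under /var/ipfire/suricata that are either absent or owned by root while the CGI writes them as nobody. The POSIX shell check below is an added example written for this thread; it is not part of Stefan's tarball or of the IPFire project. It only uses the paths and symptoms quoted in the report. The optional ROOT argument (an assumption of this example, so the check can be run against a staging tree) and the expected-owner argument (defaulting to nobody:nobody, which is what Michael had to chown the files to) are this example's own conventions.

```shell
#!/bin/sh
# Pre-flight check for the IDS multiple-provider test build.
# Added example for this thread; not part of the tarball or the IPFire project.
# It flags exactly the failure modes from the bug report:
#   - /usr/sbin/convert-ids-multiple-providers not executable
#   - the script still requiring ids-functions.pl1 (the reported typo)
#   - the three /var/ipfire/suricata files missing or not owned by the CGI user
# Arguments (both optional, assumed by this example):
#   $1  ROOT  prefix to check instead of the live filesystem (default: "")
#   $2  OWNER expected owner of the config files (default: nobody:nobody)

ids_preflight() {
    root="${1:-}"
    owner_expected="${2:-nobody:nobody}"
    conv="$root/usr/sbin/convert-ids-multiple-providers"
    problems=0

    if [ ! -x "$conv" ]; then
        echo "NOT EXECUTABLE: $conv (fix: chmod a+x $conv)"
        problems=$((problems + 1))
    fi

    # "Can't locate /var/ipfire/ids-functions.pl1" in the report points at a
    # mistyped require line; catch it before the converter is run at all.
    if [ -r "$conv" ] && grep -q 'ids-functions\.pl1' "$conv"; then
        echo "TYPO: $conv references ids-functions.pl1 (should be ids-functions.pl)"
        problems=$((problems + 1))
    fi

    for name in oinkmaster-emerging-modified-sids.conf \
                suricata-used-providers.yaml \
                oinkmaster-provider-includes.conf; do
        path="$root/var/ipfire/suricata/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING: $path (the converter and ids.cgi need to write it)"
            problems=$((problems + 1))
            continue
        fi
        # GNU stat first, BSD stat as a fallback.
        owner=$(stat -c '%U:%G' "$path" 2>/dev/null || stat -f '%Su:%Sg' "$path")
        if [ "$owner" != "$owner_expected" ]; then
            echo "OWNER: $path is $owner, expected $owner_expected (fix: chown $owner_expected $path)"
            problems=$((problems + 1))
        fi
        # Informational only: an empty file after running the converter matches
        # the "didn't convert anything" symptom and is worth a second look.
        [ -s "$path" ] || echo "NOTE: $path is empty"
    done

    echo "$problems problem(s) found"
    return "$problems"
}

# Run against the live system (no arguments) or a staging tree (first argument).
# The trailing "|| :" keeps the report visible without aborting a calling script.
ids_preflight "$@" || :
```

Run it on the test box right after unpacking the tarball and again after `convert-ids-multiple-providers`; the return value of `ids_preflight` is the number of problems found, so a wrapper can branch on it, and the "NOTE: ... is empty" lines after the second run are the quickest hint that the converter wrote nothing.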