From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Thu, 15 Apr 2021 12:08:57 +0100

> On 14 Apr 2021, at 20:16, Stefan Schantl wrote:
>
> On Tuesday, 13.04.2021, 20:57 +0200, Stefan Schantl wrote:
>> Hello Adolf,
>>
>> thank you very much for your huge effort in testing this and providing this very detailed feedback.
>>
>> While reading through your individual steps it sometimes feels like I am close to getting a knot in my brain....
>>
>>> Hi Stefan,
>>>
>>> I did a bit more testing.
>>>
>>> I added the snort community rules set. I then went to customise and left the snort rules unchecked then pressed apply.
>>>
>>> I then disabled the snort rules from the main page and on the customise page the snort rules were no longer showing.
>>
>> Works as designed.
>>
>>> I then enabled the snort rules on the first page and then went to customise but the snort rules still were not showing.
>>
>> Very good catch - Fixed.
>>
>>> I deleted the snort ruleset provider on the first page and then added them back and now the snort ruleset was shown again on the customise page.
>>
>> OK.
>>
>>> I then checked the snort ruleset and applied it and then entered customise again and unchecked the snort ruleset and applied it. When I went back into customise the snort ruleset was checked again. So once checked I could not uncheck it and keep it that way by pressing apply.
>>>
>>
>> Confirmed. Thanks for finding this.
>
> Fixed by commit:
>
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=79cc92267f1811beab84ae190fc1c3724a67e5f4
>
>>
>>> I then deleted the snort ruleset provider from the first page. Then the ruleset was gone from the customise page.
>>>
>>> Then I added the snort ruleset provider back in but then got an error message saying that the snort ruleset provider was already selected. I then pressed back and came back to the main page with no snort ruleset provider but also with the page only showing down to the Ruleset Settings table. There was nothing else after that.
>>>
>>> The httpd/error_log showed the following
>>>
>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>> Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512
>>>
>>> Reloading the IPFire browser page and going back to the IDS main page gives the same result with the additional two lines in the log
>>>
>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>> Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512.
>>>
>>
>> Sorry I'm unable to reproduce this - maybe a download error?
>
> Fixed by
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=7cf0ecadc14c2a8f6a711ff3ff3dfa2c0a516fb5
> and
> https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=e59b8178e0cb4098904a8c0f591639d92a1f625e

I do not think that the second patch fixes the problem. You are still using the return value of stat() here:

    my $mtime = $stat->mtime;

This might be set to "undefined" and localtime() and strftime() might return undefined as well, but you could simply return "N/A" just after calling stat.
>
>>
>>> Sorry for breaking it again. If any of my steps are not clear let me know and I will clarify where necessary.
>>
>> Hey, this is why we do testing - each bug found before release is a good bug!
>>
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>
>>> On 11/04/2021 11:49, Adolf Belka wrote:
>>>> Hi Stefan,
>>>>
>>>> I have installed the new version from scratch in my ipfire vm testbed. I followed "all" the instructions this time :-)
>>>>
>>>> I was able to add additional providers and then go and select the rules I wanted and had no problems at all.
>>>>
>>>> Looks like all fixed. I will do further evaluation of it over the next few days and let you know how things go for me.
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>> On 11/04/2021 10:46, Stefan Schantl wrote:
>>>>> Hello again,
>>>>>
>>>>> I've tested and uploaded the fourth test version.
>>>>>
>>>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-004.tar.gz
>>>>>
>>>>> This time the ownership of all files is correct on my test system.
>>>>>
>>>>> (Tested with ruleset changes and without)
>>>>>
>>>>> Best regards,
>>>>>
>>>>> -Stefan
>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> -Stefan
>>>>>>
>>>>>>> Hi Stefan,
>>>>>>>
>>>>>>> I copied the new tarfile to my ipfire vm testbed machine and extracted it and ran the converter script. No errors. I then used the wui page to add a new provider to the list then selected to customize the rules and ticked the box for the added rules. Then I pressed apply and got a blank white screen again.
>>>>>>>
>>>>>>>
>>>>>>> The error log has the following:-
>>>>>>>
>>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>>> Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
>>>>>>>
>>>>>>>
>>>>>>> ls -hal of /var/ipfire/suricata shows the following
>>>>>>>
>>>>>>> drwxr-xr-x  2 nobody nobody 4.0K Apr 10 22:47 .
>>>>>>> drwxr-xr-x 49 root   root   4.0K Apr  5 08:20 ..
>>>>>>> -rw-r--r--  1 nobody nobody    0 Dec 14 19:05 ignored
>>>>>>> -rw-r--r--  1 root   root    21K Apr  1 20:00 oinkmaster.conf
>>>>>>> -rw-r--r--  1 nobody nobody   61 Apr 10 14:40 oinkmaster-modify-sids.conf
>>>>>>> -rw-r--r--  1 root   root      0 Apr 10 14:54 oinkmaster-provider-includes.conf
>>>>>>> -rw-r--r--  1 nobody nobody   55 Apr 10 22:47 providers-settings
>>>>>>> -rw-r--r--  1 root   root   6.0K Apr  5 07:13 ruleset-sources
>>>>>>> -rw-r--r--  1 nobody nobody  102 Apr 10 14:54 settings
>>>>>>> -rw-r--r--  1 nobody nobody  140 Apr 10 22:41 suricata-dns-servers.yaml
>>>>>>> -rw-r--r--  1 nobody nobody  125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
>>>>>>> -rw-r--r--  1 nobody nobody  159 Apr 10 22:41 suricata-homenet.yaml
>>>>>>> -rw-r--r--  1 nobody nobody   98 Apr 10 14:40 suricata-http-ports.yaml
>>>>>>> -rw-r--r--  1 nobody nobody   95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
>>>>>>> -rw-r--r--  1 nobody nobody   76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
>>>>>>> -rw-r--r--  1 nobody nobody  214 Apr 10 14:54 suricata-used-providers.yaml
>>>>>>>
>>>>>>> Three of the files are owned root:root while all the others are nobody:nobody
>>>>>>>
>>>>>>>
>>>>>>> The above was with extracting and applying the updated tar file on top of IPFire after running the last version.
>>>>>>>
>>>>>>> I will do a fresh clone of my IPFire vm and then repeat the tar extraction and convert and see if that gives any difference.
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Adolf
>>>>>>>
>>>>>>> On 10/04/2021 20:25, Stefan Schantl wrote:
>>>>>>>> Hello list followers,
>>>>>>>>
>>>>>>>> after getting a lot of feedback and bug reports I'm happy to announce the third test version for the new IDS system.
>>>>>>>>
>>>>>>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
>>>>>>>>
>>>>>>>> If you have just joined testing, please omit the installation instructions from the initial mail to this list.
>>>>>>>>
>>>>>>>> The converter script now works as expected and runs very smoothly.
>>>>>>>>
>>>>>>>> As usual please post your feedback and opinions to this list and any remaining bugs to our bugtracker. ( https://bugzilla.ipfire.org )
>>>>>>>>
>>>>>>>> A big thanks in advance,
>>>>>>>>
>>>>>>>> -Stefan
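Added example, not code from this thread or from IPFire: it reproduces the failure Adolf logged ("Can't call method "mtime" on an undefined value") and the guard Michael suggests, in plain Perl with File::stat. Under File::stat, stat() returns undef when the file cannot be stat'ed, so any method call on that result dies; checking the return value right after the stat() call and returning "N/A" is what keeps the CGI page from aborting. The function names and the missing path are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not IPFire code): handling an undefined return value
# from File::stat's stat() before formatting a modification time.
use strict;
use warnings;
use File::stat;            # overrides the builtin stat() with an OO version
use POSIX qw(strftime);

# Fragile version: mirrors the pattern discussed above. File::stat's
# stat() returns undef for a file that cannot be stat'ed (e.g. it does
# not exist yet), so "$stat->mtime" dies with:
#   Can't call method "mtime" on an undefined value
sub mtime_string_fragile {
	my ($file) = @_;

	my $stat  = stat($file);
	my $mtime = $stat->mtime;

	return strftime("%Y-%m-%d %H:%M:%S", localtime($mtime));
}

# Guarded version: check the result of stat() immediately and return
# "N/A" before anything tries to call a method on it. localtime() and
# strftime() are then only ever given a defined epoch value.
sub mtime_string {
	my ($file) = @_;

	my $stat = stat($file);
	return "N/A" unless defined $stat;

	return strftime("%Y-%m-%d %H:%M:%S", localtime($stat->mtime));
}

# Constructed inputs for the demonstration: this script itself (always
# present) and a path assumed not to exist on the test machine.
my $existing = $0;
my $missing  = "/var/ipfire/suricata/does-not-exist.yaml";

print "guarded, existing file: ", mtime_string($existing), "\n";
print "guarded, missing file:  ", mtime_string($missing), "\n";

# The fragile variant dies on the missing file; eval catches it so the
# script can show the message instead of aborting like the CGI did.
my $ok = eval { mtime_string_fragile($missing); 1 };
print "fragile, missing file died with: $@" unless $ok;
```

The same check applies to any other File::stat accessor (size, uid, mode); the test for definedness belongs on the object returned by stat(), not on the individual field, because by the time the field is read the method call has already failed.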