From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Wed, 14 Apr 2021 10:12:03 +0100
Message-ID:
In-Reply-To: <7c83c6eda08cd01138181dc56c089d66e8d11af5.camel@ipfire.org>

> On 13 Apr 2021, at 19:57, Stefan Schantl wrote:
> 
> Hello Adolf,
> 
> thank you very much for your huge effort in testing this and providing
> this very detailed feedback.
> 
> While reading through your single steps it sometimes feels like getting
> a knot inside my brain....
> 
>> Hi Stefan,
>> 
>> I did a bit more testing.
>> 
>> I added the snort community rules set. I then went to customise and
>> left the snort rules unchecked then pressed apply.
>> 
>> I then disabled the snort rules from the main page and on the
>> customise page the snort rules were no longer showing.
> 
> Works as designed.
> 
>> 
>> I then enabled the snort rules on the first page and then went to
>> customise but the snort rules still were not showing.
> 
> Very good catch - Fixed.
> 
>> 
>> I deleted the snort ruleset provider on the first page and then added
>> them back and now the snort ruleset was shown again on the customise
>> page.
> 
> OK.
> 
>> 
>> I then checked the snort ruleset and applied it and then entered
>> customise again and unchecked the snort ruleset and applied it. When
>> I went back into customise the snort ruleset was checked again. So
>> once checked I could not uncheck it and keep it that way by pressing
>> apply.
>> 
> 
> Confirmed. Thanks for finding this.
> 
>> I then deleted the snort ruleset provider from the first page. Then
>> the ruleset was gone from the customise page.
>> 
>> Then I added the snort ruleset provider back in but then got an error
>> message saying that the snort ruleset provider was already selected.
>> I then pressed back and came back to the main page with no snort
>> ruleset provider but also with the page only showing down to the
>> Ruleset Settings table. There was nothing else after that.
>> 
>> The httpd/error_log showed the following
>> 
>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>> Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512
>> 
>> Reloading the IPFire browser page and going back to the IDS main page
>> gives the same result with the additional two lines in the log
>> 
>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>> Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512.
>> 
> 
> Sorry I'm unable to reproduce this - maybe a download error?

Might be. You do not check if stat() was successful and continue working with the result:

https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=blob;f=config/cfgroot/ids-functions.pl;h=7e7ad46b53ee1481d1c56f436ff0ee2636e767ce;hb=de30329f3b089302969d5f79709855b57605df57#l1498

Just check if stat() returned something useful before continuing.

>> 
>> Sorry for breaking it again. If any of my steps are not clear let me
>> know and I will clarify where necessary.
> 
> Hey, this is why we do testing - each bug found before release is a good
> bug! :)

-Michael

> 
>> 
>> 
>> Regards,
>> 
>> Adolf.
>> 
>> 
>> On 11/04/2021 11:49, Adolf Belka wrote:
>>> Hi Stefan,
>>> 
>>> I have installed the new version from scratch in my ipfire vm
>>> testbed. I followed "all" the instructions this time :-)
>>> 
>>> I was able to add additional providers and then go and select the
>>> rules I wanted and had no problems at all.
>>> 
>>> Looks like all fixed. I will do further evaluation of it over the
>>> next few days and let you know how things go for me.
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
>>> On 11/04/2021 10:46, Stefan Schantl wrote:
>>>> Hello again,
>>>> 
>>>> I've tested and uploaded the fourth test version.
>>>> 
>>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-004.tar.gz
>>>> 
>>>> This time the ownership of all files is correct on my test
>>>> system.
>>>> 
>>>> (Tested with ruleset changes and without)
>>>> 
>>>> Best regards,
>>>> 
>>>> -Stefan
>>>> 
>>>>> Best regards,
>>>>> 
>>>>> -Stefan
>>>>> 
>>>>>> Hi Stefan,
>>>>>> 
>>>>>> I copied the new tarfile to my ipfire vm testbed machine and
>>>>>> extracted it and ran the converter script. No errors. I then used the
>>>>>> wui page to add a new provider to the list then selected to customize
>>>>>> the rules and ticked the box for the added rules. Then I pressed
>>>>>> apply and got a blank white screen again.
>>>>>> 
>>>>>> 
>>>>>> The error log has the following:-
>>>>>> 
>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>>>> Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
>>>>>> 
>>>>>> 
>>>>>> ls -hal of /var/ipfire/suricata shows the following
>>>>>> 
>>>>>> drwxr-xr-x  2 nobody nobody 4.0K Apr 10 22:47 .
>>>>>> drwxr-xr-x 49 root   root   4.0K Apr  5 08:20 ..
>>>>>> -rw-r--r--  1 nobody nobody    0 Dec 14 19:05 ignored
>>>>>> -rw-r--r--  1 root   root    21K Apr  1 20:00 oinkmaster.conf
>>>>>> -rw-r--r--  1 nobody nobody   61 Apr 10 14:40 oinkmaster-modify-sids.conf
>>>>>> -rw-r--r--  1 root   root      0 Apr 10 14:54 oinkmaster-provider-includes.conf
>>>>>> -rw-r--r--  1 nobody nobody   55 Apr 10 22:47 providers-settings
>>>>>> -rw-r--r--  1 root   root   6.0K Apr  5 07:13 ruleset-sources
>>>>>> -rw-r--r--  1 nobody nobody  102 Apr 10 14:54 settings
>>>>>> -rw-r--r--  1 nobody nobody  140 Apr 10 22:41 suricata-dns-servers.yaml
>>>>>> -rw-r--r--  1 nobody nobody  125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
>>>>>> -rw-r--r--  1 nobody nobody  159 Apr 10 22:41 suricata-homenet.yaml
>>>>>> -rw-r--r--  1 nobody nobody   98 Apr 10 14:40 suricata-http-ports.yaml
>>>>>> -rw-r--r--  1 nobody nobody   95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
>>>>>> -rw-r--r--  1 nobody nobody   76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
>>>>>> -rw-r--r--  1 nobody nobody  214 Apr 10 14:54 suricata-used-providers.yaml
>>>>>> 
>>>>>> Three of the files are owned root:root while all the others are
>>>>>> nobody:nobody
>>>>>> 
>>>>>> 
>>>>>> The above was with extracting and applying the updated tar file on
>>>>>> top of IPFire after running the last version.
>>>>>> 
>>>>>> I will do a fresh clone of my IPFire vm and then repeat the tar
>>>>>> extraction and convert and see if that gives any difference.
>>>>>> 
>>>>>> 
>>>>>> Regards,
>>>>>> 
>>>>>> Adolf
>>>>>> 
>>>>>> On 10/04/2021 20:25, Stefan Schantl wrote:
>>>>>>> Hello list followers,
>>>>>>> 
>>>>>>> after getting a lot of feedback and bug reports I'm happy to
>>>>>>> announce the third test version for the new IDS system.
>>>>>>> 
>>>>>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
>>>>>>> 
>>>>>>> If you are just joining testing, please omit the installation
>>>>>>> instructions from the initial mail to this list.
>>>>>>> 
>>>>>>> The converter script now works as expected and runs very smoothly.
>>>>>>> 
>>>>>>> As usual please post your feedback and opinions to this list and any
>>>>>>> remaining bugs to our bugtracker. (https://bugzilla.ipfire.org)
>>>>>>> 
>>>>>>> A big thanks in advance,
>>>>>>> 
>>>>>>> -Stefan
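The stat() check Michael asks for, as an added illustration that is not code from ids-functions.pl or anywhere else in IPFire: File::stat's stat() returns undef when the path cannot be stat'ed (a ruleset that was never downloaded, for instance), and calling ->mtime on that undef is exactly the "Can't call method "mtime" on an undefined value" line from the error log. The helper names mtime_unchecked and mtime_checked and the temporary file paths are invented here; the existing/missing inputs are constructed inline so the script runs offline.

```perl
#!/usr/bin/perl
# Added example, not code from ids-functions.pl: shows why an unchecked
# File::stat::stat() call ends in 'Can't call method "mtime" on an
# undefined value', and the guarded form that reports the failure instead.
use strict;
use warnings;
use File::stat;              # object-returning stat(), as ids-functions.pl uses
use File::Temp qw(tempfile);

# Unchecked variant (the pattern Michael points at): stat() returns undef
# when the file is missing or unreadable, and ->mtime on undef dies.
sub mtime_unchecked {
	my ($file) = @_;
	my $stat = stat($file);
	return $stat->mtime;
}

# Guarded variant: test the return value first, log why stat() failed
# ($! still holds the errno), and hand undef back to the caller so a
# CGI page can degrade gracefully instead of aborting mid-render.
sub mtime_checked {
	my ($file) = @_;
	my $stat = stat($file);
	unless (defined $stat) {
		warn "Could not stat $file: $!\n";
		return;
	}
	return $stat->mtime;
}

# Constructed inputs: a temporary file that exists, and a sibling path
# that does not (a stand-in for a ruleset tarball that never downloaded).
my ($fh, $existing) = tempfile(UNLINK => 1);
print $fh "dummy ruleset\n";
close $fh or die "close: $!";
my $missing = "$existing.not-downloaded";

my $ok = mtime_checked($existing);
print "$existing: mtime=$ok\n";

my $none = mtime_checked($missing);
print "$missing: ", (defined $none ? "mtime=$none" : "no stat result, skipped"), "\n";

# The unchecked form dies on the same input; eval captures the message.
eval { mtime_unchecked($missing) };
print "unchecked form died with: $@" if $@;
```

Run it with plain `perl`; the warn line from mtime_checked and the captured die message from mtime_unchecked appear side by side, the second one being the text that reached httpd/error_log. The guarded form is what a caller inside a CGI script wants, since an uncaught die there produces the truncated page Adolf described rather than an error the user can act on.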