From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Wed, 14 Apr 2021 21:16:28 +0200
In-Reply-To: <7c83c6eda08cd01138181dc56c089d66e8d11af5.camel@ipfire.org>

On Tuesday, 13.04.2021, 20:57 +0200, Stefan Schantl wrote:
> Hello Adolf,
> 
> thank you very much for your huge effort in testing this and providing
> this very detailed feedback.
> 
> While reading through your individual steps, it sometimes feels like I'm
> close to getting a knot in my brain....
> 
> > Hi Stefan,
> > 
> > I did a bit more testing.
> > 
> > I added the snort community rules set. I then went to customise and
> > left the snort rules unchecked then pressed apply.
> > 
> > I then disabled the snort rules from the main page and on the
> > customise page the snort rules were no longer showing.
> 
> Works as designed.
> 
> > I then enabled the snort rules on the first page and then went to
> > customise but the snort rules still were not showing.
> 
> Very good catch - Fixed.
> 
> > I deleted the snort ruleset provider on the first page and then added
> > them back and now the snort ruleset was shown again on the customise
> > page.
> 
> OK.
> 
> > I then checked the snort ruleset and applied it and then entered
> > customise again and unchecked the snort ruleset and applied it. When
> > I went back into customise the snort ruleset was checked again. So
> > once checked I could not uncheck it and keep it that way by pressing
> > apply.
> 
> Confirmed. Thanks for finding this.

Fixed by commit:
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=79cc92267f1811beab84ae190fc1c3724a67e5f4

> 
> > I then deleted the snort ruleset provider from the first page. Then
> > the ruleset was gone from the customise page.
> > 
> > Then I added the snort ruleset provider back in but then got an error
> > message saying that the snort ruleset provider was already selected.
> > I then pressed back and came back to the main page with no snort
> > ruleset provider but also with the page only showing down to the
> > Ruleset Settings table. There was nothing else after that.
> > 
> > The httpd/error_log showed the following
> > 
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512
> > 
> > Reloading the IPFire browser page and going back to the IDS main page
> > gives the same result with the additional two lines in the log
> > 
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512.
> 
> Sorry, I'm unable to reproduce this - maybe a download error?

Fixed by
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=7cf0ecadc14c2a8f6a711ff3ff3dfa2c0a516fb5
and
https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=e59b8178e0cb4098904a8c0f591639d92a1f625e

> 
> > Sorry for breaking it again. If any of my steps are not clear let me
> > know and I will clarify where necessary.
> 
> Hey, this is why we do testing - each bug found before release is a good
> bug!
> 
> > 
> > Regards,
> > 
> > Adolf.
> > 
> > 
> > On 11/04/2021 11:49, Adolf Belka wrote:
> > > Hi Stefan,
> > > 
> > > I have installed the new version from scratch in my ipfire vm
> > > testbed. I followed "all" the instructions this time :-)
> > > 
> > > I was able to add additional providers and then go and select the
> > > rules I wanted and had no problems at all.
> > > 
> > > Looks like all fixed. I will do further evaluation of it over the
> > > next few days and let you know how things go for me.
> > > 
> > > Regards,
> > > 
> > > Adolf.
> > > 
> > > On 11/04/2021 10:46, Stefan Schantl wrote:
> > > > Hello again,
> > > > 
> > > > I've tested and uploaded the fourth test version.
> > > > 
> > > > https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-004.tar.gz
> > > > 
> > > > This time the ownership of all files is correct on my test
> > > > system.
> > > > 
> > > > (Tested with ruleset changes and without)
> > > > 
> > > > Best regards,
> > > > 
> > > > -Stefan
> > > > 
> > > > > Best regards,
> > > > > 
> > > > > -Stefan
> > > > > 
> > > > > > Hi Stefan,
> > > > > > 
> > > > > > I copied the new tarfile to my ipfire vm testbed machine and
> > > > > > extracted it and ran the converter script. No errors. I then
> > > > > > used the wui page to add a new provider to the list then
> > > > > > selected to customize the rules and ticked the box for the
> > > > > > added rules. Then I pressed apply and got a blank white screen
> > > > > > again.
> > > > > > 
> > > > > > The error log has the following:-
> > > > > > 
> > > > > > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > > > > > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > > > > > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > > > > > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > > > > > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > > > > > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > > > > > Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
> > > > > > 
> > > > > > ls -hal of /var/ipfire/suricata shows the following
> > > > > > 
> > > > > > drwxr-xr-x  2 nobody nobody 4.0K Apr 10 22:47 .
> > > > > > drwxr-xr-x 49 root   root   4.0K Apr  5 08:20 ..
> > > > > > -rw-r--r--  1 nobody nobody    0 Dec 14 19:05 ignored
> > > > > > -rw-r--r--  1 root   root    21K Apr  1 20:00 oinkmaster.conf
> > > > > > -rw-r--r--  1 nobody nobody   61 Apr 10 14:40 oinkmaster-modify-sids.conf
> > > > > > -rw-r--r--  1 root   root      0 Apr 10 14:54 oinkmaster-provider-includes.conf
> > > > > > -rw-r--r--  1 nobody nobody   55 Apr 10 22:47 providers-settings
> > > > > > -rw-r--r--  1 root   root   6.0K Apr  5 07:13 ruleset-sources
> > > > > > -rw-r--r--  1 nobody nobody  102 Apr 10 14:54 settings
> > > > > > -rw-r--r--  1 nobody nobody  140 Apr 10 22:41 suricata-dns-servers.yaml
> > > > > > -rw-r--r--  1 nobody nobody  125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
> > > > > > -rw-r--r--  1 nobody nobody  159 Apr 10 22:41 suricata-homenet.yaml
> > > > > > -rw-r--r--  1 nobody nobody   98 Apr 10 14:40 suricata-http-ports.yaml
> > > > > > -rw-r--r--  1 nobody nobody   95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
> > > > > > -rw-r--r--  1 nobody nobody   76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
> > > > > > -rw-r--r--  1 nobody nobody  214 Apr 10 14:54 suricata-used-providers.yaml
> > > > > > 
> > > > > > Three of the files are owned root:root while all the others
> > > > > > are nobody:nobody
> > > > > > 
> > > > > > The above was with extracting and applying the updated tar
> > > > > > file on top of IPFire after running the last version.
> > > > > > 
> > > > > > I will do a fresh clone of my IPFire vm and then repeat the
> > > > > > tar extraction and convert and see if that gives any
> > > > > > difference.
> > > > > > 
> > > > > > 
> > > > > > Regards,
> > > > > > 
> > > > > > Adolf
> > > > > > 
> > > > > > On 10/04/2021 20:25, Stefan Schantl wrote:
> > > > > > > Hello list followers,
> > > > > > > 
> > > > > > > after getting a lot of feedback and bug reports I'm happy
> > > > > > > to announce the third test version for the new IDS system.
> > > > > > > 
> > > > > > > https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
> > > > > > > 
> > > > > > > If you are just joining testing, please omit the
> > > > > > > installation instructions from the initial mail from this
> > > > > > > list.
> > > > > > > 
> > > > > > > The converter script now works as expected and runs very
> > > > > > > smoothly.
> > > > > > > 
> > > > > > > As usual please post your feedback and opinions to this
> > > > > > > list and any remaining bugs to our bugtracker
> > > > > > > (https://bugzilla.ipfire.org).
> > > > > > > 
> > > > > > > A big thanks in advance,
> > > > > > > 
> > > > > > > -Stefan
> > > > > > > 
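The "Permission denied" reported in the thread comes from the mixed ownership visible in the ls listing: three files under /var/ipfire/suricata were root:root while the rest were nobody:nobody, so the web interface, running as the unprivileged web user, could not open a file that a root-run step had created. The ownership audit below is an added example written for this page; it is not IPFire code and not part of the patches discussed. It assumes, from the listing, that the CGI runs as the user "nobody" and that the directory is /var/ipfire/suricata (both overridable through environment variables), and that the group should match the user. The repair function is meant to be run as root and refuses to run otherwise.

```shell
#!/bin/sh
# Added example (not IPFire code): audit file ownership under an IDS config
# directory against the user the web interface runs as, and optionally repair it.
# Assumptions taken from the listing in the thread: the CGI runs as "nobody"
# and the directory is /var/ipfire/suricata.

IDS_DIR=${IDS_DIR:-/var/ipfire/suricata}
WUI_USER=${WUI_USER:-nobody}

# Print every path under $1 whose owner is not $2.
# POSIX find's -user accepts a user name or a numeric uid.
ids_owner_mismatches() {
    find "$1" ! -user "$2" -print
}

# Number of mismatched paths as a bare integer (the directory itself counts).
ids_owner_mismatch_count() {
    ids_owner_mismatches "$1" "$2" | wc -l | tr -d ' '
}

# Succeed only when every path under $1 is owned by $2.
ids_ownership_ok() {
    [ "$(ids_owner_mismatch_count "$1" "$2")" -eq 0 ]
}

# Hand mismatched paths back to the web user (user and group). Needs root and
# refuses otherwise, so the audit functions stay safe from an unprivileged shell.
ids_fix_ownership() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "ids_fix_ownership: must run as root" >&2
        return 2
    fi
    find "$1" ! -user "$2" -exec chown "$2:$2" {} +
}

# Stand-alone use when saved as ids-owner-check.sh: report mismatches and
# exit non-zero if any exist, so it can run from a post-install check or cron.
if [ "${0##*/}" = "ids-owner-check.sh" ]; then
    if ids_ownership_ok "$IDS_DIR" "$WUI_USER"; then
        echo "ok: everything under $IDS_DIR is owned by $WUI_USER"
    else
        echo "paths under $IDS_DIR not owned by $WUI_USER:" >&2
        ids_owner_mismatches "$IDS_DIR" "$WUI_USER" >&2
        exit 1
    fi
fi
```

Saved as ids-owner-check.sh and run after extracting a test tarball, the script prints exactly the paths that a root shell left behind (in the listing above it would have named oinkmaster.conf, oinkmaster-provider-includes.conf and ruleset-sources), which is quicker than reading an ls listing by eye; `ids_fix_ownership "$IDS_DIR" "$WUI_USER"` as root then restores nobody:nobody on just those paths.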