From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Sun, 11 Apr 2021 12:18:36 +0200

Hi Stefan,

I did a bit more testing.

I added the snort community rules set. I then went to customise and left the snort rules unchecked then pressed apply.

I then disabled the snort rules from the main page and on the customise page the snort rules were no longer showing.

I then enabled the snort rules on the first page and then went to customise but the snort rules still were not showing.

I deleted the snort ruleset provider on the first page and then added them back and now the snort ruleset was shown again on the customise page.

I then checked the snort ruleset and applied it and then entered customise again and unchecked the snort ruleset and applied it. When I went back into customise the snort ruleset was checked again. So once checked I could not uncheck it and keep it that way by pressing apply.

I then deleted the snort ruleset provider from the first page. Then the ruleset was gone from the customise page.

Then I added the snort ruleset provider back in but then got an error message saying that the snort ruleset provider was already selected. I then pressed back and came back to the main page with no snort ruleset provider but also with the page only showing down to the Ruleset Settings table. There was nothing else after that.

The httpd/error_log showed the following:

Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512

Reloading the IPFire browser page and going back to the IDS main page gives the same result with the additional two lines in the log:

Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
Can't call method "mtime" on an undefined value at /var/ipfire/ids-functions.pl line 1512.

Sorry for breaking it again. If any of my steps are not clear let me know and I will clarify where necessary.

Regards,

Adolf.

On 11/04/2021 11:49, Adolf Belka wrote:
> Hi Stefan,
>
> I have installed the new version from scratch in my ipfire vm testbed. I followed "all" the instructions this time :-)
>
> I was able to add additional providers and then go and select the rules I wanted and had no problems at all.
>
> Looks like all fixed. I will do further evaluation of it over the next few days and let you know how things go for me.
>
> Regards,
>
> Adolf.
>
> On 11/04/2021 10:46, Stefan Schantl wrote:
>> Hello again,
>>
>> I've tested and uploaded the fourth test version.
>>
>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-004.tar.gz
>>
>> This time the ownership of all files is correct on my test system.
>>
>> (Tested with ruleset changes and without)
>>
>> Best regards,
>>
>> -Stefan
>>
>>> Best regards,
>>>
>>> -Stefan
>>>
>>>> Hi Stefan,
>>>>
>>>> I copied the new tarfile to my ipfire vm testbed machine and extracted it and ran the converter script. No errors. I then used the wui page to add a new provider to the list then selected to customize the rules and ticked the box for the added rules. Then I pressed apply and got a blank white screen again.
>>>>
>>>> The error log has the following:
>>>>
>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>>>> Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
>>>>
>>>> ls -hal of /var/ipfire/suricata shows the following:
>>>>
>>>> drwxr-xr-x  2 nobody nobody 4.0K Apr 10 22:47 .
>>>> drwxr-xr-x 49 root   root   4.0K Apr  5 08:20 ..
>>>> -rw-r--r--  1 nobody nobody    0 Dec 14 19:05 ignored
>>>> -rw-r--r--  1 root   root    21K Apr  1 20:00 oinkmaster.conf
>>>> -rw-r--r--  1 nobody nobody   61 Apr 10 14:40 oinkmaster-modify-sids.conf
>>>> -rw-r--r--  1 root   root      0 Apr 10 14:54 oinkmaster-provider-includes.conf
>>>> -rw-r--r--  1 nobody nobody   55 Apr 10 22:47 providers-settings
>>>> -rw-r--r--  1 root   root   6.0K Apr  5 07:13 ruleset-sources
>>>> -rw-r--r--  1 nobody nobody  102 Apr 10 14:54 settings
>>>> -rw-r--r--  1 nobody nobody  140 Apr 10 22:41 suricata-dns-servers.yaml
>>>> -rw-r--r--  1 nobody nobody  125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
>>>> -rw-r--r--  1 nobody nobody  159 Apr 10 22:41 suricata-homenet.yaml
>>>> -rw-r--r--  1 nobody nobody   98 Apr 10 14:40 suricata-http-ports.yaml
>>>> -rw-r--r--  1 nobody nobody   95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
>>>> -rw-r--r--  1 nobody nobody   76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
>>>> -rw-r--r--  1 nobody nobody  214 Apr 10 14:54 suricata-used-providers.yaml
>>>>
>>>> Three of the files are owned root:root while all the others are nobody:nobody.
>>>>
>>>> The above was with extracting and applying the updated tar file on top of IPFire after running the last version.
>>>>
>>>> I will do a fresh clone of my IPFire vm and then repeat the tar extraction and convert and see if that gives any difference.
>>>>
>>>> Regards,
>>>>
>>>> Adolf
>>>>
>>>> On 10/04/2021 20:25, Stefan Schantl wrote:
>>>>> Hello list followers,
>>>>>
>>>>> after getting a lot of feedback and bug reports I'm happy to announce the third test version for the new IDS system.
>>>>>
>>>>> https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
>>>>>
>>>>> If you just join testing, please omit the installation instructions from the initial Mail from this list.
>>>>>
>>>>> The converter script now works as expected and runs very smoothly.
>>>>>
>>>>> As usual please post your feedback and opinions to this list and any remaining bugs to our bugtracker. (https://bugzilla.ipfire.org)
>>>>>
>>>>> A big thanks in advance,
>>>>>
>>>>> -Stefan
>>>>>
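Added here as an example, not code from the thread or from the IPFire project: a small ownership check for the situation in the quoted listing, where three files in /var/ipfire/suricata were root:root while the web interface could only open files owned nobody:nobody. It assumes the expected owner and group are nobody:nobody (as the other files in the listing show) and that GNU find is available, as on IPFire; the sample listing is constructed to mirror the one in the mail.

```shell
#!/bin/sh
# Added example, not code from the IPFire thread or project.
# Reports files whose owner or group differs from the expected pair,
# either from an `ls -l` style listing or from a live directory.
# Assumption: the expected owner/group is nobody:nobody, matching the
# files the web interface itself writes in the listing from the mail.

# misowned_from_listing USER GROUP: read an `ls -l` listing on stdin and
# print "<name> <owner>:<group>" for each regular file not owned as
# expected. Directory entries ("." and "..") are skipped.
misowned_from_listing() {
    awk -v u="$1" -v g="$2" '
        # ls -l fields: mode links owner group size month day time name
        $1 ~ /^-/ && NF >= 9 && ($3 != u || $4 != g) {
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            print name " " $3 ":" $4
        }'
}

# misowned_in_dir USER GROUP DIR: the same check on a real directory,
# e.g. misowned_in_dir nobody nobody /var/ipfire/suricata
# (uses GNU find -printf, which IPFire ships).
misowned_in_dir() {
    find "$3" -maxdepth 1 -type f \( ! -user "$1" -o ! -group "$2" \) \
        -printf '%f %u:%g\n' | sort
}

# Constructed listing mirroring a subset of the one quoted in the mail.
SAMPLE_LISTING='drwxr-xr-x  2 nobody nobody 4.0K Apr 10 22:47 .
drwxr-xr-x 49 root   root   4.0K Apr  5 08:20 ..
-rw-r--r--  1 nobody nobody    0 Dec 14 19:05 ignored
-rw-r--r--  1 root   root    21K Apr  1 20:00 oinkmaster.conf
-rw-r--r--  1 nobody nobody   61 Apr 10 14:40 oinkmaster-modify-sids.conf
-rw-r--r--  1 root   root      0 Apr 10 14:54 oinkmaster-provider-includes.conf
-rw-r--r--  1 nobody nobody   55 Apr 10 22:47 providers-settings
-rw-r--r--  1 root   root   6.0K Apr  5 07:13 ruleset-sources
-rw-r--r--  1 nobody nobody  102 Apr 10 14:54 settings'

# sample_report: run the listing check over the constructed sample;
# prints the three root:root files, one per line.
sample_report() {
    printf '%s\n' "$SAMPLE_LISTING" | misowned_from_listing nobody nobody
}

sample_report
```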