Date: Mon, 11 May 2026 09:32:34 +0200
Subject: Re: IDS / Snort/VRT GPLv2 Community-Rules : Error parsing signature... - but I can't deactivate specific rule(s)
To: development@lists.ipfire.org
From: Matthias Fischer

On 11.05.2026 03:04, Jay Lubomirski wrote:
> Hi Matthias,

Hi Jay,

tested. Seems to work.

This was odd...

Before I tested your patch, I checked '/var/ipfire/community-modifications', which contained the appropriate SID: '26470=disabled'. But no chance.

After applying your patch, the file hasn't changed, but line 2581 in '/var/lib/suricata/community-community.rules' now starts with a "#".

=> Works. Rule is unchecked and stays that way.

Will test further...

Thanks!
Matthias

> I've been using this patch to fix the can't uncheck a rule problem: > > # /var/ipfire/ids-functions.pl > # > --- ids-functions.pl.old > +++ ids-functions.pl.new
> @@ -614,8 +614,8 @@ > # Check if the Provider is set so IPS mode. > if ($providers_mode{$provider} eq "IPS") { > # Replacements for sourcefire rules. > - $line =~ > s/^#\s*(?:alert|drop)(.+policy balanced-ips alert)/alert${1}/; > - $line =~ > s/^#\s*(?:alert|drop)(.+policy balanced-ips drop)/drop${1}/; > + $line =~ s/^(?:alert|drop)(.+policy > balanced-ips alert)/alert${1}/; > + $line =~ s/^(?:alert|drop)(.+policy > balanced-ips drop)/drop${1}/; > > # Replacements for generic rules. > $line =~ > s/^(#?)\s*(?:alert|drop)/${1}drop/; > > Can you see if that helps in your situation? > > Jay Lubomirski > > On Sat, May 9, 2026 at 12:12 PM Matthias Fischer < > matthias.fischer@ipfire.org> wrote: > >> Hi list, >> >> IDS is running with several rulesets, no seen problems, but one set >> always throws this error: >> >> ***SNIP*** >> [1433] -- error parsing signature "drop tcp $EXTERNAL_NET >> $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam >> 2013 dated zip/exe HTTP Response - potential malware download"; >> flow:to_client,established; content:"-2013.zip|0D 0A|"; >> fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; >> within:1; distance:-14; http_header; file_data; content:"-2013.exe"; >> content:"-"; within:1; distance:-14; metadata:impact_flag red, policy >> balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, >> ruleset community, service http; >> reference:url, >> www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/ >> ; >> classtype:trojan-activity; sid:26470; rev:2;)" from file >> /var/lib/suricata/community-community.rules at line 2581 >> ***SNAP*** >> >> Everything is working fine - except for this error message. >> >> So I tried to deactivate this rule - but I can't. Every time I uncheck >> this rule, it gets checked again. No chance. There are others — >> apparently not every rule — who also refuse to get unchecked. >> >> Can anyone confirm? 
>>
>> Best
>> Matthias
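Review bot: the two `-` lines anchor on `^#\s*(?:alert|drop)`, so they strip the leading `#` from a rule the user has disabled (recorded as `26470=disabled` in community-modifications) whenever its metadata carries `policy balanced-ips alert` or `policy balanced-ips drop`, which is exactly why the rule keeps coming back checked; the `+` lines anchor on `^(?:alert|drop)` instead, leave commented lines untouched, and are now consistent with the generic replacement two lines below, which already preserves the marker via `(#?)`. Two points to confirm before this goes in: first, a rule that the upstream ruleset itself ships commented out with `policy balanced-ips drop` metadata will now stay disabled until someone enables it in the UI, which is a behaviour change if the old code was being relied on to activate such rules; second, the first `+` line rewrites the action to `alert${1}`, but the unchanged `$line =~ s/^(#?)\s*(?:alert|drop)/${1}drop/` that follows in the same block turns any leading `alert` straight back into `drop`, so that substitution is effectively a no-op in IPS mode and either it can go or the generic replacement needs a guard. Note also that this change only restores the ability to comment sid 26470 out; the underlying "error parsing signature" for that rule (presumably the `reference:url, www.virustotal.com/...` keyword with whitespace after the comma) is not addressed and will reappear if the rule is ever re-enabled. Minor: the context comment "set so IPS mode" should read "set to IPS mode".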