From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: IDS with support for multiple ruleset providers
Date: Sun, 11 Apr 2021 08:59:49 +0200
Message-ID: <df0d8a053162a5299121bd6b5901cafce192f5fe.camel@ipfire.org>
In-Reply-To: <048dd4a8-cf03-c898-eee3-ca2bf545b677@ipfire.org>

Good morning Adolf,

you missed updating the language cache after extracting the archive,
so the language strings are missing and the WUI loops infinitely here.

Best regards,

-Stefan

> Hi Stefan,
>
> I did a fresh install of the latest tar file and ran the convert
> script. It ran for a bit longer than in the past and then stopped
> with no errors.
>
> I then went to the WUI page and it showed "Downloading and unpacking
> new ruleset. Please wait until all operations have completed
> successfully..."
>
> It is still showing that message after more than 5 minutes and the
> error log has a large number of the following lines in it:-
>
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
>
> The number of lines keeps increasing with time so it seems something
> is in a loop. So this time I never even got to see the IDS WUI page.
> Reloading the IPFire browser and re-selecting IDS gives the same
> message.
>
>
> Regards,
>
> Adolf.
>
> On 10/04/2021 22:56, Adolf Belka wrote:
> > Hi Stefan,
> >
> > I copied the new tarfile to my ipfire vm testbed machine and
> > extracted it and ran the converter script. No errors. I then used
> > the wui page to add a new provider to the list then selected to
> > customize the rules and ticked the box for the added rules. Then I
> > pressed apply and got a blank white screen again.
> >
> >
> > The error log has the following:-
> >
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Smartmatch is experimental at /srv/web/ipfire/cgi-bin/ids.cgi line 288.
> > Could not open /var/ipfire/suricata/oinkmaster-provider-includes.conf. Permission denied
> >
> >
> > ls -hal of /var/ipfire/suricata shows the following
> >
> > drwxr-xr-x 2 nobody nobody 4.0K Apr 10 22:47 .
> > drwxr-xr-x 49 root root 4.0K Apr 5 08:20 ..
> > -rw-r--r-- 1 nobody nobody 0 Dec 14 19:05 ignored
> > -rw-r--r-- 1 root root 21K Apr 1 20:00 oinkmaster.conf
> > -rw-r--r-- 1 nobody nobody 61 Apr 10 14:40 oinkmaster-modify-sids.conf
> > -rw-r--r-- 1 root root 0 Apr 10 14:54 oinkmaster-provider-includes.conf
> > -rw-r--r-- 1 nobody nobody 55 Apr 10 22:47 providers-settings
> > -rw-r--r-- 1 root root 6.0K Apr 5 07:13 ruleset-sources
> > -rw-r--r-- 1 nobody nobody 102 Apr 10 14:54 settings
> > -rw-r--r-- 1 nobody nobody 140 Apr 10 22:41 suricata-dns-servers.yaml
> > -rw-r--r-- 1 nobody nobody 125 Apr 10 14:54 suricata-emerging-used-rulefiles.yaml
> > -rw-r--r-- 1 nobody nobody 159 Apr 10 22:41 suricata-homenet.yaml
> > -rw-r--r-- 1 nobody nobody 98 Apr 10 14:40 suricata-http-ports.yaml
> > -rw-r--r-- 1 nobody nobody 95 Apr 10 14:54 suricata-static-included-rulefiles.yaml
> > -rw-r--r-- 1 nobody nobody 76 Apr 10 22:47 suricata-urlhaus-used-rulefiles.yaml
> > -rw-r--r-- 1 nobody nobody 214 Apr 10 14:54 suricata-used-providers.yaml
> >
> > Three of the files are owned root:root while all the others are
> > nobody:nobody
> >
> >
> > The above was with extracting and applying the updated tar file on
> > top of IPFire after running the last version.
> >
> > I will do a fresh clone of my IPFire vm and then repeat the tar
> > extraction and convert and see if that gives any difference.
> >
> >
> > Regards,
> >
> > Adolf
> >
> > On 10/04/2021 20:25, Stefan Schantl wrote:
> > > Hello list followers,
> > >
> > > after getting a lot of feedback and bug reports I'm happy to
> > > announce the third test version for the new IDS system.
> > >
> > > https://people.ipfire.org/~stevee/ids-multiple-providers/ids-multiple-providers-003.tar.gz
> > >
> > > If you just join testing, please omit the installation
> > > instructions from the initial mail from this list.
> > >
> > > The converter script now works as expected and runs very smoothly.
> > >
> > > As usual please post your feedback and opinions to this list and
> > > any remaining bugs to our bugtracker. (https://bugzilla.ipfire.org)
> > >
> > > A big thanks in advance,
> > >
> > > -Stefan
> > >
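
The ownership mismatch described in the quoted report (three files owned by root:root in a directory otherwise owned by nobody:nobody, with "Permission denied" on one of them) can be checked with a short script. This is an added example, not part of the thread or IPFire's own code; the function name `audit_owner` is hypothetical, it assumes GNU `stat`, and the thread does not say which files are meant to stay root-owned.

```shell
#!/bin/sh
# Added example: list regular files in a configuration directory whose owner
# differs from the account the web UI runs as (assumed to be "nobody" here,
# based on the directory listing quoted in the thread).

# audit_owner DIR EXPECTED_USER
# Prints "owner:group mode path" for each regular file in DIR that is not
# owned by EXPECTED_USER. Returns 0 if every file matches, 1 otherwise.
audit_owner() {
    dir=$1
    expected=$2
    mismatches=0
    for f in "$dir"/*; do
        # Skip directories, sockets, and the unexpanded glob of an empty dir.
        [ -f "$f" ] || continue
        owner=$(stat -c '%U' "$f") || continue
        if [ "$owner" != "$expected" ]; then
            # Show owner, group and octal mode so the reader can judge
            # whether the file is deliberately read-only for the web UI.
            stat -c '%U:%G %a %n' "$f"
            mismatches=$((mismatches + 1))
        fi
    done
    [ "$mismatches" -eq 0 ]
}

# Example call, using the path and user from the listing in the thread:
#   audit_owner /var/ipfire/suricata nobody
```

A non-zero exit status means at least one file is owned by a different account; whether that is a fault depends on whether the web UI needs to write to that file.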