Re: IDS with support for multiple ruleset providers

[Adolf Belka <adolf.belka@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3836 bytes --]

Hi Stefan,

I tested this on my vm testbed.

On 09/04/2021 21:27, Stefan Schantl wrote:
> Hello Development Team and list followers,
>
> there are a lot of different vendors out there which offers different
> IDS rules for suricata. Some of them offers a complete set of rules and
> other ones some very specialized rules for different tasks.
>
> Unfortunately it only was possible to select only one ruleset provider
> at the same time, so it usually wasn't an option to use one of them and
> keep a lot of traffic uninspected by the IDS.
>
> Today I'm very happy to announce a testing version of a reworked
> Intrusion Detection System which supports the usage of multiple
> different providers and rulesets at the same time.
>
> In total up to 15 different ruleset providers now can be used and mixed
> together to fit your personal requirements. They easily can be managed
> and configured via the WUI. Of course each one individually can be
> disabled or re-enabled at each time.
>
> The section for customizing the entire ruleset has been moved to a
> subpage, which allows to enable a certain amount of ruleset files or
> enabling / disabling single rules inside them.
>
> This helps to speed up the CGI if you want to mange your whitelist,
> manage your ruleset providers or change basic settings of your IDS.
>
> If you liked this short introduction, please help us testing to get
> this cool stuff as soon as possible into the core distribution and to
> find bugs or other improvements.
>
> The test versions and some screenshots can be found here:
>
> https://people.ipfire.org/~stevee/ids-multiple-providers/
>
> To join testing, please download the latest tarball and place it on
> your IPFire test machine.
>
> Execute the archive by using "tar -xvf ids-multiple-providers-
> XXX.tar.gz - C /" on your local console or via SSH remote session.
> bash: /usr/sbin/convert-ids-multiple-providers: Permission denied
Extracting the archive worked with no problems.
> The next steps would be to regenerate the language cache by executing
> "update-langs-cache" and to launch "convert-ids-multiple-providers".

update-lang-cache worked fine. When tried to run convert-ids-multiple-providers I got the message

bash: /usr/sbin/convert-ids-multiple-providers: Permission denied

I was running the command as root so I checked the file and it was not set as executable. I changed this and it then ran but came back with the following error message

Can't locate /var/ipfire/ids-functions.pl1 at /usr/sbin/convert-ids-multiple-providers line 25

I edited the .pl1 to .pl and re-ran the converter and it completed without any further error message.


I then had the new WUI IDS page.


I selected an additional provider, OISF, and it was added to the list of providers. I then selected customise rules and I selected the oisf ruleset and pressed apply. I just got a white screen with nothing happening. I then reloaded IPFire in the browser again and OISF provider was still listed but on the rules page it was not selected. Tried again and same thing happened. I then pressed the delete button to remove the OISF provider from the list and I get the message "The ruleset changes are being applied. Please wait until all opersations have completed successfully..." That message has not changed since I started writing this email. I then reloaded IPFire in the browser and OISF had been removed from the list.


Regards,

Adolf

> The converter will convert all your existing settings into the new
> format and also will take care about your used rules and their
> settings.
>
> As usual, please report back any kind of feedback on this list and
> submit any found bugs to our bugtracker (https://bugs.ipfire.org).
>
> Thanks in advance,
>
> -Stefan
>
>