Hello Development Team and list followers,
there are a lot of different vendors out there which offers different IDS rules for suricata. Some of them offers a complete set of rules and other ones some very specialized rules for different tasks.
Unfortunately it only was possible to select only one ruleset provider at the same time, so it usually wasn't an option to use one of them and keep a lot of traffic uninspected by the IDS.
Today I'm very happy to announce a testing version of a reworked Intrusion Detection System which supports the usage of multiple different providers and rulesets at the same time.
In total up to 15 different ruleset providers now can be used and mixed together to fit your personal requirements. They easily can be managed and configured via the WUI. Of course each one individually can be disabled or re-enabled at each time.
The section for customizing the entire ruleset has been moved to a subpage, which allows to enable a certain amount of ruleset files or enabling / disabling single rules inside them.
This helps to speed up the CGI if you want to mange your whitelist, manage your ruleset providers or change basic settings of your IDS.
If you liked this short introduction, please help us testing to get this cool stuff as soon as possible into the core distribution and to find bugs or other improvements.
The test versions and some screenshots can be found here:
https://people.ipfire.org/~stevee/ids-multiple-providers/
To join testing, please download the latest tarball and place it on your IPFire test machine.
Execute the archive by using "tar -xvf ids-multiple-providers- XXX.tar.gz - C /" on your local console or via SSH remote session.
The next steps would be to regenerate the language cache by executing "update-langs-cache" and to launch "convert-ids-multiple-providers".
The converter will convert all your existing settings into the new format and also will take care about your used rules and their settings.
As usual, please report back any kind of feedback on this list and submit any found bugs to our bugtracker (https://bugs.ipfire.org).
Thanks in advance,
-Stefan