IPS Controls Disappeared

I changed the IPS settings to monitor only and all the other controls, etc. disappeared from the GUI and stopped the service. Not sure what happened. Restarting doesn’t help. Any ideas?

I’m still having trouble with getting IPS to work again. I was hoping the update would help me out, but that didn’t happen. When I turn the monitor traffic only option off (uncheck the button) to re-enable IPS, it breaks something. Even though IPFire says the daemon is running, all the rule categories and some of the other options disappear. The IPS logs are blank, and the system log isn’t any help either. If I load the last backup, the categories and options re-appear with the monitor traffic only button checked. I’m trying to avoid a complete re-install because I’m not sure the configuration backups I have aren’t just going to break it again. Any ideas?

Edit: I am able to use the Emerging Threats and Snort community rules. It’s the Talos registered ruleset that’s giving me trouble. I noticed that the free space left on the main partition is down to about 1GB, 82% full. Could that be the cause?

Hi,

thank you for bringing this up again.

Unfortunately, I am unable to reproduce this behaviour on an IPFire machine running Core Update 157, using IPS in combination with the Emerging Threats community ruleset.

To rule out any broken or changed CGI file, could you check whether ids.cgi on your system has the same checksum?

$ ssh root@maverick -C "sha256sum /srv/web/ipfire/cgi-bin/ids.cgi"
976cd0b6b5bfaa0070874350f1efe3639fd60091c5c0957b9799d02e513e1632  /srv/web/ipfire/cgi-bin/ids.cgi

Thanks, and best regards,
Peter Müller

I verified that the checksum matches. I can enable the Emergingthreats and Snort/VRT rulesets and those rules appear, but the Talos/VRT Registered rules still do not appear when I enable that ruleset. When I switch from another ruleset like Emergingthreats to Talos, the rules from the previous ruleset (i.e., Emergingthreats) persist. The Talos rules do not appear. If I reboot the firewall and leave it in that configuration (with the Talos ruleset enabled and the Emergingthreats rules displayed), the condition persists.

The other rulesets seem to work fine, so I can use those, but I prefer the Talos ruleset. Is there a way to reset or clear the rules?

Hi,

I suppose removing /var/ipfire/suricata/rules-settings should do the trick.

Either way, could you please file a bug at https://bugzilla.ipfire.org/ (your login credentials work there as well) for this so we won’t lose track of this again?

Thank you in advance, and best regards,
Peter Müller

Hi,

I just realized I have the same problem: IPS is not showing the correct control settings.
I’m running core161.
Would be nice if there is any update to this issue.
Cheers, Patrick

Problem found:
Dec 15 13:32:22 alixfw oinkmaster[21893]: Copying file from /var/tmp/idsrules.tar.gz…
Dec 15 13:32:22 alixfw oinkmaster[21893]: /usr/local/bin/oinkmaster.pl: Error: unable to copy /var/tmp/idsrules.tar.gz to /var/tmp/oinkmaster.ChXhrgIBg_/url.GiyPgWsaa9/snortrules.tar.gz: Permission denied
Solution:
/var/tmp/idsrules.tar.gz has the wrong permissions:
-rw------- 1 root root 7374848 Oct 23 18:08 idsrules.tar.gz
Remove /var/tmp/idsrules.tar.gz.
Choose the correct ruleset in the GUI and click save. >> Issue solved.

This sounds like a download that has crashed for some reason.

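The two causes raised in this thread (a cached tarball the updater cannot read, and a download that stopped partway) can be told apart with a short check. This is an added example, not part of the thread or IPFire's code. The numeric uid/gid of the account that runs the rule update is an assumption you supply, since the thread does not name it, and `stat -c` assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example, not IPFire code: triage a cached rules tarball.
# check_rules_tarball prints one of: missing | unreadable | corrupt | ok

# mode_allows_read FILE UID GID
# True when FILE's permission bits let the given numeric uid/gid read it.
mode_allows_read() {
    file=$1 uid=$2 gid=$3
    if [ "$uid" -eq 0 ]; then return 0; fi          # root bypasses mode bits
    perm=$((0$(stat -c '%a' "$file")))              # octal mode, e.g. 0600
    if [ "$uid" -eq "$(stat -c '%u' "$file")" ]; then
        bit=$((perm & 0400))                        # owner class
    elif [ "$gid" -eq "$(stat -c '%g' "$file")" ]; then
        bit=$((perm & 0040))                        # group class
    else
        bit=$((perm & 0004))                        # everyone else
    fi
    [ "$bit" -ne 0 ]
}

# check_rules_tarball FILE UID GID
# UID/GID: the account the rule update runs as (assumption, supplied by you).
check_rules_tarball() {
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    if ! mode_allows_read "$1" "$2" "$3"; then
        echo unreadable          # matches the "Permission denied" log line
        return 0
    fi
    if ! gzip -t "$1" 2>/dev/null; then
        echo corrupt             # truncated or aborted download
        return 0
    fi
    echo ok
}

# Usage on the firewall, run as root so gzip can read the file
# (UPDATER_UID and UPDATER_GID are placeholders for the updater account):
#   check_rules_tarball /var/tmp/idsrules.tar.gz "$UPDATER_UID" "$UPDATER_GID"
```

A result of `unreadable` or `corrupt` points to the fix given above: remove the cached file and save the ruleset selection again so it is downloaded fresh.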