I didn’t find any way to activate the Intrusion Prevention System (IPS) on IPFire 2.27. Here is a picture:
If I try to choose a ruleset, nothing happens. Who could help?
Have you tried to add a provider first?
Eventually select one of the Community Rulesets and download the rules.
After that restart the IDS.
Silvio
A quick look into the source of the page showed that you really can start IPS only with a provider selected.
The additional entries shown in the wiki are displayed with a selected ruleset only.
Yes, I tried to add a provider. After clicking “add” I see an empty white screen. But nothing happens.
Are there any messages in /var/log/httpd/error_log or /var/log/messages ?
I just tried to reproduce your situation.
Only difference: I had a ruleset already. But a manual update went through also.
I had exactly the same problem as the OP: when I try to add an IPS Provider, after clicking the “add” button, I get a white screen.
Following @bbitsch's suggestion, I checked in /var/log/httpd/error_log and found the following:
[Fri Jun 10 11:12:22.644834 2022] [core:notice] [pid 16552:tid 129761122461568] AH00094: Command line: '/usr/sbin/httpd'
Unable to write to file /var/ipfire/suricata/providers-settings at /var/ipfire/general-functions.pl line 902.
Unable to write to file /var/ipfire/suricata/providers-settings at /var/ipfire/general-functions.pl line 902.
I had tried twice, with two different providers which probably explains the repeated error messages.
TIA
Googling the error message took me to this thread:
https://community.ipfire.org/t/ipfire-167-no-ruleset/7839 which had a slightly different problem, but the cause seems to have been the same.
It appears the wrong owner/group have been set for the file /var/ipfire/suricata/providers-settings. On my system they were root:root when they should have been nobody:nobody
Running the following command from the SSH console logged in to my firewall fixed the problem for me:
chown nobody:nobody /var/ipfire/suricata/providers-settings
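
A read-only ownership check for the file discussed in this thread, as an added example that is not part of any post above. The function names are hypothetical, and it assumes GNU stat as found on Linux; the path and the nobody:nobody owner are the ones given in the thread.

```shell
#!/bin/sh
# Added example: verify owner:group of the IPS provider settings file
# before and after running chown. Nothing is modified.
# Path and expected owner are taken from the thread; override via environment.
EXPECTED_OWNER="${EXPECTED_OWNER:-nobody:nobody}"
SETTINGS_FILE="${SETTINGS_FILE:-/var/ipfire/suricata/providers-settings}"

# Print "user:group" for a file (assumes GNU stat).
owner_of() {
    stat -c '%U:%G' -- "$1"
}

# Return 0 if file $1 is owned by $2, 1 on mismatch, 2 if the file is missing.
check_owner() {
    [ -e "$1" ] || return 2
    [ "$(owner_of "$1")" = "$2" ]
}

# Print one status line per file; return 1 if any file is missing or mismatched.
# Usage: audit_owner EXPECTED_OWNER FILE...
audit_owner() {
    expected="$1"; shift
    bad=0
    for f in "$@"; do
        rc=0
        check_owner "$f" "$expected" || rc=$?
        case "$rc" in
            0) echo "OK       $f ($expected)" ;;
            2) echo "MISSING  $f"; bad=1 ;;
            *) echo "MISMATCH $f is $(owner_of "$f"), expected $expected"; bad=1 ;;
        esac
    done
    return "$bad"
}

# When called with file arguments, audit those; with "--default", audit the
# settings file named in the thread.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--default" ]; then set -- "$SETTINGS_FILE"; fi
    audit_owner "$EXPECTED_OWNER" "$@"
fi
```

A MISMATCH line showing root:root for providers-settings corresponds to the "Unable to write to file" entries in the httpd error log quoted above.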