Since I updated to Core 169, Emerging Threats rules are not updating.
When I force an update I get an error at the top of the page.
Error messages
emerging - No update required - The ruleset is up to date.
IPFire 2.27 (x86_64) - Core Update 169
Using rules: ET Community, Abuse.ch SSLBL Blacklist Rules
These are the only errors I see in the System Log - IPS:
[ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
suricata: [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; app-layer-event:dnp3.flooded; classtype:protocol-command-decode; sid:2270000; rev:2;)" from file /usr/share/suricata/rules/dnp3-events.rules at line 7
suricata: [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "dnp3" cannot be used in a signature. Either detection for this protocol is not yet supported OR detection has been disabled for protocol through the yaml option app-layer.protocols.dnp3.detection-enabled
After I forced an update for the ET Community rules, I got around 30000 errors in the system log:
[ERRCODE: SC_ERR_INVALID_SIGNATURE
or
[ERRCODE: SC_ERR_DUPLICATE_SIG(176)]
Automatic or forced update for the Abuse.ch SSL list seems to work fine.
That may be because there has been no update since 2022-07-20 23:57:47, which is the last update status I have for my system. What date do you have for your last update?
Abuse.ch was last updated on 2022-07-21 14:48:19
My CU169 was done back on July 12th so Emerging Threats has certainly been updated since then.
I suspect that there is no update since 21st July because Emerging Threats have not issued one.
Working OK here.
I upgraded several systems to C169 last week and IPS rules have updated normally several times.
Using ET Community Rules. Latest update on all is 2022-07-21 15:31:36 There is more log noise from Suricata default protocol rules since C169 as mentioned elsewhere.
Do you also see countless errors in the System log?
Abuse SSL list is updating fine; I removed it since.
The ET Community is more important, and I don’t see any updates in the log since around 2022-07-15.
The Proofpoint Emerging Threats link you have shows an update for 21st July. My last update was for 20th July, and that was updated on my system automatically yesterday at 23:31.
If your system is still at the version from 15th July then there is some problem with the update process.
In CU168 the update was changed from being daily or weekly, selected by the user, to being checked twice per day with a process to see if the file had changed. If not, then no update is done.
This check is in the fcrontab.
If you run fcrontab -e
from the console command line, then you should find the following at lines 65 & 66:
# Perform a surciata rules update every 12 hours.
@ 12h [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1
As long as red is active this will run the update-ids-ruleset script.
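As an added illustration of the "only update when the downloaded file has changed" check described above, not IPFire's own update-ids-ruleset script: the comparison is modelled here with a stored SHA-256 digest of the last installed archive (an assumption; the page does not show how the real script detects a change), and the red-active flag, state file and archive paths are constructed for the example.

```shell
#!/bin/sh
# Scratch directory standing in for IPFire's state area (constructed, not a real path).
WORKDIR="${WORKDIR:-$(mktemp -d)}"
STATEFILE="$WORKDIR/ruleset.sha256"

# Digest of a file; sha256sum is the usual coreutils tool, shasum is the fallback.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 and record the new digest if the archive differs from the one installed
# last time, 1 if it is unchanged, 2 if the archive is missing.
ruleset_changed() {
    archive="$1"
    [ -f "$archive" ] || return 2
    new=$(file_digest "$archive")
    old=""
    if [ -f "$STATEFILE" ]; then
        old=$(cat "$STATEFILE")
    fi
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$STATEFILE"
    return 0
}

# Mirrors the fcrontab line: do nothing unless red is active (a flag file here),
# then rebuild only when the downloaded archive actually changed.
update_ids_ruleset() {
    active_flag="$1"; archive="$2"
    [ -f "$active_flag" ] || { echo "red not active - skipping"; return 3; }
    if ruleset_changed "$archive"; then
        echo "ruleset changed - rebuilding rules"
        return 0
    fi
    echo "No update required - The ruleset is up to date."
    return 1
}
```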