Enabling Talos IPS rules cause trouble after upgrading to Core Update 164

Just gzip it and upload it here. It should be small enough then.

Here we go:

fast.log.tar.gz (1.2 MB)


I had the best idea in the morning to update during work. The UI died quite soon during the update; I checked from the terminal that a reboot was required, but reboots did not help.

Recovered from fresh backup ISO (finally got disaster recovery tested).

I have IPS in use also.

Meanwhile I wiped and reinstalled Core Update 163. Thanks to the team that a backup of the system is made just before any upgrade. That really helps.

Interesting that disabling the “registered-malware-cnc.rules” did not help for all. Maybe there are multiple simultaneous errors with IPFire DNS handling and the IDS rule set?

Meanwhile I dug a bit deeper into disabling individual rules. By unchecking only these rules in the “registered-malware-cnc.rules” set my system is still running:

  • “MALWARE-CNC FF-RAT outbound connection attempt” (there are 4 rules with exactly this name)
  • “MALWARE-CNC TRUFFLEHUNTER SFVRT-1045 attack attempt” (there are 3 rules with exactly this name)

As far as I found these are the only rules which have multiple identical names. Maybe that causes the trouble?

EDIT: Sorry, I was a bit fast. After running several minutes, my web-GUI stopped again when only these few rules were disabled. Will continue to check…

I also ran into similar problems after updating to ver. 164.

However, I still had access to the webgui with some issues:

  • System->Home took 4-5 minutes to load
  • Network->Domain Name System took 10 minutes+ (using UDP protocol) - and “Check DNS Server” never completed. *)

I still had internet access - but very slow. Some sites worked - others timed out.

The new Firewall function “Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.)” is not activated.

I was just about to restore to my 163 backup, but opening a SSH session to my IPFire I noticed that speedtest would time out.

I then looked at this community stream and first tried disabling all IPS rulesets.
But that made no difference.
I then disabled IPS and now speedtest worked, internet access was back to normal and the IPFire web GUI had no delays.

I’ve had a look at my /var/log/suricata/fast.log file.
And up until the point where I disabled IPS it looked “the same” as the file already uploaded here by Mike 175de.

*)
“Use ISP-assigned DNS servers” unchecked
ISP DNS servers added manually along with DNS’ at Google Public Free DNS, Lightning Wire Labs Germany and Censurfridns.dk

Perhaps the storm of IPS events could be related to: Bug 12794

Just to help finding the problem: I upgraded to 164 12 hours ago and I have no problems. I have activated Intrusion Prevention on RED and GREEN and set the ruleset to “Snort/VRT GPLv2 community ruleset”. Web GUI works fine, speed is very good.


I just tried “Snort/VRT GPLv2 community ruleset” and – as with @alain – it worked just fine. I then switched to the “Talos VRT rules for Registered user” – this resulted in the storm of IPS events as seen by others above.

I can confirm that switching to another Snort ruleset indeed solves the problem. Also with the Spamhaus firewall option.

Greets

I can confirm the problem (the IPS event storm) still exists when using either:

  • Talos VRT rules for registered user
  • Talos VRT rules with subscription

Edit: When running with c164

I run cu163 with rules from Talos and ET at the same time (I have a custom script that downloads both and activates all).
Firewall drop XD also activated

No problems here.

Yep, no problem with c163 – the wheels fall off the Talos VRT Talos Registered/Subscribed rulesets with c164. See Bug 12794


Confirmed that running Talos Registered or Subscribed rulesets crashes the web GUI and causes internet loss and being unable to log into the firewall even via SSH. Switching to the Snort/VRT GPLv2 community ruleset restores function to the firewall system.


Unfortunately I didn’t check the forums here before upgrading to 164 last night. I had Talos Registered enabled and had the same loss of GUI and internet. I reinstalled from scratch, restored backup, got back to the GUI, then lost it again. Reinstalled again. :slight_smile: This time after restoring my backup, I went through and disabled IPS (still ignorant of the issue, it seemed like a good thing to try). I wasn’t thrilled about driving into work on a Sunday night, but it happens.

One tip: If you tick the Monitor Traffic Only box, you can keep any ruleset enabled and watch the hundreds of thousands of IPS hits flow in. At least this way you can see which ones are predominantly activating and on which systems.

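The “Monitor Traffic Only” tip above works, but with hundreds of thousands of hits the web GUI is a slow way to find out which signatures and which hosts dominate. The following script is an added example (not code from the thread or from the IPFire project): it parses Suricata's `/var/log/suricata/fast.log` format, counts alerts per signature name, per SID and per source/destination host, flags seconds in which the alert rate bursts (an “event storm”), and lists signature names that are shared by several SIDs, as observed for the FF-RAT and TRUFFLEHUNTER rules earlier in this thread. The embedded log lines and the SIDs `9000001`-`9000004` are constructed placeholders, not real Talos rules.

```python
import re
import sys
from collections import Counter, defaultdict

# One alert line as written by Suricata's "fast" output:
#   <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# The Classification field is absent when a rule has no classtype.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Suricata only appends ":port" for protocols that carry ports.
PORTED_PROTOS = {"TCP", "UDP", "SCTP"}

# Constructed sample input (placeholder SIDs; not real rule ids).
SAMPLE_FAST_LOG = """\
02/21/2022-08:12:01.000001  [**] [1:9000001:1] MALWARE-CNC FF-RAT outbound connection attempt [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.10.21:51234 -> 203.0.113.5:443
02/21/2022-08:12:01.000002  [**] [1:9000002:1] MALWARE-CNC FF-RAT outbound connection attempt [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.10.21:51235 -> 203.0.113.5:443
02/21/2022-08:12:01.000003  [**] [1:9000003:1] MALWARE-CNC TRUFFLEHUNTER SFVRT-1045 attack attempt [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 192.168.10.40:53412 -> 198.51.100.9:53
02/21/2022-08:12:01.000004  [**] [1:9000001:1] MALWARE-CNC FF-RAT outbound connection attempt [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.10.21:51236 -> 203.0.113.5:443
02/21/2022-08:12:02.000005  [**] [1:9000004:1] CONSTRUCTED TEST ICMP alert without classtype [**] [Priority: 3] {ICMP} 192.168.10.7 -> 192.168.10.1
this line is not an alert and must be skipped
"""


def _split_endpoint(endpoint, proto):
    """Return (host, port-or-None); rpartition keeps IPv6 hosts intact."""
    if proto in PORTED_PROTOS:
        host, _, port = endpoint.rpartition(":")
        return host, int(port)
    return endpoint, None


def parse_fast_log(text):
    """Parse fast.log text into a list of alert dicts, skipping non-alert lines."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["src"], e["sport"] = _split_endpoint(e["src"], e["proto"])
        e["dst"], e["dport"] = _split_endpoint(e["dst"], e["proto"])
        e["prio"] = int(e["prio"])
        events.append(e)
    return events


def summarize(events):
    """Counters that answer 'which rules fire most, from and to which hosts?'"""
    return {
        "by_msg": Counter(e["msg"] for e in events),
        "by_sid": Counter(f"{e['gid']}:{e['sid']}" for e in events),
        "by_src": Counter(e["src"] for e in events),
        "by_dst": Counter(e["dst"] for e in events),
    }


def sids_sharing_a_name(events):
    """Signature names used by more than one SID (counting by name alone hides this)."""
    names = defaultdict(set)
    for e in events:
        names[e["msg"]].add(f"{e['gid']}:{e['sid']}")
    return {msg: sorted(s) for msg, s in names.items() if len(s) > 1}


def storm_seconds(events, threshold):
    """Seconds (timestamp without microseconds) whose alert count exceeds threshold."""
    per_second = Counter(e["ts"].split(".")[0] for e in events)
    return sorted(ts for ts, n in per_second.items() if n > threshold)


if __name__ == "__main__":
    # Usage: python fastlog_summary.py /var/log/suricata/fast.log  (default: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FAST_LOG
    evs = parse_fast_log(text)
    s = summarize(evs)
    print(f"{len(evs)} alerts")
    for key in ("by_msg", "by_sid", "by_src", "by_dst"):
        print(f"-- top {key}:", s[key].most_common(5))
    print("-- names shared by several SIDs:", sids_sharing_a_name(evs))
    print("-- storm seconds (>1000 alerts/s):", storm_seconds(evs, 1000))
```

Run it against a copied fast.log rather than the live file on a box that is already struggling; the per-second view tells you whether the problem is a flood of one signature or a general rate problem, and the per-SID view shows which of several same-named rules actually fires.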

Hello,

I’m very sorry about those IDS troubles introduced with C164.

New installations of C164 are not affected and most of these issues appear when using the Talos rulesets (registered and/or subscribed) - so currently please do not use/disable these providers on updated systems.

Another problem affects the automatic update mechanism. For an unknown reason the new update script is not packed in the C164 update. So the old one from C163 or even older will fail and leaves the IDS in a locked and unusable state. To work around this issue please switch the “Automatic Rule Update” to “Disabled” for the moment.

All of these issues are already fixed and shipped with C165. We are looking forward to releasing this as fast as possible.

Best regards,

-Stefan


Great!
Humble question:
A hint about estimated release plans would help for local planning / decision making:
“Stay” or “Go” (with latest Testing iso from master).
Thanks a lot @ Kind regards!

Hi,

initially, we planned to release Core Update 165 later this week.

On my testing machine, I spotted a couple of issues with that update, and some of them are not yet solved or their root cause is still to be investigated. Therefore, I currently doubt the above ETA is realistic. :expressionless:

Thanks, and best regards,
Peter Müller
