I don’t know the location of this file offhand. However, the problem is solved, and that’s why I don’t think the file is still incorrect.
I only use the “Emergingthreats.net Community-Regelsatz”.
That was the point. I’ve created a standard configuration for IPFire that is restored (as a backup) on new installations. I did the same with this new setup. IPS is enabled on red with this ruleset. When I restored my default config, the ruleset was there and checked as active. But Suricata came up with this error. So I removed and added the ruleset multiple times, but never checked the rules within this ruleset. However, even though it was checked as active, the ruleset was empty. So I checked and unchecked the ruleset. After that the rules appeared, but were not checked as they were supposed to be (in the backup). I checked some rules and restarted Suricata.
Tataa! Now it works again. So something went wrong with the restore of the backup for Suricata, or there’s something wrong with the restoration of Suricata in principle. That checkbox issue is not new to me. I’ve encountered that problem in the past with the web proxy. However, in the meantime this has been fixed.
I’m still getting warnings as in previous builds, so nothing new, but I still wonder, and since it looks like I don’t speak the programmers’ language, I have no idea what that’s supposed to mean and whether it’s important and should be checked/solved.
12:59:07 | suricata: | rule reload starting |
---|---|---|
12:59:07 | suricata: | Including configuration file /var/ipfire/suricata/suricata-homenet.yaml. |
12:59:07 | suricata: | Including configuration file /var/ipfire/suricata/suricata-dns-servers.yaml. |
12:59:07 | suricata: | Including configuration file /var/ipfire/suricata/suricata-http-ports.yaml. |
12:59:07 | suricata: | Including configuration file /var/ipfire/suricata/suricata-used-rulesfiles.yaml. |
12:59:14 | suricata: | 27 rule files processed. 11958 rules successfully loaded, 0 rules failed |
12:59:14 | suricata: | Threshold config parsed: 0 rule(s) found |
12:59:14 | suricata: | 11958 signatures processed. 1 are IP-only rules, 2041 are inspecting packet payload, 9720 inspect application layer, 105 are decoder event only |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘is_proto_irc’ is checked but not set. Checked in 2002029 and 4 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.javaclient.vulnerable’ is checked but not set. Checked in 2013036 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.ELFDownload’ is checked but not set. Checked in 2019896 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.DocVBAProject’ is checked but not set. Checked in 2020170 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.MSSQL’ is checked but not set. Checked in 2020569 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.wininet.UA’ is checked but not set. Checked in 2021312 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MS.XMLHTTP.ip.request’ is checked but not set. Checked in 2022050 and 1 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MS.XMLHTTP.no.exe.request’ is checked but not set. Checked in 2022053 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MCOFF’ is checked but not set. Checked in 2022303 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.MS.WinHttpRequest.no.exe.request’ is checked but not set. Checked in 2022653 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.binary’ is checked but not set. Checked in 2023741 and 2 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.armwget’ is checked but not set. Checked in 2024242 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘et.IE7.NoRef.NoCookie’ is checked but not set. Checked in 2023671 and 7 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.smb.binary’ is checked but not set. Checked in 2027402 and 4 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.Socks5.OnionReq’ is checked but not set. Checked in 2027704 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.http.javaclient’ is checked but not set. Checked in 2015657 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.autoit.ua’ is checked but not set. Checked in 2019165 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘min.gethttp’ is checked but not set. Checked in 2023711 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.tcpraw.png’ is checked but not set. Checked in 2035477 and 0 other sigs |
12:59:14 | suricata: | [ERRCODE: SC_WARN_FLOWBIT(306)] - flowbit ‘ET.telnet.busybox’ is checked but not set. Checked in 2023019 and 2 other sigs |
13:00:13 | suricata: | cleaning up signature grouping structure… complete |
13:00:13 | suricata: | rule reload complete |
13:00:13 | suricata: | Signature(s) loaded, Detect thread(s) activated. |
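
What the SC_WARN_FLOWBIT lines in the log above report, as an added example that is not part of the original post and is not Suricata's or IPFire's code: a loaded rule tests a flowbit with `isset` while no loaded rule sets that flowbit, for instance because the rule that sets it is disabled. The rules, SIDs and flowbit names below are constructed, and the matching is a simplified model of Suricata's check.

```python
import re

# Constructed sample rules (not taken from the ET ruleset). A leading '#'
# marks a disabled rule, which is not loaded.
SAMPLE_RULES = """\
# alert tcp any any -> any 6667 (msg:"constructed: mark IRC"; flowbits:set,demo.irc; flowbits:noalert; sid:9000001;)
alert tcp any any -> any any (msg:"constructed: IRC command"; flowbits:isset,demo.irc; sid:9000002;)
alert tcp any any -> any any (msg:"constructed: IRC command 2"; flowbits:isset,demo.irc; sid:9000003;)
alert http any any -> any any (msg:"constructed: mark download"; flowbits:set,demo.download; flowbits:noalert; sid:9000004;)
alert http any any -> any any (msg:"constructed: check download"; flowbits:isset,demo.download; sid:9000005;)
"""

# flowbits:<action>[,<name>[|<name>...]];   e.g. flowbits:isset,demo.irc;
FLOWBIT_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+))?;")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def unset_flowbits(rules_text):
    """Return {flowbit: [sids checking it]} for bits that no loaded rule sets."""
    setters, checkers = set(), {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled rule: contributes nothing
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        for action, names in FLOWBIT_RE.findall(line):
            if not names:
                continue  # e.g. flowbits:noalert carries no flowbit name
            for name in (n.strip() for n in names.split("|")):
                if action in ("set", "toggle"):
                    setters.add(name)
                elif action == "isset":
                    checkers.setdefault(name, []).append(sid)
    return {n: sids for n, sids in checkers.items() if n not in setters}


def format_warnings(result):
    """Render findings in the wording of the log lines above."""
    return [
        f"flowbit '{name}' is checked but not set. "
        f"Checked in {sids[0]} and {len(sids) - 1} other sigs"
        for name, sids in sorted(result.items())
    ]


if __name__ == "__main__":
    print("\n".join(format_warnings(unset_flowbits(SAMPLE_RULES))))
```
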