I enabled IPS and chose a ruleset provider without any real knowledge of which to pick. After I read up I decided to change it.
First, I tried to add the one I chose but that resulted in a blank page…
I logged in in another browser window and I tried to delete the existing one, and got the same result.
Anyone know what’s going on? I did see an earlier post on this, but my scenario is a bit different… IPS is up and running, I just wanted to change the ruleset. I can see that deleting the only ruleset may be a problem, but if that is the case, the web interface should provide feedback. Either an error page explaining that you have to have at least one active ruleset, or at least a grayed out delete button with a mouseover explanation.
In any case, a blank page is never an acceptable way to respond to a user’s mistake.
This shouldn’t be happening and suggests something has got corrupted or there is a bug of some sort.
To investigate that we need some more information.
Which ruleset provider did you select first…
Did you get a blank page when you tried to select a provider or did the blank page show up when you pressed the “Customize ruleset” button?
With enough detail we can then try and duplicate what you did and if it is a structural bug in IPFire we will end up with the same result. If it turns out not to be reproducible then it suggests some other issue occurred causing a corruption or something.
I just deleted both the ruleset providers from my IPS and did not end up with a blank page. I ended up with
Okay, you basically have the same as me, with the only difference being that you have selected the abuse.ch provider first followed by the Emerging Threats Community provider, while my setup was with Emerging Threats first followed by abuse.ch.
then pressed Add and got a screen with a message saying Applying selections. The screen was present for a short enough time that I could not take a screenshot, but after that screen it went straight to
Are there any additional lines before or after the one you have written that might give some more detail?
If that is the only line related to this then it is basically saying that IPFire tried to open the file /var/ipfire/suricata/providers-settings and it was unable to do so. I checked the code for that section of general-functions and that fail message at that line only occurs if it is unable to open that file, which should not be a problem normally. Something looks to have got corrupted.
From your earlier photo of the directory listing, providers-settings has the right ownership and permissions - nobody:nobody and 644.
If the file can’t be opened then there must be some other problem, such as an immutable bit or other extended attribute having been set.
What do you get if you run lsattr /var/ipfire/suricata/
Also if you run nano /var/ipfire/suricata/providers-settings
at the bottom of the edit window? I got this to show by running the command as an unprivileged user.
These might still open successfully because you are doing it as root rather than as nobody but it would be good to have it confirmed.
That means that no extended attributes have been set for the file.
If you opened the file as root then the unwritable message means that root is not allowed to write to that file, which should not happen.
Just to confirm, you are accessing the console commands as root and not as some unprivileged user?
Somewhere in your installation some permissions or ownerships have got corrupted to cause this to happen for root.
Please provide the outputs for the following commands
ls -hal /var/ipfire/general-functions.pl
ls -hal /var/ipfire/ids-functions.pl
Also run touch /var/ipfire/suricata/testing
which will create an empty file in that directory called testing and owned by root. Then try and open that file with nano and see if it shows the unwritable message or not.
Could you also show the results from ls -hal /srv/web/ipfire/cgi-bin/ids.cgi
The touch command came back saying that you have a read-only file system. That means that the whole root filesystem can only be read and nothing can be written to it so any write attempt by any page of the IPFire WUI (Web User Interface) would fail.
If I remember correctly from other posts you have done a fresh install of IPFire.
Either something crashed during the install, but then I would expect you would have seen some sort of error message during the installation, or you have had some hardware problem that has caused the kernel to put the partition into a safe read-only mode.
I would suggest that you do a fresh install and see if everything works okay then.
In a separate message you also asked
The driver for that hardware is included in the kernel since kernel 3.17 and we are now on kernel 6.1.61 and it is installed in the IPFire system. It is not loaded by default, as not everyone needs to have it loaded, but the kernel should automatically load it when the hardware is detected.
It could be that the hardware is not flagging itself correctly to IPFire during the install.
The only way to change the driver to be installed by default is to build a complete IPFire yourself with the changes to the kernel to load that driver by default.
If you want to use raid then I would suggest connecting your disk drives to the normal drive connectors on the motherboard. Then when you run the installation the drives will be seen and you can select the two drives and IPFire will create a software raid system for you. https://www.ipfire.org/docs/installation/step3#raid-array-installation.
@bonnietwin
I also get a blank page no matter what I change and save, but the changes are taken over. I just have to load another cgi page first, then I can use ids.cgi again.
I can add a new provider, I can customize the ruleset, but if I press save --> blank page.
I have tried the given commands, but there seems to be no error, here are some examples:
]# ls -hal /var/ipfire/suricata/
total 76K
drwxr-xr-x 2 nobody nobody 4.0K Dec 30 15:25 .
drwxr-xr-x 56 root root 4.0K Dec 22 14:57 ..
-rw-r--r-- 1 nobody nobody 34 Dec 30 15:29 community-used-rulesfiles
-rw-r--r-- 1 nobody nobody 121 Jan 12 09:23 etags
-rw-r--r-- 1 nobody nobody 0 Nov 24 22:11 ignored
-rw-r--r-- 1 nobody nobody 129 May 2 2022 oinkmaster-provider-includes.conf
-rw-r--r-- 1 nobody nobody 37 Dec 30 15:29 oisf_trafficid-used-rulesfiles
-rw-r--r-- 1 nobody nobody 177 Dec 30 15:25 providers-settings
-rw-r--r-- 1 root root 5.4K Aug 4 13:35 ruleset-sources
-rw-r--r-- 1 nobody nobody 52 Jan 15 21:57 settings
-rw-r--r-- 1 nobody nobody 15 Dec 30 15:29 subscripted-modifications
-rw-r--r-- 1 nobody nobody 2.5K Dec 30 15:29 subscripted-used-rulesfiles
-rw-r--r-- 1 nobody nobody 166 Jan 15 21:57 suricata-dns-servers.yaml
-rw-r--r-- 1 nobody nobody 152 Jan 15 21:57 suricata-homenet.yaml
-rw-r--r-- 1 nobody nobody 102 Jan 15 21:57 suricata-http-ports.yaml
-rw-r--r-- 1 nobody nobody 142 Apr 7 2023 suricata-service-ports.yaml
-rw-r--r-- 1 nobody nobody 4.6K Dec 30 15:29 suricata-used-rulesfiles.yaml
-rw-r--r-- 1 nobody nobody 29 Dec 30 15:29 tgreen-used-rulesfiles
I had no crash during install, but a kernel error with wrong CPU settings freezes my IPFire and I had an error in the file system after reboot, but it could be repaired and has now been checked for the second time on booting.
This is causing the problem you are experiencing. Your copy of ids.cgi is trying to run the subroutine IDS::generate_service_ports_file at line 588 but that subroutine does not exist in ids.cgi or anywhere else in IPFire.
In ids.cgi line 588 should be
if(&IDS::ids_is_running()) {
so it looks like you have a modified ids.cgi file running on your system.
Where can I get a correct copy of ids.cgi and how do I get it integrated into the system?
Edit:
I did the edit of ids.cgi here → Tor and IPS conflict --SURICATA Rulset where does it come from? - #18 by stevee
but the original is gone and the patched one gives me a cleaner ips log.
Edit2:
After some research in the mailing list, I found an updated tar file.
After installing this second patch, the ids.cgi page saves like it should.
Thank you for the hint @bonnietwin
I did a fresh install from the latest ISO download and everything is working as expected. Thank you very very much for all your help! Your support is better than Microsoft!
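The checks this thread walks through (ownership and mode, extended attributes, then a read-only root filesystem) can be scripted so that the read-only mount is caught first. This is an added example, not part of the original posts and not IPFire's own code; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass.
# The root line shows what the kernel reports after remounting / read-only on an error.
SAMPLE_MOUNTS='/dev/sda3 / ext4 ro,relatime,errors=remount-ro 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
/dev/sda4 /var/log ext4 rw,relatime 0 0
tmpfs /var/ipfire-tmp tmpfs rw 0 0'

# mount_for_path MOUNTS PATH
# Prints "mountpoint options" for the filesystem that holds PATH: the longest
# mount point that equals PATH or is a directory prefix of it. Mount points
# containing spaces (escaped as \040 in /proc/mounts) are not handled here.
mount_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # >= so a later mount stacked on the same point wins
                if (length(mp) >= best_len) { best_len = length(mp); best = mp " " $4 }
            }
        }
        END { if (best != "") print best }'
}

# is_read_only MOUNTS PATH: succeeds if the filesystem holding PATH is mounted ro.
is_read_only() {
    opts=$(mount_for_path "$1" "$2" | awk '{print $2}')
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# diagnose PATH: run the checks against the live system, read-only mount first.
diagnose() {
    mounts=$(cat /proc/mounts)
    if is_read_only "$mounts" "$1"; then
        echo "read-only filesystem: $(mount_for_path "$mounts" "$1")"
        return 2
    fi
    ls -ld "$1"                  # ownership and mode (thread expects nobody:nobody, 644)
    lsattr -d "$1" 2>/dev/null   # immutable bit or other extended attributes
}

# Run against a real path only when one is given on the command line.
if [ "$#" -gt 0 ]; then diagnose "$1"; fi
```

Called as `sh check.sh /var/ipfire/suricata/providers-settings` (the script name is an assumption), it reports a read-only mount before the permission checks.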