IPS from WebUI, blank page of ruleset swi

I enabled IPS and chose a ruleset provider without any real knowledge of which to pick. After I read up I decided to change it.

First, I tried to add the one I chose but that resulted in a blank page…

I logged in in another browser window and I tried to delete the existing one, and got the same result.

Anyone know what’s going on? I did see an earlier post on this, but my scenario is a bit different… IPS is up and running, I just wanted to change the ruleset. I can see that deleting the only ruleset may be a problem, but if that is the case, the web interface should provide feedback. Either an error page explaining that you have to have at least one active ruleset, or at least a grayed out delete button with a mouseover explanation.

In any case, a blank page is never an acceptable way to respond to a user’s mistake.

This shouldn’t be happening and suggests something has got corrupted or there is a bug of some sort.

To investigate that we need some more information.

Which ruleset provider did you select first…

Did you get a blank page when you tried to select a provider or did the blank page show up when you pressed the “Customize ruleset” button?

With enough detail we can then try and duplicate what you did and if it is a structural bug in IPFire we will end up with the same result. If it turns out not to be reproducible then it suggests some other issue occurred causing a corruption or something.

I just deleted both the ruleset providers from my IPS and did not end up with a blank page. I ended up with


The IPS is shown with it shown to be running but no enable buttons present, so without any rulesets then no interfaces can be selected.

So you can definitely have the IPS page with no ruleset providers selected.

I then selected my two ruleset providers again and got the following


which is back to where I started with and without any blank page.

So at least with my two selected providers I could not reproduce your problem.

If we know the sequence of steps you took and with which provider(s) then they can be followed to see if that can reproduce your result.

2 Likes

Hello,

Thank you very much! I will post my steps with screenshots shortly.

Initial state:

Click Add Provider

Chose “EmergingThreats Community Rules”

Clicked “Add”

Blank screen results

Okay, you basically have the same as me, with the only difference being that you have selected the abuse.ch provider first followed by the Emerging Threats Community provider while my setup was with Emerging Threats first followed by abuse.ch.

I have followed your order and got the following.

then selected Add Provider

then selected Emerging threats community

then pressed Add and got a screen with a message saying Applying selections. The screen was present for a short enough time that I could not take a screenshot, but after that screen it went straight to

So I am not able to reproduce your problem by following your steps.

We need to look for some other information.

Can you show the results from running the following command from the console

ls -hal /var/ipfire/suricata/

This will show the files involved with the suricata IPS system and their ownerships and permissions to see if there is something incorrect with them.

Sorry for the late reply!

I will run that tomorrow afternoon (EST) and let you know.

Thanks again!

Scott

Got it done tonight… here is the output.

1 Like

All of that looks correct for an IPS with no providers chosen. The ownerships and permissions are all correct.

As the browser page goes blank, maybe we can see something from the logs.

Can you copy and paste the last section of the output of

less /var/log/httpd/error_log

I think the relevant error message from the log file is

Unable to write to file /var/ipfire/suricata/providers-settings at /var/ipfire/general-functions.pl line 928

Are there any additional lines before or after the one you have written that might give some more detail?

If that is the only line related to this then it is basically saying that IPFire tried to open the file /var/ipfire/suricata/providers-settings and it was unable to do so. I checked the code for that section of general-functions and that fail message at that line only occurs if it is unable to open that file, which should not be a problem normally. Something looks to have got corrupted.

From your earlier photo of the directory listing, providers-settings has the right ownership and permissions - nobody:nobody and 644.
If the file can’t be opened then there must be some other problem, such as an immutable bit or other extended attribute having been set.

What do you get if you run
lsattr /var/ipfire/suricata/

Also if you run
nano /var/ipfire/suricata/providers-settings

does the file open successfully?

If it opens do you have a message such as


at the bottom of the edit window? I got this to show by running the command as an unprivileged user.
These might still open successfully because you are doing it as root rather than as nobody but it would be good to have it confirmed.

lsattr yields all dashes except one e at position 15

The file opens with the same unwritable message you posted

That means that no extended attributes have been set for the file.

If you opened the file as root then the unwritable message means that root is not allowed to write to that file, which should not happen.

Just to confirm, you are accessing the console commands as root and not as some unprivileged user?

Somewhere in your installation some permissions or ownerships have got corrupted to cause this to happen for root.

Please provide the outputs for the following commands

ls -hal /var/ipfire/general-functions.pl
ls -hal /var/ipfire/ids-functions.pl

Also run
touch /var/ipfire/suricata/testing
which will create an empty file in that directory called testing and owned by root. Then try and open that file with nano and see if it shows the unwritable message or not.

Could you also show the results from
ls -hal /srv/web/ipfire/cgi-bin/ids.cgi

1 Like

I am running the commands on the console as root.

Did you see the DM I sent you?

I’ll run those commands in a bit

Thank you!

The touch command came back saying that you have a read-only file system. That means that the whole root filesystem can only be read and nothing can be written to it so any write attempt by any page of the IPFire WUI (Web User Interface) would fail.

If I remember correctly from other posts you have done a fresh install of IPFire.

Either something crashed during the install, but then I would expect you should have seen some sort of error message during the installation, or you have had some hardware problem that has caused the kernel to put the partition into a safe read-only mode.

I would suggest that you do a fresh install and see if everything works okay then.

In a separate message you also asked

The driver for that hardware is included in the kernel since kernel 3.17 and we are now on kernel 6.1.61 and it is installed in the IPFire system. It is not loaded by default, as not everyone needs to have it loaded, but the kernel should automatically load it when the hardware is detected.
It could be that the hardware is not flagging itself correctly to IPFire during the install.
The only way to change the driver to be installed by default is to build a complete IPFire yourself with the changes to the kernel to load that driver by default.

If you want to use raid then I would suggest connecting your disk drives to the normal drive connectors on the motherboard. Then when you run the installation the drives will be seen and you can select the two drives and IPFire will create a software raid system for you.
https://www.ipfire.org/docs/installation/step3#raid-array-installation.

3 Likes
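The read-only root filesystem found above with touch can also be read straight from the mount table. This is an added example, not part of the original post and not IPFire code; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IPFire code): find the mount holding a path and report
# whether it is read-only. Function names and sample data are constructed.

# mount_opts_for PATH [MOUNTS_FILE] -> "MOUNTPOINT OPTIONS" of the longest
# mount point that is a whole-component prefix of PATH (/proc/mounts format).
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                # ">=" lets a later entry for the same mount point win
                if (length(mp) >= best_len) { best_len = length(mp); best = mp " " $4 }
            }
        }
        END { if (best != "") print best }
    ' "${2:-/proc/mounts}"
}

# is_readonly PATH [MOUNTS_FILE]: exit 0 if that mount carries the "ro" option.
is_readonly() {
    opts=$(mount_opts_for "$1" "$2" | awk '{ print $2 }')
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed mount table: root read-only, /boot still writable.
sample_mounts() {
    cat <<'EOF'
/dev/sda3 / ext4 ro,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
EOF
}

# Demo on the constructed table; on a live system omit the second argument.
tmp=$(mktemp) && sample_mounts > "$tmp"
for f in /var/ipfire/suricata/providers-settings /boot/grub; do
    if is_readonly "$f" "$tmp"; then state="READ-ONLY"; else state="writable"; fi
    echo "$f: $state ($(mount_opts_for "$f" "$tmp"))"
done
rm -f "$tmp"
```

A correct owner and mode (nobody:nobody, 644) and a clean lsattr listing say nothing about the mount state, which is why the earlier checks in this thread all looked normal.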

Actually, I did the install off an ISO backup I created using the Web interface.

I will do a fresh install, thank you very much for all your help.

I put the RAID question in a PM because it was off-topic… thanks again for your help!

@bonnietwin
I also get a blank page no matter what I change and save, but the changes are taken over, I just have to load another cgi page before, then I can use ids.cgi again.
I can add a new provider, I can customize the ruleset, but if I press save --> blank page.

I have tried the given commands, but there seems to be no error, here are some examples:
]# ls -hal /var/ipfire/suricata/

total 76K
drwxr-xr-x 2 nobody nobody 4.0K Dec 30 15:25 .
drwxr-xr-x 56 root root 4.0K Dec 22 14:57 ..
-rw-r--r-- 1 nobody nobody 34 Dec 30 15:29 community-used-rulesfiles
-rw-r--r-- 1 nobody nobody 121 Jan 12 09:23 etags
-rw-r--r-- 1 nobody nobody 0 Nov 24 22:11 ignored
-rw-r--r-- 1 nobody nobody 129 May 2 2022 oinkmaster-provider-includes.conf
-rw-r--r-- 1 nobody nobody 37 Dec 30 15:29 oisf_trafficid-used-rulesfiles
-rw-r--r-- 1 nobody nobody 177 Dec 30 15:25 providers-settings
-rw-r--r-- 1 root root 5.4K Aug 4 13:35 ruleset-sources
-rw-r--r-- 1 nobody nobody 52 Jan 15 21:57 settings
-rw-r--r-- 1 nobody nobody 15 Dec 30 15:29 subscripted-modifications
-rw-r--r-- 1 nobody nobody 2.5K Dec 30 15:29 subscripted-used-rulesfiles
-rw-r--r-- 1 nobody nobody 166 Jan 15 21:57 suricata-dns-servers.yaml
-rw-r--r-- 1 nobody nobody 152 Jan 15 21:57 suricata-homenet.yaml
-rw-r--r-- 1 nobody nobody 102 Jan 15 21:57 suricata-http-ports.yaml
-rw-r--r-- 1 nobody nobody 142 Apr 7 2023 suricata-service-ports.yaml
-rw-r--r-- 1 nobody nobody 4.6K Dec 30 15:29 suricata-used-rulesfiles.yaml
-rw-r--r-- 1 nobody nobody 29 Dec 30 15:29 tgreen-used-rulesfiles

]#less /var/log/httpd/error_log #additional lines added

[Sun Jan 14 00:01:00.032460 2024] [mpm_event:notice] [pid 3305:tid 128462654075072] AH00489: Apache/2.4.58 (Unix) OpenSSL/3.1.4 configured -- resuming normal operations
[Sun Jan 14 00:01:00.032487 2024] [core:notice] [pid 3305:tid 128462654075072] AH00094: Command line: '/usr/sbin/httpd'
Error: ipv4: FIB table does not exist.
Undefined subroutine &IDS::generate_service_ports_file called at /srv/web/ipfire/cgi-bin/ids.cgi line 588.

]# lsattr /var/ipfire/suricata/

--------------e------- /var/ipfire/suricata/suricata-service-ports.yaml
--------------e------- /var/ipfire/suricata/providers-settings
--------------e------- /var/ipfire/suricata/suricata-dns-servers.yaml
--------------e------- /var/ipfire/suricata/ruleset-sources
--------------e------- /var/ipfire/suricata/settings
--------------e------- /var/ipfire/suricata/oisf_trafficid-used-rulesfiles
--------------e------- /var/ipfire/suricata/subscripted-modifications
--------------e------- /var/ipfire/suricata/ignored
--------------e------- /var/ipfire/suricata/suricata-http-ports.yaml
--------------e------- /var/ipfire/suricata/etags
--------------e------- /var/ipfire/suricata/community-used-rulesfiles
--------------e------- /var/ipfire/suricata/suricata-used-rulesfiles.yaml
--------------e------- /var/ipfire/suricata/suricata-homenet.yaml
--------------e------- /var/ipfire/suricata/subscripted-used-rulesfiles
--------------e------- /var/ipfire/suricata/tgreen-used-rulesfiles
--------------e------- /var/ipfire/suricata/oinkmaster-provider-includes.conf

Yes opened successfully

I had no crash during install, but a kernel error with wrong CPU settings freezes my IPFire and I had an error after reboot in the file system, but it could be repaired and was now checked for the second time while booting.

So what else can give a blank page of ips.cgi?

How should I proceed further?

This is causing the problem you are experiencing. Your copy of ids.cgi is trying to run the subroutine IDS::generate_service_ports_file at line 588 but that subroutine does not exist in ids.cgi or anywhere else in IPFire.

In ids.cgi line 588 should be

     if(&IDS::ids_is_running()) {

so it looks like you have a modified ids.cgi file running on your system.

The sha1sum of ids.cgi should be

751af55c30d317f51e0da268c3f503baccad39eb /srv/web/ipfire/cgi-bin/ids.cgi

If the sha1sum hash for the copy of ids.cgi on your system is different then your copy of ids.cgi has been modified.

1 Like
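Both error_log messages diagnosed in this thread follow Perl's "MESSAGE at FILE line N" form, so they can be pulled out of the Apache log mechanically and the named script then compared with its expected hash. This is an added example, not part of the original posts and not IPFire code; cgi_errors, sha1_matches and sample_log are hypothetical names, and the sample log reuses lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not IPFire code): list Perl CGI failures recorded in an Apache
# error_log and check a script against a known-good SHA-1.

# cgi_errors LOGFILE -> one "FILE:LINE<TAB>MESSAGE" per Perl die/warn record.
cgi_errors() {
    awk '
        /^\[/ { next }   # Apache records start with "[timestamp]"; skip them
        match($0, / at \/[^ ]+ line [0-9]+\.?$/) {
            msg = substr($0, 1, RSTART - 1)
            loc = substr($0, RSTART + 4)      # "FILE line N" after " at "
            sub(/\.$/, "", loc)
            split(loc, f, " line ")
            printf "%s:%s\t%s\n", f[1], f[2], msg
        }' "$1"
}

# sha1_matches FILE EXPECTED_HEX: exit 0 only if FILE hashes to EXPECTED_HEX.
sha1_matches() {
    actual=$(sha1sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# Sample input: log lines quoted in this thread.
sample_log() {
    cat <<'EOF'
[Sun Jan 14 00:01:00.032487 2024] [core:notice] [pid 3305:tid 128462654075072] AH00094: Command line: '/usr/sbin/httpd'
Error: ipv4: FIB table does not exist.
Undefined subroutine &IDS::generate_service_ports_file called at /srv/web/ipfire/cgi-bin/ids.cgi line 588.
Unable to write to file /var/ipfire/suricata/providers-settings at /var/ipfire/general-functions.pl line 928
EOF
}

# Demo on the sample lines. On the firewall itself:
#   cgi_errors /var/log/httpd/error_log
#   sha1_matches /srv/web/ipfire/cgi-bin/ids.cgi 751af55c30d317f51e0da268c3f503baccad39eb
tmp=$(mktemp) && sample_log > "$tmp"
cgi_errors "$tmp"
rm -f "$tmp"
```

The hash in the usage comment is the one given in the post above and only applies to the IPFire release that post refers to.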

this is in line 590… so I have 2 lines more…

Where can I get a correct copy of ids.cgi and how do I get it integrated into the system?

Edit:
I did the edit of ids.cgi here → Tor and IPS conflict --SURICATA Rulset where does it come from? - #18 by stevee
but the original is gone and the patched one gives me a cleaner ips log.
Edit2:
After some research in the mailing list, I found an updated tar file.
After installing this second patch, the ids.cgi page saves like it should.
Thank you for the hint @bonnietwin

I did a fresh install from the latest ISO download and everything is working as expected. Thank you very very much for all your help! Your support is better than Microsoft!