Since updating to core 168, I see that my IPS rules have stopped updating. I observed them previously updating daily.
In trying to diagnose what’s happening, I went looking for a cron entry, which I can no longer find on core 168. Did the mechanism for IPS updates change? Is there something I need to do to recreate the cron entry?
I tried updating the rules manually, which worked, but didn’t cause it to start updating automatically/regularly. I also tried disabling and re-enabling “automatic updates” but no change. What else can I try?
Per the blog
Intrusion Prevention System improvements
Stefan contributed a patch series for notably improving the IPS, particularly when it comes to handling of ruleset providers. While many of the changes are done under the hood, the following are visible to the web interface:
- Monitoring mode can now be enabled for each ruleset provider individually. This makes baselining and testing much less of a hassle, since newly introduced IPS ruleset providers can now first be used for logging only, without risking disruptions or unintended side-effects.
- Parsing and restructuring changed or updated rulesets has been improved and is now faster by orders of magnitude.
- The downloader will now automatically check whether a ruleset has been updated on its providers’ server by checking the ETag HTTP header. This allows us to drop the update interval selection; every IPS ruleset will now be updated automatically on the appropriate interval.
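To make the ETag-based decision described in the blog concrete, here is an added example (not IPFire's own update-ids-ruleset code) that records one ETag per provider and decides whether a ruleset must be fetched again. The provider names, ETag values and the state-file path are assumptions made for illustration.

```python
"""Decide whether an IPS ruleset needs re-downloading based on its ETag.

Added example, not IPFire's update-ids-ruleset code. Provider names,
ETag values and STATE_FILE are constructed for illustration only.
"""
import json
import os
from urllib.error import HTTPError
from urllib.request import Request, urlopen

STATE_FILE = "/tmp/ruleset-etags.json"  # assumed location, not IPFire's


def load_state(path=STATE_FILE):
    """Load the per-provider ETag map; an absent file means nothing stored yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def normalize_etag(etag):
    """Strip the weak-validator prefix so W/"abc" and "abc" compare equal."""
    if etag is None:
        return None
    etag = etag.strip()
    return etag[2:] if etag.startswith("W/") else etag


def needs_download(provider, headers, state):
    """Return (download?, reason) for one provider's response headers.

    A provider that sends no ETag cannot be skipped safely, so it is always
    downloaded; the caller records the new ETag only after a successful fetch.
    """
    current = normalize_etag(headers.get("ETag"))
    if current is None:
        return True, "no ETag header; cannot tell whether ruleset changed"
    stored = state.get(provider)
    if stored == current:
        return False, "ruleset is up-to-date"
    reason = "ETag changed" if stored else "no ETag stored yet"
    return True, reason


def check_provider(provider, url, state, timeout=30):
    """Live HEAD request with If-None-Match; a 304 answer means skip."""
    req = Request(url, method="HEAD")
    if provider in state:
        req.add_header("If-None-Match", state[provider])
    try:
        with urlopen(req, timeout=timeout) as resp:
            return needs_download(provider, resp.headers, state)
    except HTTPError as err:
        if err.code == 304:
            return False, "server answered 304 Not Modified"
        raise
```

Running needs_download() over the headers of each configured provider reproduces the "Skipping ... The ruleset is up-to-date" outcome when the stored and served ETags match.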
OK. But it shows that the rules have not been updated since 2022-06-16 08:54:36, and yet I know that the rule provider is updating them.
So again - how to debug?
Check that the addition into the fcrontab occurred. The entry should be at lines 65 and 66.
The entry is
65 # Perform a suricata rules update every 12 hours.
66 @ 12h [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1
If it is not there then something went wrong when you carried out the CU168 upgrade.
I have those lines in my fcrontab and the rules are being updated regularly.
Do you have Automatic Updates selected for each of the Providers in the Ruleset Settings table?
Thanks! It’s there. Let me try to execute it manually and see what happens…
I was able to execute /usr/local/bin/update-ids-ruleset manually, but it did not output anything, nor as far as I can tell did it send anything to the log. It just paused then exited.
OK, I take that back. I grep’d for oinkmaster and I see this:
Jun 21 15:17:29 ipfire oinkmaster: Performing update for subscripted.
Jun 21 15:17:30 ipfire oinkmaster: Skipping subscripted - The ruleset is up-to-date
So it apparently thinks there is no update. I will see if I can dig any deeper…
My two ruleset providers are EmergingThreats.net and Abuse.ch
I don’t have any subscribed rulesets so I can’t test that.
And… digging more deeply, it looks like the Talos rules haven’t actually been modified since 6/16. So this is my mistake. Thanks for the help debugging, and apologies for the false alarm. I will revisit once the rule provider updates the rules and hopefully everything updates fine…
And… to close the loop, the rules were updated by the provider since I last posted and they have also been picked up by my ipfire automatically. So it seems like everything is working as intended, at least for me. Thanks again.