Since updating to core 168, I see that my IPS rules have stopped updating. I observed them previously updating daily.
In trying to diagnose what’s happening, I went looking for a cron entry, which I can longer find on core 168. Did the mechanism for IPS updates change? Is there something I need to do to recreate the cron entry?
I tried updating the rules manually, which worked, but didn’t cause it to start updating automatically/regularly. I also tried disabling and re-enabling “automatic updates” but no change. What else can I try?
Stefan contributed a patch series for notably improving the IPS, particularly when it comes to handling of ruleset providers. While many of the changes are done under the hood, the following are visible to the web interface:
Monitoring mode can now be enabled for each ruleset provider individually. This makes baselining and testing much less of a hassle, since newly introduced IPS ruleset providers can now first be used for logging only, without risking disruptions or unintended side-effects.
Parsing and restructuring changed or updated rulesets has been improved and is now faster by orders of magnitude.
The downloader will now automatically check whether a ruleset has been updated on its providers’ server by checking the ETag HTTP header. This allows us to drop the update interval selection; every IPS ruleset will now updated automatically on the appropriate interval.
And… digging more deeply, it looks like the Talos rules haven’t actually been modified since 6/16. So this is my mistake Thanks for the help debugging, and apologies for the false alarm. I will revisit once the rule provider updates the rules and hopefully everything updates fine…
And… to close the loop, the rules were updated by the provider since I last posted and they have also been picked up by my ipfire automatically. So it seems like everything is working as intended, at least for me. Thanks again.