IPS Ruleset automatic update - how to set time

Does anyone know if it is possible to configure the time when the IPS ruleset is updated? I am using ET community rules and daily updates.

Also, can someone give me some commands to test if the service is working and to force an update if needed?

1 Like

The script that runs the updates has a link to it in the /etc/fcron.daily/ directory.

The fcron.daily directory is run every day at 01:25 in the morning. This is defined in the fcrontab.

You could change this in the fcrontab but then that change would apply to everything in the fcron.daily directory.
Also when a Core Update is done you risk it being reverted back, and definitely if fcron is updated in the future.

2 Likes

Ok - that’s great - thanks.

briand Also, can someone give me some commands to test if the service is working and to force an update if needed?

I had the same question as I activated suricata IDS today on my small PC Engines APU2 system. If you set emerging-attack_response.rules to status active on RED you can test the IDS safely by doing a “curl http://testmynids.org/uid/index.html” on the ipfire system (ssh). I found that hint in doc 2. Quickstart guide — Suricata 8.0.0-dev documentation. This triggers a message in file /var/log/suricata/fast.log, which instantly becomes visible in the IPS Log Viewer, too (see screenshot attached). Hope, that helps - or did you mean the update service itself?

2 Likes

Hi - thanks - that’s very useful and I will use it. However, as you say, I was wondering how to force an update of the IPS ruleset. The reason is that my network actually disconnects the internet at certain times of the day. However now knowing that the update happens at 1:25am I have modified the network configuration. thanks again for your help.

1 Like

This didn’t work for me, I looked in fast.log, and IPS Log Viewer,
and don’t see GPL ATTACK_RESPONSE triggered.

Just wondering why :rofl:

1 Like

I just tried it and it worked fine for me.

Did you select the emerging-attack_response.rules entry in the Emergingthreats.net Community Rules and also press the Apply button at the bottom of the table.

1 Like

I tried the curl test using cu 159.
Detection also worked for me, but the IPS log showed a different response …

NAME: ET POLICY curl User-Agent Outbound
Type: Attempted Information Leak
Priority: 2
SID: 2013028

Response text looks to me as if another rule is triggered, which suppresses any use of curl because of possible information leak. So it works just fine.