Manual Update missing on core 164-TEST

The Manual Update button no longer appears on Intrusion Prevention of Core 164 TEST.

In previous versions, disabling the AutoUpdate feature and doing a SAVE would make visible the manual update radio button. This no longer happens on the test version of core 164.

Should I report this as a bug, or is it something specific to test versions?

With the addition of multiple providers being able to be selected in the IPS, the manual update functionality has been moved in Core Update 164.

In the IPS menu page under ruleset settings, each provider entry now has a pencil symbol to allow editing of that entry and to update the ruleset. Press the pencil and a new page opens which has a Force ruleset update button. If you have an old version of the rules and don’t want to wait for the daily update to come round then just press this button and it will do an immediate update.

This setup means that you can force the ruleset update just of specific providers in your selection.

2 Likes

Thanks Adolf.
I found the ‘Force Ruleset Update’ button function as you indicated.

I clicked on it, as well as the ‘Update’ button (next to the ‘back’)

However, I seem to have lost the ability to customize the rules like on my previous core 161. Maybe the ruleset never loaded.

I use Emergingthreats.net Community Rules (as used on my core 161), and it shows as updated 2022-03-01 12:13:05 (local time), but when I click on the Customize Ruleset, there are no rules displayed to be customized.

I noticed also that the ‘Visit Provider Website’ takes me to ProofPoint.com site.

Did I miss something?

Hmmm.
I have the Emerging Threats and the Abuse.ch rulesets selected on my vm testbed system.

When I press Customize Ruleset I get the Emerging Threats rules listed and I can change the selection and there is also a line for the Abuse.ch ruleset. The default for this ruleset is all rules selected.
I don’t know why you don’t get any options listed.

Yes, as far as I understand Proofpoint is the company behind the Emerging Threats rulesets. They have both an Open set of rules and a Pro set, both of which are available in IPFire. The Pro set requires a subscription code to be entered.

1 Like

Hi Adolf
I have done more experimenting.
I reverted back to my previous IPFire of core 161 and the updates are working as usual, so it does not appear to be an ISP or internet connection issue.

Using core 164-TESTing, I did the following.
1-) added provider Abuse.ch SSLBL Blacklist Rules.
After that clicking the ‘Customize Ruleset’ that one provider did appear with a checkbox to the left unchecked. I clicked to check it ON.
There was a red SHOW above the update button. When clicked it displayed all the specific detailed rules with the option to enable and disable specific ones. The red SHOW now displayed HIDE. I did the HIDE and clicked UPDATE button.
When I clicked the ‘Customize Ruleset’, it no longer displayed that newly provided provider (nor my original one), thus I could no longer edit the ruleset.

2-) I deleted both providers.
Then I added provider Emergingthreats.net Community Rules, and clicked the ‘Customize Ruleset’. This time it appeared. I clicked the left checkbox, and clicked on SHOW. The ruleset details were displayed, but nothing was checked. I checked them all, clicked HIDE, and clicked UPDATE.
When I went back to customize the ruleset, again no providers were shown.
Thus I could not edit the ruleset after it had been customized the first time around.

3-) Deleted both providers, then added them again.
This time, the ‘Customize Ruleset’ displayed all the rules. None were checked so I checked them all and clicked update.
I again clicked ‘Customize Ruleset’ and again there was nothing to display.

Hi @rejjysail,

I don’t know what is causing your problems.

When I upgraded my vm from Core Update 163 to 164 Testing the Emerging Threats was successfully brought with it, with the selections I had previously made. I was able to change selections and save them and go back and view them. After adding the Abuse.ch list I still had all the emerging threats rules visible and all still showing the selections I had made and saved.

I suspect that something has gone a bit wrong in one of the settings files but I am not familiar enough with the Perl code for the IPS section to be able to figure out what might be causing this.

I think your best bet is to raise a bug on this and add stefan.schantl@ipfire.org to the bug. He is the core person involved with the IPS and should know what to ask you to check for to try and understand what has gone wrong on your system.

Your IPFire People email address and password work for access to the IPFire Bugzilla.
https://wiki.ipfire.org/devel/bugzilla
https://bugzilla.ipfire.org/

1 Like

Adolf,
We have a major difference in that you already had 163 and upgraded to 164 test, whereas I did a full install of 164 test from the .iso.

It is very possible that a required file or permission, existing already from 163, is not created when doing a full 164 install.

I can raise the bug, but not sure which module I need to select.

@bonnietwin - I managed to submit bug
Bug id=12788

Ah, I didn’t realise that. I thought you had upgraded from 161 to 164 Testing.

I will try a 164 Testing install from the nightly iso on a vm and then restore my backup and see how it goes for me with that approach.

Edit:- In the nightlies for core164 there is an entry for 22 Feb and 26 Feb. I will go with evaluating the 26 Feb iso unless you indicate that it was the 22 Feb version that you used.

So I installed the 26th Feb core update 164 nightly .iso and got the same problem as you.

That is good news because it means your problem can be replicated.

Added my experiences into the bug report.

I continued and in a separate scenario I did an UPGRADE from a core 163 to TEST 164 (master/6e2e8f48) and like you I was now able to see the ruleset and modify it. However, I noticed that after the update had completed, the web page was still showing the rotating icon (updating) and never returned back to the main IPS screen.

BTW, the .iso I used had an MD5 of 8906cac7b3fd6b8080491e32d0fbc3ec.
I assume it’s the Feb 26 version.