Snort/VRT ruleset

I try to add Snort/VRT GPLv2 Community Rules to my IPS.

After adding, the entry appears in the Ruleset Settings, but when I want to Customize the ruleset it is not there.
The file community-used-rulesfiles in /var/ipfire/suricata is 0 bytes. When I try to Force update the ruleset, it says the ruleset is already up to date.
Does anyone else experience this as well?

A bug was raised on this in October 2022.

https://bugzilla.ipfire.org/show_bug.cgi?id=12948

A fix for this was committed on 11th March and is in CU174 Testing at the moment.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=c35974f87dbdd91ffe70f03a07217308545447d7

Ah, thanks. Didn’t read the links yet, was still testing. Will read them in a minute.
Just found out Etnetera Aggressive Blacklist Rules don’t appear in the ruleset as well. So not Snort related.
I have Talos VRT rules with subscription and Emergingthreats.net Community Rules successfully installed.
Now I hope my findings will be reflected in the links you mentioned.

I have just checked the CU174 Testing on my vm testbed and have confirmed that the fix is verified.

You will only see it if you are running CU174 Testing.

If you are still on CU173 Stable then you will need to wait for CU174 Testing to complete its testing and update phases and to be released as the next Stable version.

I have just tested out the Etnetera Rules and can confirm that these do not get shown when customise Ruleset is selected.

This will not be fixed by the bug I provided a link to as only SNORT/VRT Community Rules was mentioned in that bug.

You should raise a bug about this problem.
https://wiki.ipfire.org/devel/bugzilla
https://bugzilla.ipfire.org/

Your IPFire People email address and password will act as the credentials to log on to the IPFire Bugzilla.

Thanks, will do.
To be sure, Etnetera rules don’t show on CU174 Testing as well, correct?

Edit: bug raised.

Correct, that is what I confirmed a short time ago.

I can confirm that the Etnetera rules are working again.

I contacted the firm using their security email address and got a reply in 15 mins. Turns out they had applied a global redirect to their website and it had also been incorrectly applied to the ruleset feed.

They have fixed this and I have confirmed it on my systems, that you can again see the ruleset in the customize list option.

Just installed the Etnetera rules, great.

Thanks @bonnietwin for doing the work here! (finding out what the root cause was and making someone fix it).
And also thanks to Etnetera for fixing it right away.

Regards,
Edwin