Bug 11263

Summary: ids.cgi does not include in snort.conf all /etc/snort/rules/*.rules files
Product: IPFire
Reporter: Horace Michael (aka H&M) <horace.michael>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED
QA Contact:
Severity: Minor Usability
Priority: Will affect an average number of users
CC: michael.tremer, peter.mueller
Version: 2
Keywords: Security
Hardware: all
OS: All
Bug Depends on:
Bug Blocks: 11542, 11801

Description Horace Michael (aka H&M) 2016-11-17 09:18:19 UTC
Hi,

Summary: ids.cgi does not include in snort.conf all /etc/snort/rules/*.rules files

How to reproduce:
1. Manually remove all *.rules files from /etc/snort/rules
2. Download rules using the interface (ids.cgi)
3. Check /etc/snort/rules/*.rules against the "include" lines in snort.conf

Script to check and expose differences:

cd /etc/snort/rules
ls  -1 *.rules  > rules.list
cat  /etc/snort/snort.conf |grep "\.rules" |grep include | sed -r 's/#include\ \$RULE_PATH\///g' > snort.conf.list
diff rules.list snort.conf.list
 
17d16
< dos.rules
39d37
< info.rules
45d42
< multimedia.rules
60d56
< policy.rules
62a59
> policy.rules
84d80
< rpc.rules
86,87d81
< scada.rules
< scan.rules
97d90
< shellcode.rules
99d91
< snmp.rules
102,104d93
< sql.rules
< telnet.rules
< tftp.rules
106d94
< voip.rules


I also did manual checks: the dos.rules file exists in the /etc/snort/rules folder but is not included/referred to inside snort.conf.

Best Regards,
Horace
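A more robust version of the reporter's check, added here as an example; it is not part of the bug report and not code from IPFire's ids.cgi. Two things in the report's one-liner make its output harder to read than it needs to be: the sed only strips "#include $RULE_PATH/", so an active (uncommented) include line survives into the list and shows up as a difference, and neither list is sorted, so a file that is merely referenced at a different position appears as both a deletion and an addition (policy.rules above). The version below strips active and commented-out includes alike (it assumes, as the original sed implies, that disabled rulesets remain in snort.conf as commented-out include lines), sorts both sides, and reports the two directions separately: rules files on disk that snort.conf never references (the defect reported here, which leaves those signatures silently unloaded), and include lines whose file is absent from the rules directory (the converse, which stops Snort from loading the configuration at all). The sample rules directory and snort.conf it builds are constructed for the demonstration; on a real box the paths are the page's /etc/snort/rules and /etc/snort/snort.conf.

```shell
#!/bin/sh
# Added example, not from the bug report or from IPFire's ids.cgi: a more
# robust version of the reporter's rules-vs-snort.conf comparison.
#   * "include $RULE_PATH/x.rules" and "#include $RULE_PATH/x.rules" are
#     both recognised (assumption: disabled rulesets stay in the file as
#     commented-out includes, which is what the reporter's sed implies);
#   * both lists are sorted before comparison, so a file that is only
#     referenced at a different position no longer shows up as a diff;
#   * the two directions of mismatch are reported separately.
export LC_ALL=C   # one collation order for sort and comm

# Basenames of every *.rules file in the rules directory ($1), sorted.
list_rule_files() {
    find "$1" -maxdepth 1 -name '*.rules' -exec basename {} \; | sort -u
}

# Basenames referenced by include lines in snort.conf ($1), whether the
# include is active or commented out, sorted.
list_included_rules() {
    sed -n -E 's|^[[:space:]]*#?[[:space:]]*include[[:space:]]+\$RULE_PATH/([^[:space:]]+\.rules)[[:space:]]*$|\1|p' "$1" | sort -u
}

# Rules files present on disk that snort.conf never references: the
# symptom reported in this bug (those signatures are never loaded).
rules_missing_from_conf() {   # $1 = rules dir, $2 = snort.conf
    _t=$(mktemp -d)
    list_rule_files "$1" > "$_t/on_disk"
    list_included_rules "$2" > "$_t/in_conf"
    comm -23 "$_t/on_disk" "$_t/in_conf"
    rm -rf "$_t"
}

# Include lines whose file is absent from the rules directory: the
# opposite defect, which makes Snort refuse to load the configuration.
includes_without_file() {     # $1 = rules dir, $2 = snort.conf
    _t=$(mktemp -d)
    list_rule_files "$1" > "$_t/on_disk"
    list_included_rules "$2" > "$_t/in_conf"
    comm -13 "$_t/on_disk" "$_t/in_conf"
    rm -rf "$_t"
}

# Constructed sample layout (not a real IPFire installation) so the check
# can be exercised offline: five empty rules files, one of them disabled
# by a commented include, two never referenced, plus one stale include.
make_sample_layout() {
    _d=$(mktemp -d)
    mkdir "$_d/rules"
    for _f in alienvault app-detect dos info policy; do
        : > "$_d/rules/$_f.rules"
    done
    cat > "$_d/snort.conf" <<'EOF'
# constructed snort.conf fragment; only the include lines matter here
var RULE_PATH /etc/snort/rules
include $RULE_PATH/alienvault.rules
#include $RULE_PATH/app-detect.rules
include $RULE_PATH/policy.rules
include $RULE_PATH/stale.rules
EOF
    printf '%s\n' "$_d"
}

report() {                    # $1 = rules dir, $2 = snort.conf
    echo "== *.rules files in $1 with no include line in $2 =="
    rules_missing_from_conf "$1" "$2"
    echo "== include lines in $2 whose file is absent from $1 =="
    includes_without_file "$1" "$2"
}

# With two arguments check a real installation, e.g.
#   sh check_rules.sh /etc/snort/rules /etc/snort/snort.conf
# With no arguments, run against the constructed sample and clean up.
if [ $# -ge 2 ]; then
    report "$1" "$2"
elif [ $# -eq 0 ]; then
    _sample=$(make_sample_layout)
    report "$_sample/rules" "$_sample/snort.conf"
    rm -rf "$_sample"
fi
```

Run without arguments to see the two reports for the constructed sample (dos.rules and info.rules unreferenced, stale.rules included but absent); pass the rules directory and snort.conf path to check a real installation. comm rather than diff is used because both inputs are sorted, so each line printed is a genuine one-sided mismatch rather than a positional difference.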
Comment 1 Peter Müller 2017-11-08 16:18:20 UTC
Can you confirm this is still valid?
Comment 2 Horace Michael (aka H&M) 2017-11-08 20:02:42 UTC
Yes, bug is still present.

Here is today's test: 2 missing files

cd /etc/snort/rules
rm *.rules
rm: remove regular file 'alienvault.rules'? n
rm: remove regular file 'app-detect.rules'? y
rm: remove regular file 'attack-responses.rules'? y
rm: remove regular file 'backdoor.rules'? y
rm: remove regular file 'bad-traffic.rules'? y
rm: remove regular file 'blacklist.rules'? y
rm: remove regular file 'botnet-cnc.rules'? y
rm: remove regular file 'browser-chrome.rules'? y
rm: remove regular file 'browser-firefox.rules'? y
rm: remove regular file 'browser-ie.rules'? y
rm: remove regular file 'browser-other.rules'? y
rm: remove regular file 'browser-plugins.rules'? y
rm: remove regular file 'browser-webkit.rules'? y
rm: remove regular file 'chat.rules'? y
rm: remove regular file 'content-replace.rules'? y
rm: remove regular file 'ddos.rules'? y
rm: remove regular file 'dns.rules'? y
rm: remove regular file 'dos.rules'? y
rm: remove regular file 'emerging-activex.rules'? y
rm: remove regular file 'emerging-attack_response.rules'? y
rm: remove regular file 'emerging-botcc.portgrouped.rules'? y
rm: remove regular file 'emerging-botcc.rules'? y
rm: remove regular file 'emerging-chat.rules'? y
rm: remove regular file 'emerging-ciarmy.rules'? y
rm: remove regular file 'emerging-compromised.rules'? y
rm: remove regular file 'emerging-current_events.rules'? y
rm: remove regular file 'emerging-deleted.rules'? y
rm: remove regular file 'emerging-dns.rules'? y
rm: remove regular file 'emerging-dos.rules'? y
rm: remove regular file 'emerging-drop.rules'? y
rm: remove regular file 'emerging-dshield.rules'? y
rm: remove regular file 'emerging-exploit.rules'? y
rm: remove regular file 'emerging-ftp.rules'? y
rm: remove regular file 'emerging-games.rules'? y
rm: remove regular file 'emerging-icmp_info.rules'? y
rm: remove regular file 'emerging-icmp.rules'? y
rm: remove regular file 'emerging-imap.rules'? y
rm: remove regular file 'emerging-inappropriate.rules'? y
rm: remove regular file 'emerging-info.rules'? y
rm: remove regular file 'emerging-malware.rules'? y
rm: remove regular file 'emerging-misc.rules'? y
rm: remove regular file 'emerging-mobile_malware.rules'? y
rm: remove regular file 'emerging-netbios.rules'? y
rm: remove regular file 'emerging-p2p.rules'? y
rm: remove regular file 'emerging-policy.rules'? y
rm: remove regular file 'emerging-pop3.rules'? y
rm: remove regular file 'emerging-rbn-malvertisers.rules'? y
rm: remove regular file 'emerging-rbn.rules'? y
rm: remove regular file 'emerging-rpc.rules'? y
rm: remove regular file 'emerging-scada.rules'? y
rm: remove regular file 'emerging-scan.rules'? y
rm: remove regular file 'emerging-shellcode.rules'? y
rm: remove regular file 'emerging-smtp.rules'? y
rm: remove regular file 'emerging-snmp.rules'? y
rm: remove regular file 'emerging-sql.rules'? y
rm: remove regular file 'emerging-telnet.rules'? y
rm: remove regular file 'emerging-tftp.rules'? y
rm: remove regular file 'emerging-tor.rules'? y
rm: remove regular file 'emerging-trojan.rules'? y
rm: remove regular file 'emerging-user_agents.rules'? y
rm: remove regular file 'emerging-voip.rules'? y
rm: remove regular file 'emerging-web_client.rules'? y
rm: remove regular file 'emerging-web_server.rules'? y
rm: remove regular file 'emerging-web_specific_apps.rules'? y
rm: remove regular file 'emerging-worm.rules'? y
rm: remove regular file 'experimental.rules'? y
rm: remove regular file 'exploit-kit.rules'? y
rm: remove regular file 'exploit.rules'? y
rm: remove regular file 'file-executable.rules'? y
rm: remove regular file 'file-flash.rules'? y
rm: remove regular file 'file-identify.rules'? y
rm: remove regular file 'file-image.rules'? y
rm: remove regular file 'file-java.rules'? y
rm: remove regular file 'file-multimedia.rules'? y
rm: remove regular file 'file-office.rules'? y
rm: remove regular file 'file-other.rules'? y
rm: remove regular file 'file-pdf.rules'? y
rm: remove regular file 'finger.rules'? y
rm: remove regular file 'ftp.rules'? y
rm: remove regular file 'icmp-info.rules'? y
rm: remove regular file 'icmp.rules'? y
rm: remove regular file 'imap.rules'? y
rm: remove regular file 'indicator-compromise.rules'? y
rm: remove regular file 'indicator-obfuscation.rules'? y
rm: remove regular file 'indicator-scan.rules'? y
rm: remove regular file 'indicator-shellcode.rules'? y
rm: remove regular file 'info.rules'? y
rm: remove regular file 'malware-backdoor.rules'? y
rm: remove regular file 'malware-cnc.rules'? y
rm: remove regular file 'malware-other.rules'? y
rm: remove regular file 'malware-tools.rules'? y
rm: remove regular file 'misc.rules'? y
rm: remove regular file 'multimedia.rules'? y
rm: remove regular file 'mysql.rules'? y
rm: remove regular file 'netbios.rules'? y
rm: remove regular file 'nntp.rules'? y
rm: remove regular file 'oracle.rules'? y
rm: remove regular file 'os-linux.rules'? y
rm: remove regular file 'os-mobile.rules'? y
rm: remove regular file 'os-other.rules'? y
rm: remove regular file 'os-solaris.rules'? y
rm: remove regular file 'os-windows.rules'? y
rm: remove regular file 'other-ids.rules'? y
rm: remove regular file 'p2p.rules'? y
rm: remove regular file 'phishing-spam.rules'? y
rm: remove regular file 'policy-multimedia.rules'? y
rm: remove regular file 'policy-other.rules'? y
rm: remove regular file 'policy.rules'? y
rm: remove regular file 'policy-social.rules'? y
rm: remove regular file 'policy-spam.rules'? y
rm: remove regular file 'pop2.rules'? y
rm: remove regular file 'pop3.rules'? y
rm: remove regular file 'protocol-dns.rules'? y
rm: remove regular file 'protocol-finger.rules'? y
rm: remove regular file 'protocol-ftp.rules'? y
rm: remove regular file 'protocol-icmp.rules'? y
rm: remove regular file 'protocol-imap.rules'? y
rm: remove regular file 'protocol-nntp.rules'? y
rm: remove regular file 'protocol-other.rules'? y
rm: remove regular file 'protocol-pop.rules'? y
rm: remove regular file 'protocol-rpc.rules'? y
rm: remove regular file 'protocol-scada.rules'? y
rm: remove regular file 'protocol-services.rules'? y
rm: remove regular file 'protocol-snmp.rules'? y
rm: remove regular file 'protocol-telnet.rules'? y
rm: remove regular file 'protocol-tftp.rules'? y
rm: remove regular file 'protocol-voip.rules'? y
rm: remove regular file 'pua-adware.rules'? y
rm: remove regular file 'pua-other.rules'? y
rm: remove regular file 'pua-p2p.rules'? y
rm: remove regular file 'pua-toolbars.rules'? y
rm: remove regular file 'rpc.rules'? y
rm: remove regular file 'rservices.rules'? y
rm: remove regular file 'scada.rules'? y
rm: remove regular file 'scan.rules'? y
rm: remove regular file 'server-apache.rules'? y
rm: remove regular file 'server-iis.rules'? y
rm: remove regular file 'server-mail.rules'? y
rm: remove regular file 'server-mssql.rules'? y
rm: remove regular file 'server-mysql.rules'? y
rm: remove regular file 'server-oracle.rules'? y
rm: remove regular file 'server-other.rules'? y
rm: remove regular file 'server-samba.rules'? y
rm: remove regular file 'server-webapp.rules'? y
rm: remove regular file 'shellcode.rules'? y
rm: remove regular file 'smtp.rules'? y
rm: remove regular file 'snmp.rules'? y
rm: remove regular file 'specific-threats.rules'? y
rm: remove regular file 'spyware-put.rules'? y
rm: remove regular file 'sql.rules'? y
rm: remove regular file 'telnet.rules'? y
rm: remove regular file 'tftp.rules'? y
rm: remove regular file 'virus.rules'? y
rm: remove regular file 'voip.rules'? y
rm: remove regular file 'web-activex.rules'? y
rm: remove regular file 'web-attacks.rules'? y
rm: remove regular file 'web-cgi.rules'? y
rm: remove regular file 'web-client.rules'? y
rm: remove regular file 'web-coldfusion.rules'? y
rm: remove regular file 'web-frontpage.rules'? y
rm: remove regular file 'web-iis.rules'? y
rm: remove regular file 'web-misc.rules'? y
rm: remove regular file 'web-php.rules'? y
rm: remove regular file 'x11.rules'? y


-- I used ids.cgi to download the Emerging Threats rules and the Snort VRT rules for registered users

Then, the diff:


ls  -1 *.rules  > rules.list
cat  /etc/snort/snort.conf |grep "\.rules" |grep include |sed -r 's/#include\ \$RULE_PATH\///g' > snort.conf.list
diff rules.list snort.conf.list
1,2c1
< alienvault.rules
< app-detect.rules
---
> include $RULE_PATH/alienvault.rules
4,18d2
< backdoor.rules
< bad-traffic.rules
< blacklist.rules
< botnet-cnc.rules
< browser-chrome.rules
< browser-firefox.rules
< browser-ie.rules
< browser-other.rules
< browser-plugins.rules
< browser-webkit.rules
< chat.rules
< content-replace.rules
< ddos.rules
< dns.rules
< dos.rules
35d18
< emerging-icmp_info.rules
36a20
> emerging-icmp_info.rules
65a50,62
> app-detect.rules
> backdoor.rules
> bad-traffic.rules
> blacklist.rules
> botnet-cnc.rules
> browser-chrome.rules
> browser-firefox.rules
> browser-ie.rules
> browser-other.rules
> browser-plugins.rules
> browser-webkit.rules
> content-replace.rules
> ddos.rules
68d64
< exploit.rules
79d74
< ftp.rules
81,82d75
< icmp.rules
< imap.rules
87d79
< info.rules
92,93d83
< misc.rules
< multimedia.rules
95d84
< netbios.rules
104d92
< p2p.rules
108d95
< policy.rules
112d98
< pop3.rules
132d117
< rpc.rules
134,135d118
< scada.rules
< scan.rules
145,147d127
< shellcode.rules
< smtp.rules
< snmp.rules
150,152d129
< sql.rules
< telnet.rules
< tftp.rules
154d130
< voip.rules
Comment 3 Horace Michael (aka H&M) 2017-11-08 20:34:20 UTC
I had to manually add these .rules files to snort.conf


64a68
> exploit.rules
74a79
> ftp.rules
75a81,82
> icmp.rules
> imap.rules
79a87
> info.rules
83a92,93
> misc.rules
> multimedia.rules
98a109
> pop3.rules
117a129
> rpc.rules
118a131,132
> scada.rules
> scan.rules
127a142,144
> shellcode.rules
> smtp.rules
> snmp.rules
129a147,149
> sql.rules
> telnet.rules
> tftp.rules
130a151
> voip.rules
Comment 4 Peter Müller 2018-07-11 18:20:54 UTC
Perhaps this occurs if more than one source for IDS files is used. I am "only" using the ET ruleset here, and all files are included properly.

The IDS CGI needs to be extended for fixing this.
Comment 5 Michael Tremer 2018-07-11 18:22:40 UTC
On Wed, 2018-07-11 at 16:20 +0000, IPFire Bugzilla wrote:
> Comment # 4 on bug 11263 from Peter Müller
> The IDS CGI needs to be extended for fixing this.

Can you provide some detail?
Comment 6 Stefan Schantl 2018-08-30 10:48:12 UTC
Fixed with the following commits:

https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=3da6e01bcf1aefd1e495f64d251d0e39a94a4fdc

https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=298723b9db481a07056377278a501d4a643c7a93

The fixes are part of the move to Suricata and will be shipped when everything is done.
Comment 7 Michael Tremer 2018-08-30 10:52:04 UTC
You cannot close any bugs where the fix is not shipped, yet.

https://wiki.ipfire.org/devel/bugzilla/workflow