Bug 11884

Summary: Unable to update IDS classification file correctly
Product: IPFire Reporter: Tim <ipfb>
Component: ---Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED QA Contact:
Severity: - Unknown -    
Priority: - Unknown - CC: horace.michael, jneb1980, michael.tremer, peter.mueller
Version: 2   
Hardware: all   
OS: Other   
Bug Depends on:    
Bug Blocks: 12052    

Description Tim 2018-09-28 19:13:12 UTC 
Both Snort and Suricata read the classification.config file to convert the classtype in the rules to a priority.  This file is included in the rules directory and should be updated by oinkmaster.

Oinkmaster looks for the file in the rules directory of the downloaded tarball, however the Talos VRT rules put this file in the etc directory.  This means that the file is not updated when Talos VRT changes it.

Talos VRT have added some new classtypes to this file; they don't seem to be using the new values at the moment, but when they do Snort (and presumably Suricata) will fail to parse the rule files.  If the correct classification.config file is put into the rules directory, it will be overwritten with the incorrect one if an update of the Emerging Threats rules is carried out.

A workaround would be to put a suitable classification.config in the /etc/snort directory and modify snort.conf to point to it.

Long term IPFire should be able to update the file from the downloads; note that this means merging classification files from different sources so as to handle future differences.

Unfortunately, the problem is in the upstream Oinkmaster and rule sources so I can't see any easy way to handle this.
Comment 1 Stefan Schantl 2022-04-22 04:05:40 UTC 
Fixed and shipped with the new IDS multiple providers feature in Core update 165.