Hi, Summary: ids.cgi does not include in snort.conf all /etc/snort/rules/*.rules files How to reproduce: 1. manually removed all *.rules files from /etc/snort/rules 2. Download rules using interface (ids.cgi) 3. Check /etc/snort/rules/*.rules vs. "include" lines in snort.conf Script to check and expose differences: cd /etc/snort/rules ls -1 *.rules > rules.list cat /etc/snort/snort.conf |grep "\.rules" |grep include | sed -r 's/#include\ \$RULE_PATH\///g' > snort.conf.list diff rules.list snort.conf.list 17d16 < dos.rules 39d37 < info.rules 45d42 < multimedia.rules 60d56 < policy.rules 62a59 > policy.rules 84d80 < rpc.rules 86,87d81 < scada.rules < scan.rules 97d90 < shellcode.rules 99d91 < snmp.rules 102,104d93 < sql.rules < telnet.rules < tftp.rules 106d94 < voip.rules Did also manual checks: dos.rules file exists in /etc/snort.rules folder but is not included/referred inside snort.conf. Best Regards, Horace
Can you confirm this is still valid?
Yes, bug is still present. Here is today test: 2 missing files cd /etc/snort/rules rm *.rules rm: remove regular file 'alienvault.rules'? n rm: remove regular file 'app-detect.rules'? y rm: remove regular file 'attack-responses.rules'? y rm: remove regular file 'backdoor.rules'? y rm: remove regular file 'bad-traffic.rules'? y rm: remove regular file 'blacklist.rules'? y rm: remove regular file 'botnet-cnc.rules'? y rm: remove regular file 'browser-chrome.rules'? y rm: remove regular file 'browser-firefox.rules'? y rm: remove regular file 'browser-ie.rules'? y rm: remove regular file 'browser-other.rules'? y rm: remove regular file 'browser-plugins.rules'? y rm: remove regular file 'browser-webkit.rules'? y rm: remove regular file 'chat.rules'? y rm: remove regular file 'content-replace.rules'? y rm: remove regular file 'ddos.rules'? y rm: remove regular file 'dns.rules'? y rm: remove regular file 'dos.rules'? y rm: remove regular file 'emerging-activex.rules'? y rm: remove regular file 'emerging-attack_response.rules'? y rm: remove regular file 'emerging-botcc.portgrouped.rules'? y rm: remove regular file 'emerging-botcc.rules'? y rm: remove regular file 'emerging-chat.rules'? y rm: remove regular file 'emerging-ciarmy.rules'? y rm: remove regular file 'emerging-compromised.rules'? y rm: remove regular file 'emerging-current_events.rules'? y rm: remove regular file 'emerging-deleted.rules'? y rm: remove regular file 'emerging-dns.rules'? y rm: remove regular file 'emerging-dos.rules'? y rm: remove regular file 'emerging-drop.rules'? y rm: remove regular file 'emerging-dshield.rules'? y rm: remove regular file 'emerging-exploit.rules'? y rm: remove regular file 'emerging-ftp.rules'? y rm: remove regular file 'emerging-games.rules'? y rm: remove regular file 'emerging-icmp_info.rules'? y rm: remove regular file 'emerging-icmp.rules'? y rm: remove regular file 'emerging-imap.rules'? y rm: remove regular file 'emerging-inappropriate.rules'? y rm: remove regular file 'emerging-info.rules'? y rm: remove regular file 'emerging-malware.rules'? y rm: remove regular file 'emerging-misc.rules'? y rm: remove regular file 'emerging-mobile_malware.rules'? y rm: remove regular file 'emerging-netbios.rules'? y rm: remove regular file 'emerging-p2p.rules'? y rm: remove regular file 'emerging-policy.rules'? y rm: remove regular file 'emerging-pop3.rules'? y rm: remove regular file 'emerging-rbn-malvertisers.rules'? y rm: remove regular file 'emerging-rbn.rules'? y rm: remove regular file 'emerging-rpc.rules'? y rm: remove regular file 'emerging-scada.rules'? y rm: remove regular file 'emerging-scan.rules'? y rm: remove regular file 'emerging-shellcode.rules'? y rm: remove regular file 'emerging-smtp.rules'? y rm: remove regular file 'emerging-snmp.rules'? y rm: remove regular file 'emerging-sql.rules'? y rm: remove regular file 'emerging-telnet.rules'? y rm: remove regular file 'emerging-tftp.rules'? y rm: remove regular file 'emerging-tor.rules'? y rm: remove regular file 'emerging-trojan.rules'? y rm: remove regular file 'emerging-user_agents.rules'? y rm: remove regular file 'emerging-voip.rules'? y rm: remove regular file 'emerging-web_client.rules'? y rm: remove regular file 'emerging-web_server.rules'? y rm: remove regular file 'emerging-web_specific_apps.rules'? y rm: remove regular file 'emerging-worm.rules'? y rm: remove regular file 'experimental.rules'? y rm: remove regular file 'exploit-kit.rules'? y rm: remove regular file 'exploit.rules'? y rm: remove regular file 'file-executable.rules'? y rm: remove regular file 'file-flash.rules'? y rm: remove regular file 'file-identify.rules'? y rm: remove regular file 'file-image.rules'? y rm: remove regular file 'file-java.rules'? y rm: remove regular file 'file-multimedia.rules'? y rm: remove regular file 'file-office.rules'? y rm: remove regular file 'file-other.rules'? y rm: remove regular file 'file-pdf.rules'? y rm: remove regular file 'finger.rules'? y rm: remove regular file 'ftp.rules'? y rm: remove regular file 'icmp-info.rules'? y rm: remove regular file 'icmp.rules'? y rm: remove regular file 'imap.rules'? y rm: remove regular file 'indicator-compromise.rules'? y rm: remove regular file 'indicator-obfuscation.rules'? y rm: remove regular file 'indicator-scan.rules'? y rm: remove regular file 'indicator-shellcode.rules'? y rm: remove regular file 'info.rules'? y rm: remove regular file 'malware-backdoor.rules'? y rm: remove regular file 'malware-cnc.rules'? y rm: remove regular file 'malware-other.rules'? y rm: remove regular file 'malware-tools.rules'? y rm: remove regular file 'misc.rules'? y rm: remove regular file 'multimedia.rules'? y rm: remove regular file 'mysql.rules'? y rm: remove regular file 'netbios.rules'? y rm: remove regular file 'nntp.rules'? y rm: remove regular file 'oracle.rules'? y rm: remove regular file 'os-linux.rules'? y rm: remove regular file 'os-mobile.rules'? y rm: remove regular file 'os-other.rules'? y rm: remove regular file 'os-solaris.rules'? y rm: remove regular file 'os-windows.rules'? y rm: remove regular file 'other-ids.rules'? y rm: remove regular file 'p2p.rules'? y rm: remove regular file 'phishing-spam.rules'? y rm: remove regular file 'policy-multimedia.rules'? y rm: remove regular file 'policy-other.rules'? y rm: remove regular file 'policy.rules'? y rm: remove regular file 'policy-social.rules'? y rm: remove regular file 'policy-spam.rules'? y rm: remove regular file 'pop2.rules'? y rm: remove regular file 'pop3.rules'? y rm: remove regular file 'protocol-dns.rules'? y rm: remove regular file 'protocol-finger.rules'? y rm: remove regular file 'protocol-ftp.rules'? y rm: remove regular file 'protocol-icmp.rules'? y rm: remove regular file 'protocol-imap.rules'? y rm: remove regular file 'protocol-nntp.rules'? y rm: remove regular file 'protocol-other.rules'? y rm: remove regular file 'protocol-pop.rules'? y rm: remove regular file 'protocol-rpc.rules'? y rm: remove regular file 'protocol-scada.rules'? y rm: remove regular file 'protocol-services.rules'? y rm: remove regular file 'protocol-snmp.rules'? y rm: remove regular file 'protocol-telnet.rules'? y rm: remove regular file 'protocol-tftp.rules'? y rm: remove regular file 'protocol-voip.rules'? y rm: remove regular file 'pua-adware.rules'? y rm: remove regular file 'pua-other.rules'? y rm: remove regular file 'pua-p2p.rules'? y rm: remove regular file 'pua-toolbars.rules'? y rm: remove regular file 'rpc.rules'? y rm: remove regular file 'rservices.rules'? y rm: remove regular file 'scada.rules'? y rm: remove regular file 'scan.rules'? y rm: remove regular file 'server-apache.rules'? y rm: remove regular file 'server-iis.rules'? y rm: remove regular file 'server-mail.rules'? y rm: remove regular file 'server-mssql.rules'? y rm: remove regular file 'server-mysql.rules'? y rm: remove regular file 'server-oracle.rules'? y rm: remove regular file 'server-other.rules'? y rm: remove regular file 'server-samba.rules'? y rm: remove regular file 'server-webapp.rules'? y rm: remove regular file 'shellcode.rules'? y rm: remove regular file 'smtp.rules'? y rm: remove regular file 'snmp.rules'? y rm: remove regular file 'specific-threats.rules'? y rm: remove regular file 'spyware-put.rules'? y rm: remove regular file 'sql.rules'? y rm: remove regular file 'telnet.rules'? y rm: remove regular file 'tftp.rules'? y rm: remove regular file 'virus.rules'? y rm: remove regular file 'voip.rules'? y rm: remove regular file 'web-activex.rules'? y rm: remove regular file 'web-attacks.rules'? y rm: remove regular file 'web-cgi.rules'? y rm: remove regular file 'web-client.rules'? y rm: remove regular file 'web-coldfusion.rules'? y rm: remove regular file 'web-frontpage.rules'? y rm: remove regular file 'web-iis.rules'? y rm: remove regular file 'web-misc.rules'? y rm: remove regular file 'web-php.rules'? y rm: remove regular file 'x11.rules'? y -- I used the ids.cgi to download EmerginThreats rules and Snort VRT for registered users rules Then, the diff: ls -1 *.rules > rules.list cat /etc/snort/snort.conf |grep "\.rules" |grep include |sed -r 's/#include\ \$RULE_PATH\///g' > snort.conf.list diff rules.list snort.conf.list 1,2c1 < alienvault.rules < app-detect.rules --- > include $RULE_PATH/alienvault.rules 4,18d2 < backdoor.rules < bad-traffic.rules < blacklist.rules < botnet-cnc.rules < browser-chrome.rules < browser-firefox.rules < browser-ie.rules < browser-other.rules < browser-plugins.rules < browser-webkit.rules < chat.rules < content-replace.rules < ddos.rules < dns.rules < dos.rules 35d18 < emerging-icmp_info.rules 36a20 > emerging-icmp_info.rules 65a50,62 > app-detect.rules > backdoor.rules > bad-traffic.rules > blacklist.rules > botnet-cnc.rules > browser-chrome.rules > browser-firefox.rules > browser-ie.rules > browser-other.rules > browser-plugins.rules > browser-webkit.rules > content-replace.rules > ddos.rules 68d64 < exploit.rules 79d74 < ftp.rules 81,82d75 < icmp.rules < imap.rules 87d79 < info.rules 92,93d83 < misc.rules < multimedia.rules 95d84 < netbios.rules 104d92 < p2p.rules 108d95 < policy.rules 112d98 < pop3.rules 132d117 < rpc.rules 134,135d118 < scada.rules < scan.rules 145,147d127 < shellcode.rules < smtp.rules < snmp.rules 150,152d129 < sql.rules < telnet.rules < tftp.rules 154d130 < voip.rules
I had to manually add this .rules files to snort.conf 64a68 > exploit.rules 74a79 > ftp.rules 75a81,82 > icmp.rules > imap.rules 79a87 > info.rules 83a92,93 > misc.rules > multimedia.rules 98a109 > pop3.rules 117a129 > rpc.rules 118a131,132 > scada.rules > scan.rules 127a142,144 > shellcode.rules > smtp.rules > snmp.rules 129a147,149 > sql.rules > telnet.rules > tftp.rules 130a151 > voip.rules
Perhaps this is occures if more than one source for IDS files is used. I am "only" using the ET ruleset here, and all files are included properly. The IDS CGI needs to be extended for fixing this.
On Wed, 2018-07-11 at 16:20 +0000, IPFire Bugzilla wrote: > Comment # 4 on bug 11263 from Peter Müller > The IDS CGI needs to be extended for fixing this. Can you provide some detail?
Fixed with the following commits: https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=3da6e01bcf1aefd1e495f64d251d0e39a94a4fdc https://git.ipfire.org/?p=people/stevee/ipfire-2.x.git;a=commit;h=298723b9db481a07056377278a501d4a643c7a93 The fixes are part of the moving to suricata and will be shipped when everything is done.
You cannot close any bugs where the fix is not shipped, yet. https://wiki.ipfire.org/devel/bugzilla/workflow