Bug 11884 - Unable to update IDS classification file correctly
Summary: Unable to update IDS classification file correctly
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: --- (show other bugs)
Version: 2
Hardware: all Other
: - Unknown - - Unknown -
Assignee: Stefan Schantl
QA Contact:
URL:
Keywords:
Depends on:
Blocks: SURICATA2.0
  Show dependency treegraph
 
Reported: 2018-09-28 19:13 UTC by Tim
Modified: 2022-04-22 04:05 UTC (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim 2018-09-28 19:13:12 UTC
Both Snort and Suricata read the classification.config file to convert the classtype in the rules to a priority.  This file is included in the rules directory and should be updated by oinkmaster.

Oinkmaster looks for the file in the rules directory of the downloaded tarball, however the Talos VRT rules put this file in the etc directory.  This means that the file is not updated when Talos VRT changes it.

Talos VRT have added some new classtypes to this file; they don't seem to be using the new values at the moment, but when they do Snort (and presumably Suricata) will fail to parse the rule files.  If the correct classification.config file is put into the rules directory, it will be overwritten with the incorrect one if an update of the Emerging Threats rules is carried out.

A workaround would be to put a suitable classification.config in the /etc/snort directory and modify snort.conf to point to it.

Long term IPFire should be able to update the file from the downloads; note that this means merging classification files from different sources so as to handle future differences.

Unfortunately, the problem is in the upstream Oinkmaster and rule sources so I can't see any easy way to handle this.
Comment 1 Stefan Schantl 2022-04-22 04:05:40 UTC
Fixed and shipped with the new IDS multiple providers feature in Core update 165.