Bug 12804 - IPS Rules disappear once rules modified for 2nd time
Summary: IPS Rules disappear once rules modified for 2nd time
Status: CLOSED NOTABUG
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Linux
Importance: - Unknown - Major Usability
Assignee: Stefan Schantl
Reported: 2022-03-16 17:07 UTC by velifire
Modified: 2022-04-04 10:07 UTC

Description velifire 2022-03-16 17:07:27 UTC
Problem
=============================
IPS Rules disappear once rules modified for 2nd time. 


Steps to repro
==============================
1. On the IPS section choose "add provider"
2. Select "Emergingthreads-community" and press "add"

   - all relevant rules appear under /var/lib/suricata
   - there is no ids_tmp directory under /tmp

3. Click "customise ruleset"
   
   - rules appear not selected

4. Select rules and select "apply"

   - "perl -w oinkmaster.pl" runs
   - oinkmaster logs report


16:54:28	oinkmaster[8947]:	
16:54:28	oinkmaster[8947]:	-> emerging-worm.rules
16:54:28	oinkmaster[8947]:	-> emerging-web_specific_apps.rules
16:54:28	oinkmaster[8947]:	-> emerging-web_server.rules
16:54:28	oinkmaster[8947]:	-> emerging-web_client.rules
16:54:28	oinkmaster[8947]:	-> emerging-voip.rules
16:54:28	oinkmaster[8947]:	-> emerging-user_agents.rules
16:54:28	oinkmaster[8947]:	-> emerging-tor.rules
16:54:28	oinkmaster[8947]:	-> emerging-threatview_CS_c2.rules
16:54:28	oinkmaster[8947]:	-> emerging-tftp.rules
16:54:28	oinkmaster[8947]:	-> emerging-telnet.rules
16:54:28	oinkmaster[8947]:	-> emerging-sql.rules
16:54:28	oinkmaster[8947]:	-> emerging-snmp.rules
16:54:28	oinkmaster[8947]:	-> emerging-smtp.rules
16:54:28	oinkmaster[8947]:	-> emerging-shellcode.rules
16:54:28	oinkmaster[8947]:	-> emerging-scan.rules
16:54:28	oinkmaster[8947]:	-> emerging-scada.rules
16:54:28	oinkmaster[8947]:	-> emerging-rpc.rules
16:54:28	oinkmaster[8947]:	-> emerging-pop3.rules
16:54:28	oinkmaster[8947]:	-> emerging-policy.rules
16:54:28	oinkmaster[8947]:	-> emerging-phishing.rules
16:54:28	oinkmaster[8947]:	-> emerging-p2p.rules
16:54:28	oinkmaster[8947]:	-> emerging-netbios.rules
16:54:28	oinkmaster[8947]:	-> emerging-mobile_malware.rules
16:54:28	oinkmaster[8947]:	-> emerging-misc.rules
16:54:28	oinkmaster[8947]:	-> emerging-malware.rules
16:54:28	oinkmaster[8947]:	-> emerging-ja3.rules
16:54:28	oinkmaster[8947]:	-> emerging-info.rules
16:54:28	oinkmaster[8947]:	-> emerging-inappropriate.rules
16:54:28	oinkmaster[8947]:	-> emerging-imap.rules
16:54:28	oinkmaster[8947]:	-> emerging-icmp_info.rules
16:54:28	oinkmaster[8947]:	-> emerging-icmp.rules
16:54:28	oinkmaster[8947]:	-> emerging-hunting.rules
16:54:28	oinkmaster[8947]:	-> emerging-games.rules
16:54:28	oinkmaster[8947]:	-> emerging-ftp.rules
16:54:28	oinkmaster[8947]:	-> emerging-exploit_kit.rules
16:54:28	oinkmaster[8947]:	-> emerging-exploit.rules
16:54:28	oinkmaster[8947]:	-> emerging-dshield.rules
16:54:28	oinkmaster[8947]:	-> emerging-drop.rules
16:54:28	oinkmaster[8947]:	-> emerging-dos.rules
16:54:28	oinkmaster[8947]:	-> emerging-dns.rules
16:54:28	oinkmaster[8947]:	-> emerging-deleted.rules
16:54:28	oinkmaster[8947]:	-> emerging-current_events.rules
16:54:28	oinkmaster[8947]:	-> emerging-compromised.rules
16:54:28	oinkmaster[8947]:	-> emerging-coinminer.rules
16:54:28	oinkmaster[8947]:	-> emerging-ciarmy.rules
16:54:28	oinkmaster[8947]:	-> emerging-chat.rules
16:54:28	oinkmaster[8947]:	-> emerging-botcc.rules
16:54:28	oinkmaster[8947]:	-> emerging-botcc.portgrouped.rules
16:54:28	oinkmaster[8947]:	-> emerging-attack_response.rules
16:54:28	oinkmaster[8947]:	-> emerging-adware_pup.rules
16:54:28	oinkmaster[8947]:	-> emerging-activex.rules
16:54:28	oinkmaster[8947]:	-> emerging-3coresec.rules
16:54:28	oinkmaster[8947]:	
16:54:28	oinkmaster[8947]:	[+] Added files (consider updating your snort.conf to include them if needed): [+]
16:54:28	oinkmaster[8947]:	
16:54:28	oinkmaster[8947]:	None.
16:54:28	oinkmaster[8947]:	[*] Non-rule line modifications: [*]
16:54:28	oinkmaster[8947]:	
16:54:28	oinkmaster[8947]:	None.
16:54:28	oinkmaster[8947]:	[*] Rules modifications: [*]
16:54:28	oinkmaster[8947]:	
16:54:28	oinkmaster[8947]:	[***] Results from Oinkmaster started 20220316 16:54:28 [***]
16:54:28	oinkmaster[8947]:	
16:54:28	oinkmaster[8947]:	Updating local rules files... done.
16:54:27	oinkmaster[8947]:	Comparing new files to the old ones... done.
16:54:27	oinkmaster[8947]:	Setting up rules structures... done.
16:54:15	oinkmaster[8947]:	Processing downloaded rules... disabled 0, enabled 0, modified 35833, total=35252
16:51:52	oinkmaster[8947]:	Setting up rules structures... done.
16:51:39	oinkmaster[8947]:	Copying rules from /tmp/ids_tmp/rules... 52 files copied.
16:51:39	oinkmaster[8947]:	Loading /var/ipfire/suricata/oinkmaster-modify-sids.conf
16:51:39	oinkmaster[8947]:	Loading /var/ipfire/suricata/oinkmaster-provider-includes.conf
16:51:39	oinkmaster[8947]:	Loading /var/ipfire/suricata/oinkmaster.conf
16:47:29	oinkmaster[8525]:	<ERROR> Downloading ruleset for provider: emerging.

    - perl script completes/finishes
    - UI continues reporting "The ruleset changes are being applied. Please wait until all operations have completed successfully..."

5. Ignore the spinning message, go back, select the "IPS Menu" and subsequently "customise ruleset" once again

    - the list of rules will appear with the last selection in place

6. Select a few more rules and click "apply"

   - the oinkmaster perl script is running
   - all rules disappear from under /var/lib/suricata
   - oinkmaster log fills with pages of ...

17:02:25	oinkmaster[9961]:	WARNING: duplicate SID in downloaded archive, SID=2035359, only keeping rule with highest 'rev'
17:02:25	oinkmaster[9961]:	
17:02:25	oinkmaster[9961]:	WARNING: duplicate SID in downloaded archive, SID=2028832, only keeping rule with highest 'rev'
17:02:25	oinkmaster[9961]:	
17:02:25	oinkmaster[9961]:	WARNING: duplicate SID in downloaded archive, SID=2033396, only keeping rule with highest 'rev'
17:02:25	oinkmaster[9961]:	
17:02:25	oinkmaster[9961]:	WARNING: duplicate SID in downloaded archive, SID=2033395, only keeping rule with highest 'rev'

   - after a while the perl script stops
   - the UI keeps showing "The ruleset changes are being applied. Please wait until all operations have completed successfully..."
  
7. Repeat step 5

   - Rules have disappeared and are not available
   - /var/lib/suricata is still empty
   - the /tmp folder contains ids_tmp/rules
   - there is no lock file under the /tmp folder


Expected
================
- rules are available for selection to be modified
- Spinning message disappears once process completes
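
Added example (not part of the original report and not IPFire code): a small triage script for oinkmaster log lines in the layout quoted above. It groups lines by PID and flags runs that logged a download error or duplicate SIDs, or never logged "Updating local rules files... done.". The sample lines are constructed from the messages in this report; the function names and the "unhealthy run" heuristic are assumptions.

```python
import re

# Constructed sample in the layout shown in the report:
# time <tab> oinkmaster[pid]: <tab> message, newest line first.
SAMPLE_LOG = "\n".join([
    "17:02:25\toinkmaster[9961]:\tWARNING: duplicate SID in downloaded archive, "
    "SID=2035359, only keeping rule with highest 'rev'",
    "17:02:25\toinkmaster[9961]:\t",
    "17:02:25\toinkmaster[9961]:\tWARNING: duplicate SID in downloaded archive, "
    "SID=2028832, only keeping rule with highest 'rev'",
    "16:54:28\toinkmaster[8947]:\tUpdating local rules files... done.",
    "16:51:39\toinkmaster[8947]:\tCopying rules from /tmp/ids_tmp/rules... 52 files copied.",
    "16:47:29\toinkmaster[8525]:\t<ERROR> Downloading ruleset for provider: emerging.",
])

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+oinkmaster\[(\d+)\]:\s*(.*)$")
DUP_RE = re.compile(r"duplicate SID in downloaded archive, SID=(\d+)")
ERR_RE = re.compile(r"<ERROR> Downloading ruleset for provider: (\S+?)\.?$")
DONE_MSG = "Updating local rules files... done."


def summarize(log_text):
    """Group oinkmaster log lines by PID and record what each run reported."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an oinkmaster line in the expected layout
        _, pid, msg = m.groups()
        run = runs.setdefault(
            pid, {"dup_sids": set(), "failed_providers": [], "completed": False})
        dup, err = DUP_RE.search(msg), ERR_RE.search(msg)
        if dup:
            run["dup_sids"].add(int(dup.group(1)))
        elif err:
            run["failed_providers"].append(err.group(1))
        elif msg.startswith(DONE_MSG):
            run["completed"] = True
    return runs


def suspicious_runs(runs):
    """PIDs whose run logged an error or duplicate SIDs, or never finished."""
    return sorted(pid for pid, r in runs.items()
                  if r["dup_sids"] or r["failed_providers"] or not r["completed"])
```

A flagged run is a prompt to check that /var/lib/suricata still contains rule files, since an IPS with an empty rules directory inspects traffic against nothing.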
Comment 1 velifire 2022-04-01 09:31:50 UTC
I cannot replicate this problem anymore under 166

not sure what has changed
Comment 2 Michael Tremer 2022-04-04 10:07:18 UTC
(In reply to velifire from comment #1)
> I cannot replicate this problem anymore under 166
> 
> not sure what has changed

Thank you for letting us know.