Bug 12948 - CU170 Customizing of Snort/VRT IDS rulesets broken
Summary: CU170 Customizing of Snort/VRT IDS rulesets broken
Status: CLOSED FIXED
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: unspecified Unspecified
Importance: - Unknown - Minor Usability
Assignee: Assigned to nobody - feel free to grab it and work on it
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-05 21:30 UTC by ChrisK
Modified: 2023-04-18 16:36 UTC
CC: 3 users

See Also:


Attachments
- empty ruleset box (8.62 KB, image/png), 2022-10-05 21:30 UTC, ChrisK
- screenshot of greyed out selector (13.38 KB, image/png), 2023-01-12 06:48 UTC, ChrisK

Description ChrisK 2022-10-05 21:30:56 UTC
Created attachment 1102
empty ruleset box

With the "Snort/VRT GPLv2 Community Rules", the button "Customize ruleset" loads a page with a completely empty box (see attachment).

Tried on upgraded system (CU 168 to 170) and fresh installed 170.
Comment 1 Adolf Belka 2022-10-05 21:49:21 UTC
Effect confirmed on my IPFire system. This is running Emerging Threats and Abuse.ch and after adding Snort Community selecting the ruleset to customise only had the rules from Emerging Threats and Abuse.ch available. There were no entries for Snort Community, although it was in the table of selected providers.
Comment 2 Adolf Belka 2022-10-06 08:04:31 UTC
It has been reported in the forum that this issue was already in place in CU169

https://community.ipfire.org/t/core-170-customizing-of-ids-rulesets-broken/8709
Comment 3 Adolf Belka 2022-10-06 20:34:09 UTC
Did some testing back through earlier IPFire Core Updates.

The Community Rules were shown in CU164 but were no longer shown in CU165 onwards.
Comment 4 ChrisK 2023-01-11 07:12:36 UTC
Are there any plans when this will be fixed?

It's a pity to be forced to disable IPS completely when there's just one or two problematic rules and one just can't disable them separately any more.

@Adolf Belka: If it's broken since CU165, did you yet find any commit(s) that are responsible for the regression?
Comment 5 Adolf Belka 2023-01-11 09:57:51 UTC
(In reply to ChrisK from comment #4)
> Are there any plans when this will be fixed?
>
There are 439 open bugs in IPFire Bugzilla and there are around 7 developers' names that come up regularly in the "assigned to" field.
The developer who would normally deal with this has other personal commitments which means they are not very active currently.

> It's a pity to be forced to disable IPS completely when there's just one or
> two problematic rules and one just can't disable them separately any more.
> 
When I tested it I ended up with the rulesets visible from Emerging Threats and Abuse.ch but nothing from Snort Community although it was listed in the Providers table on the top level IPS WUI page.

@ChrisK, are you able to see the rulesets from any of the other providers if you select them?
We need to check if my confirmation of the problem is actually the same as what you are experiencing. I understood that you only could not see any rulesets from Snort Community, but all the other non-subscription rulesets, such as Emerging Threats etc., were visible and could be selected.
Is this the case or not?

> @Adolf Belka: If it's broken sind CU165, did you yet find any commit(s) that
> are responsible for the regression?
There were definitely commits related to IPS code in CU165 but I am definitely not knowledgeable enough in the coding to be able to figure out if anything might be causing a problem.
Comment 6 ChrisK 2023-01-12 06:48:16 UTC
Created attachment 1132
screenshot of greyed out selector
Comment 7 ChrisK 2023-01-12 06:50:02 UTC
Hi Adolf,

thanks for your reply.
I'd like to test what you wrote, unfortunately another(?) bug prevents this (see screenshot "greyed out"). I cannot change to anything other than SNORT.
Maybe this is connected to the initial problem?
The screenshot is from my staging devices running CU 172.
Comment 8 ChrisK 2023-01-12 07:04:40 UTC
Forget my last comment, it was before my first morning coffee. It seems I did not add more providers than SNORT on my staging device, hence the unselectable selector ;-)

Yes, if I add other providers than the default SNORT, one can tweak the ruleset-settings. So I can confirm that the bug must be somehow SNORT-related.
Comment 9 Adolf Belka 2023-01-12 13:14:45 UTC
Thanks for the feedback @ChrisK

So my result is the same as yours.

I have just tested out all the providers that I am able to. This excludes the providers where you have to pay to get the rulesets.

I added the following providers and in each case an entry was visible in the Customize Ruleset section.

etnetera aggressive blacklist rules
OISF Traffic ID rules
PT Attack Detection Team rules
Talos VRT rules - registered users (I registered for them).
Travis Green - Hunting rules

Snort Community rules is the only one that ends up not showing anything in the Customize Ruleset table. So there is something very specific to that ruleset provider.

The Talos VRT rules for registered users requires an Oinkcode to be provided and this detection worked indicating that the problem is not with Snort/Talos generically.

When I can get some more time I will try and see if I can have a look through the IPS code, specifically related to the Snort Community provider, to see if I can spot anything very obvious.
Comment 10 Stefan Schantl 2023-03-07 12:38:50 UTC
Fix has been sent to the development mailing list:

https://patchwork.ipfire.org/project/ipfire/patch/20230307123809.8181-1-stefan.schantl@ipfire.org/
Comment 13 Adolf Belka 2023-03-21 21:49:48 UTC
Tested CU174 Testing on my vm testbed and can confirm that the SNORT/VRT Community Rules can now be selected.

This confirms that the fix has been effective.
Comment 14 ChrisK 2023-03-22 06:38:16 UTC
+1
Customizing rules for SNORT finally works again in CU174 here for me.