OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Fright on August 26, 2020, 12:05:45 pm

Title: [SOLVED] suricata: can't enable PT Research ruleset
Post by: Fright on August 26, 2020, 12:05:45 pm
Hi!
Trying to add and enable the PT Research ruleset.
-Plugin (IDS PT Research ruleset) installs OK
-Try to enable it in IDS and press "Download & Update Rules"
Result:
"Error reconfiguring IDS
Error(1)"
With no messages in the suricata log.
With no errors in the general/backend logs.
In the general log:
/rule-updater.py[16117]   download completed for https://github.com/ptresearch/AttackDetection/raw/master/pt.rules.tar.gz
In the backend log:
configd.py[46270]   [c0717ac5-5c24-4734-91c5-65e3e6105448] returned exit status 1
configd.py[46270]   [c0717ac5-5c24-4734-91c5-65e3e6105448] update and reload intrusion detection rules

After that:
Non-Free/PT Research ruleset is "Enabled" in the ruleset list BUT in the Rules tab not a single rule is displayed (nothing at all).
And the Chrome dev console throws the error "Cannot read property 'length' of undefined" in the renderRows(rows) function in jquery.bootgrid.js (rows is undefined).

What am I doing wrong?
Can someone reproduce the problem?
Thanks!
Title: Re: suricata: can't enable PT Research ruleset
Post by: lebernd on August 26, 2020, 01:25:04 pm
I have the same issue. So far I‘ve just disabled it.

Best, Bernd
Title: Re: suricata: can't enable PT Research ruleset
Post by: Fright on August 26, 2020, 02:22:21 pm
Thanks!
Will try to look in rule-updater.py for more info.
Title: Re: suricata: can't enable PT Research ruleset
Post by: Fright on August 26, 2020, 03:44:25 pm
Tried to update and install the rules manually.
Issue in installRules.py/rulecache.py:
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/rule-updater.py
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/installRules.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/installRules.py", line 56, in <module>
    for rule_info_record in RuleCache.list_rules(filename=filename):
  File "/usr/local/opnsense/scripts/suricata/lib/rulecache.py", line 110, in list_rules
    record['metadata'][parts[0]] = parts[1]
IndexError: list index out of range

Keep digging.
Title: Re: suricata: can't enable PT Research ruleset
Post by: Fright on August 26, 2020, 05:26:03 pm
Just added a ticket for the metadata parsing issue in rulecache.py:
https://github.com/opnsense/plugins/issues/2005
Title: Re: suricata: can't enable PT Research ruleset
Post by: Fright on August 27, 2020, 12:27:02 pm
Thanks to AdSchellevis!
Parsing error fixed:
https://github.com/opnsense/core/commit/f082239c5ca5f28901fa7dc6a9d104648616043e

Lose some metadata on the rule detail view in the GUI due to the invalid metadata format in the PT Research rules, but it updates without errors.
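The traceback earlier in this thread shows the general failure mode: a rule loader that splits each `metadata:` entry on a space and unconditionally reads `parts[1]` raises IndexError as soon as one rule ships an entry with a key but no value, and that single malformed rule takes the whole ruleset update down. The example below is added here for illustration; it is not OPNsense's rulecache.py nor the fix linked above. It contrasts a naive parser with a tolerant one that records a warning for the bad entry and keeps the rest of the rule's metadata, which matches the behaviour described in the last post (some metadata lost, no update error). The sample rules, their sids and their metadata keys are constructed for this example; the regexes assume the `metadata:` option is terminated by `;` and does not itself contain a semicolon.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rules (not PT Research rules): a well-formed one, one
# with a malformed "key without value" entry, and one with no metadata.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"EXAMPLE well-formed"; sid:1000001; rev:1; '
    'metadata:created_at 2020_08_26, attack_target Server;)',
    'alert tcp any any -> any 443 (msg:"EXAMPLE malformed"; sid:1000002; rev:1; '
    'metadata:created_at 2020_08_26, tag;)',
    'alert udp any any -> any 53 (msg:"EXAMPLE no metadata"; sid:1000003; rev:1;)',
]

# Assumption: the metadata option ends at the first ';' and contains none itself.
METADATA_RE = re.compile(r'\bmetadata:\s*([^;]*);')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def naive_metadata(rule: str) -> Dict[str, str]:
    """The fragile pattern: assumes every entry is exactly 'key value'.
    An entry such as 'tag' yields a single-element list and parts[1] raises
    IndexError, aborting the whole load."""
    result: Dict[str, str] = {}
    match = METADATA_RE.search(rule)
    if match:
        for entry in match.group(1).split(','):
            parts = entry.strip().split(' ')
            result[parts[0]] = parts[1]
    return result


def parse_rule_metadata(rule: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Tolerant parser: returns (metadata, warnings).

    Suricata allows a key to repeat, so values are collected in lists.
    Entries without a value are skipped and reported instead of raising."""
    metadata: Dict[str, List[str]] = {}
    warnings: List[str] = []
    match = METADATA_RE.search(rule)
    if not match:
        return metadata, warnings
    sid_match = SID_RE.search(rule)
    sid = sid_match.group(1) if sid_match else '?'
    for raw_entry in match.group(1).split(','):
        entry = raw_entry.strip()
        if not entry:
            continue  # tolerate a trailing or doubled comma
        parts = entry.split(None, 1)  # split on any whitespace, at most once
        if len(parts) != 2:
            warnings.append(f'sid {sid}: metadata entry {entry!r} has no value, skipped')
            continue
        key, value = parts[0], parts[1].strip()
        metadata.setdefault(key, []).append(value)
    return metadata, warnings


def load_rules(rules: List[str]) -> Tuple[Dict[int, Dict[str, List[str]]], List[str]]:
    """Parse metadata for every rule that carries a sid; one bad rule no
    longer prevents the others from being loaded."""
    by_sid: Dict[int, Dict[str, List[str]]] = {}
    all_warnings: List[str] = []
    for rule in rules:
        sid_match = SID_RE.search(rule)
        if not sid_match:
            continue
        meta, warnings = parse_rule_metadata(rule)
        by_sid[int(sid_match.group(1))] = meta
        all_warnings.extend(warnings)
    return by_sid, all_warnings


if __name__ == '__main__':
    loaded, warns = load_rules(SAMPLE_RULES)
    for sid, meta in loaded.items():
        print(sid, meta)
    for line in warns:
        print('WARNING:', line)
```

The warning list is the part worth surfacing in a log: it tells the operator which upstream rules have a broken `metadata:` option without turning that into a failed "update and reload" job.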