Topic: [SOLVED] suricata: cant enable PT Research ruleset (Read 2968 times)
Fright (Hero Member, Posts: 1777, Karma: 164)
[SOLVED] suricata: cant enable PT Research ruleset
« on: August 26, 2020, 12:05:45 pm »
Hi!
Trying to add and enable PT Research ruleset.
-Plugin (IDS PT Research ruleset) install ok
-Try enable it in IDS and press "Download & Update Rules"
Result:
"Error reconfiguring IDS
Error(1)"
With no messages in suricata log.
With no errors in general\backend logs.
in general log:
/rule-updater.py[16117] download completed for https://github.com/ptresearch/AttackDetection/raw/master/pt.rules.tar.gz
in backend log:
configd.py[46270] [c0717ac5-5c24-4734-91c5-65e3e6105448] returned exit status 1
configd.py[46270] [c0717ac5-5c24-4734-91c5-65e3e6105448] update and reload intrusion detection rules
after that
Non-Free/PT Research ruleset is "Enabled" in ruleset BUT in Rules tab not a single rule displayed (nothing at all).
and chrome dev console throws error "Cannot read property 'length' of undefined" in renderRows(rows) function in jquery.bootgrid.js (rows is undefined).
what am I doing wrong?
can someone reproduce problem?
Thanks!
« Last Edit: August 27, 2020, 12:27:31 pm by Fright »
Logged
lebernd (Jr. Member, Posts: 85, Karma: 3)
Re: suricata: cant enable PT Research ruleset
« Reply #1 on: August 26, 2020, 01:25:04 pm »
I have the same issue. So far I've just disabled it.
Best, Bernd
Logged
IPU451, 16GB RAM, 120GB SSD:
OPNsense 22.7.11_1-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022
IPU441, 8GB RAM, 120GB SSD:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: suricata: cant enable PT Research ruleset
« Reply #2 on: August 26, 2020, 02:22:21 pm »
Thanks!
will try to look in rule-updater.py for more info
Logged
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: suricata: cant enable PT Research ruleset
« Reply #3 on: August 26, 2020, 03:44:25 pm »
try to update and install rules manually.
issue in installRules.py\rulecache.py:
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/rule-updater.py
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/installRules.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/installRules.py", line 56, in <module>
    for rule_info_record in RuleCache.list_rules(filename=filename):
  File "/usr/local/opnsense/scripts/suricata/lib/rulecache.py", line 110, in list_rules
    record['metadata'][parts[0]] = parts[1]
IndexError: list index out of range
keep digging
Logged
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: suricata: cant enable PT Research ruleset
« Reply #4 on: August 26, 2020, 05:26:03 pm »
just added ticket for metadata parsing issue in rulecache.py
https://github.com/opnsense/plugins/issues/2005
Logged
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: suricata: cant enable PT Research ruleset
« Reply #5 on: August 27, 2020, 12:27:02 pm »
Thanks to AdSchellevis!
parsing error fixed:
https://github.com/opnsense/core/commit/f082239c5ca5f28901fa7dc6a9d104648616043e
lose some metadata on rule detail view in GUI due to invalid metadata format in PTresearch rules but updates without errors
Logged
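The failure in the traceback from Reply #3 and the outcome described in Reply #5 (malformed metadata is dropped, the update completes), as an added example that is not part of the thread and is not the OPNsense code. The sample rules, the regex, the split logic and the function names are constructed assumptions; only the `parts[0]`/`parts[1]` assignment is modeled on the traceback.

```python
import re

# Constructed sample rules (not taken from the PT Research ruleset): the second
# rule carries a metadata entry that is a bare key with no value.
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"constructed A"; sid:1000001; rev:1; '
    'metadata: created_at 2020_08_26, affected_product Web_Server;)',
    'alert tcp any any -> any 80 (msg:"constructed B"; sid:1000002; rev:1; '
    'metadata: created_at 2020_08_26, experimental;)',
]

# Assumed extraction of the metadata option body; a real rule parser must also
# handle quoting and escaped semicolons in other options.
METADATA_RE = re.compile(r'metadata\s*:\s*([^;]*);')


def parse_metadata_strict(rule):
    """Mirrors the failing pattern: every entry is assumed to be 'key value'."""
    record = {'metadata': {}}
    for body in METADATA_RE.findall(rule):
        for entry in body.split(','):
            parts = entry.split()
            record['metadata'][parts[0]] = parts[1]  # IndexError on a bare key
    return record['metadata']


def parse_metadata_tolerant(rule):
    """Returns (metadata, skipped): malformed entries are reported, not fatal."""
    metadata, skipped = {}, []
    for body in METADATA_RE.findall(rule):
        for entry in body.split(','):
            parts = entry.strip().split(None, 1)
            if len(parts) == 2:
                metadata[parts[0]] = parts[1].strip()
            elif parts:  # bare key: keep the rule, drop only this entry
                skipped.append(parts[0])
    return metadata, skipped


if __name__ == '__main__':
    for rule in SAMPLE_RULES:
        try:
            parse_metadata_strict(rule)
            strict = 'strict: ok'
        except IndexError as exc:
            strict = 'strict: IndexError (%s)' % exc
        print(strict, '| tolerant:', parse_metadata_tolerant(rule))
```

Returning the skipped keys lets a rule installer log which entries were dropped, so a ruleset that loads with missing metadata is visible rather than silent.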