[SOLVED] Suricata: can't enable PT Research ruleset

Started by Fright, August 26, 2020, 12:05:45 PM

August 26, 2020, 12:05:45 PM Last Edit: August 27, 2020, 12:27:31 PM by Fright
Hi!
Trying to add and enable PT Research ruleset.
- Plugin (IDS PT Research ruleset) installs OK
- Tried enabling it in IDS and pressing "Download & Update Rules"
Result:
"Error reconfiguring IDS
Error(1)"
With no messages in the Suricata log.
With no errors in the general/backend logs.
In the general log:
/rule-updater.py[16117]   download completed for https://github.com/ptresearch/AttackDetection/raw/master/pt.rules.tar.gz
In the backend log:
configd.py[46270]   [c0717ac5-5c24-4734-91c5-65e3e6105448] returned exit status 1
configd.py[46270]   [c0717ac5-5c24-4734-91c5-65e3e6105448] update and reload intrusion detection rules

After that:
Non-Free/PT Research ruleset shows as "Enabled" in the ruleset list, BUT in the Rules tab not a single rule is displayed (nothing at all),
and the Chrome dev console throws the error "Cannot read property 'length' of undefined" in the renderRows(rows) function in jquery.bootgrid.js (rows is undefined).

What am I doing wrong?
Can someone reproduce the problem?
Thanks!

I have the same issue. So far I've just disabled it.

Best, Bernd
IPU451, 16GB RAM, 120GB SSD:
OPNsense 22.7.11_1-amd64
FreeBSD 13.1-RELEASE-p5
OpenSSL 1.1.1s 1 Nov 2022

IPU441, 8GB RAM, 120GB SSD:
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023


Tried to update and install the rules manually.
Issue in installRules.py / rulecache.py:
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/rule-updater.py
root@OPNsense:~ # /usr/local/opnsense/scripts/suricata/installRules.py
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/installRules.py", line 56, in <module>
    for rule_info_record in RuleCache.list_rules(filename=filename):
  File "/usr/local/opnsense/scripts/suricata/lib/rulecache.py", line 110, in list_rules
    record['metadata'][parts[0]] = parts[1]
IndexError: list index out of range

keep digging


Thanks to AdSchellevis!
Parsing error fixed:
https://github.com/opnsense/core/commit/f082239c5ca5f28901fa7dc6a9d104648616043e

Some metadata is lost in the rule detail view in the GUI due to the invalid metadata format in the PT Research rules, but it now updates without errors.
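The traceback above and this last note both come down to the same thing: a `metadata:` entry in a rule that has a key but no value, which a parser assuming "key value" pairs turns into an IndexError on `parts[1]`. The following is an added example, not OPNsense's rulecache.py and not the change in the linked commit: a small Python parser for the Suricata rule options that matters here. `naive_parse_metadata` reproduces the crash from the traceback; `parse_metadata` keeps key-only entries (with an empty value) so the ruleset still loads, and `parse_rule` records which keys were malformed so the GUI or an operator can see what was dropped. The sample rules and sids are constructed for the example and are not PT Research rules; the option splitter is deliberately simple (it splits on `;` and does not handle escaped semicolons inside `msg:` or `content:`).

```python
from typing import Dict, List, Optional

# Constructed sample rules for this example (not from the PT Research ruleset).
# The second rule carries a metadata entry with a key but no value, the shape
# that makes a "key value" parser fail with IndexError.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE valid metadata"; flow:established,to_server; sid:1000001; rev:1; metadata:created_at 2020_08_26, updated_at 2020_08_27;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE key-only metadata"; sid:1000002; rev:1; metadata:created_at 2020_08_26, orphan_key;)
# comment lines are skipped by the loader
alert http any any -> any any (msg:"EXAMPLE no metadata"; sid:1000003; rev:2;)
"""


def naive_parse_metadata(raw: str) -> Dict[str, str]:
    """The fragile version: assumes every comma-separated entry is 'key value'.
    A key-only entry yields a one-element list, so parts[1] raises IndexError,
    which is exactly the failure shown in the installRules.py traceback."""
    result: Dict[str, str] = {}
    for item in raw.split(','):
        parts = item.strip().split(' ', 1)
        result[parts[0]] = parts[1]  # IndexError when the entry has no value
    return result


def parse_metadata(raw: str) -> Dict[str, str]:
    """Tolerant version: entries are comma separated, key and value separated
    by whitespace. A key without a value is kept with an empty string instead
    of aborting the whole rule import."""
    result: Dict[str, str] = {}
    for item in raw.split(','):
        item = item.strip()
        if not item:
            continue
        parts = item.split(None, 1)  # split on the first run of whitespace
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ''
        result[key] = value
    return result


def parse_rule(line: str) -> Optional[Dict]:
    """Extract sid, rev, msg and metadata from one rule line.
    Returns None for blank and comment lines. 'metadata_issues' lists keys
    whose value was missing, so the caller can report what was lost."""
    line = line.strip()
    if not line or line.startswith('#'):
        return None
    start, end = line.find('('), line.rfind(')')
    if start < 0 or end < start:
        return None
    record: Dict = {'sid': None, 'rev': None, 'msg': '',
                    'metadata': {}, 'metadata_issues': []}
    # Simplified option splitter: fine for these samples, but a real rule
    # parser must respect escaped ';' inside quoted option values.
    for opt in line[start + 1:end].split(';'):
        opt = opt.strip()
        if not opt or ':' not in opt:
            continue
        name, value = opt.split(':', 1)
        name, value = name.strip(), value.strip()
        if name == 'sid':
            record['sid'] = int(value)
        elif name == 'rev':
            record['rev'] = int(value)
        elif name == 'msg':
            record['msg'] = value.strip('"')
        elif name == 'metadata':
            record['metadata'] = parse_metadata(value)
            record['metadata_issues'] = [k for k, v in record['metadata'].items() if v == '']
    return record


def list_rules(text: str) -> List[Dict]:
    """Parse a whole rules file; one malformed metadata entry no longer
    stops the remaining rules from being listed."""
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r is not None]


if __name__ == '__main__':
    for rule in list_rules(SAMPLE_RULES):
        flag = f"  (missing values for: {', '.join(rule['metadata_issues'])})" if rule['metadata_issues'] else ''
        print(rule['sid'], rule['msg'], rule['metadata'], flag)
```

Running the block lists all three constructed rules, with the second one flagged for its `orphan_key` entry instead of the whole import aborting. The design point is the one the thread lands on: tolerate the malformed entry, keep the rule, and surface what was dropped rather than silently losing it or failing the reload.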