Regarding IDS Rules not Downloading and Updating

Started by raskin.ece, August 07, 2021, 08:53:08 AM

August 07, 2021, 08:53:08 AM Last Edit: August 07, 2021, 09:04:18 AM by raskin.ece
Hi,

I am using the OPNsense Intrusion Detection functionality on OPNsense 21.1 and am unable to Download and Update the rules, and then tried to update to 21.7 and the result is still the same. Only 4 IDS rules are possible to download and the rest are not downloading. Need to know whether it is a repository issue or any configuration issue or any known bug, and also if there is any troubleshooting method available to identify the issue, kindly let me know. A couple of methods have already been tried and here is the summary.

* DNS resolution from Firewall is working fine
* Tried to upgrade to latest package and latest firmware version
* Restarted Multiple Times
* Disabled all kind of offloading
* Tried different repository
* Enabled all rules before downloading


hi
any clue in the general log after "Download&Update rules"?

problems here as well -- after upgrade to 21.7, I wanted to try IDS again.

rulesets are apparently downloaded, but the "rules" tab shows no rules, suricata throws error messages about being unable to import rules and the log shows

2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /usr/local/etc/suricata/opnsense.rules/suricata.rules

I would delete the following two directories (via SSH access):

/usr/local/etc/suricata/opnsense.rules
/usr/local/etc/suricata/rules


Then reboot and download again.

Quote from: ollibraun on August 08, 2021, 02:17:26 PM
I would delete the following two directories (via SSH access):

/usr/local/etc/suricata/opnsense.rules
/usr/local/etc/suricata/rules


Then reboot and download again.
Thank you -- downloading works (same as before) but the IDS -> Administration -> Rules tab still shows
No results found!

and enabling Suricata shows GUI error "Error loading IDS rules" (or something like that, copy&pasting the error did not work)

Log does not help:
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb3': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb2': pkts: 0, drop: 0 (nan%), invalid chksum: 0
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for 'igb1': pkts: 22674, drop: 0 (0.00%), invalid chksum: 227
2021-08-08T13:46:08 suricata[49327] [100545] <Notice> -- Signal Received. Stopping engine.

@abulafia hi. can you try with only one ruleset enabled (say OPNsense-App-detect/mail)?

Hi All,

There is no such clue in the general logs except the one below. Can anyone help with any CLI commands to identify the issue?

SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!

Moreover, has anyone had any success deleting these directories?

/usr/local/etc/suricata/opnsense.rules
/usr/local/etc/suricata/rules

Any right direction would be very helpful

Tried deleting the 2 directories and downloaded the IPS rules again, but no luck.

/usr/local/etc/suricata/opnsense.rules
/usr/local/etc/suricata/rules

Not sure whether it has any resolution or not?

although it shouldn't be necessary, you can try this:
- stop suricata
- clear the content of /usr/local/etc/suricata/opnsense.rules and /usr/local/etc/suricata/rules
- run
/usr/local/opnsense/scripts/suricata/rule-updater.py
/usr/local/opnsense/scripts/suricata/installRules.py
- start suricata
share errors if any, please
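As an added example (not code from anyone in this thread, nor from the OPNsense project): a small sh script that checks whether the rules file Suricata complains about actually contains any active signatures, scans log lines for the two error codes quoted above, and wraps the rebuild sequence from the last post in a function. The `configctl ids stop/start` action names and the use of `suricata -T` for a config test are assumptions; the sample rules and log lines are constructed.

```shell
#!/bin/sh
# Paths named in the thread
RULES_DIR=/usr/local/etc/suricata/opnsense.rules
RULES_FILE="$RULES_DIR/suricata.rules"

# Count active signatures (alert/drop/pass/reject lines) in a rules file.
# A file that exists but has 0 such lines is exactly what produces
# "1 rule files specified, but no rule was loaded at all!".
count_active_rules() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cE '^[[:space:]]*(alert|drop|pass|reject)[[:space:]]' "$1" || true
}

# Read suricata log lines on stdin and print the distinct no-rules error codes.
no_rules_errors() {
    grep -oE 'SC_ERR_NO_RULES(_LOADED)?\([0-9]+\)' | sort -u
}

# Rebuild sequence from the post above, wrapped for interactive use only.
# Assumption: configctl exposes "ids stop" / "ids start"; verify on your box.
rebuild_rules() {
    configctl ids stop
    rm -f "$RULES_DIR"/* /usr/local/etc/suricata/rules/*
    /usr/local/opnsense/scripts/suricata/rule-updater.py
    /usr/local/opnsense/scripts/suricata/installRules.py
    # Validate config and rule files without starting packet capture
    suricata -T -c /usr/local/etc/suricata/suricata.yaml
    configctl ids start
}

# Constructed demo data (not from a real box)
SAMPLE_LOG='2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
2021-08-08T13:27:54 suricata[49327] [100545] <Warning> -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern
2021-08-08T13:46:09 suricata[49327] [100545] <Notice> -- Stats for igb1: pkts: 22674'
SAMPLE_RULES=$(mktemp)
printf '# comment only\n\nalert tcp any any -> any 80 (msg:"demo"; sid:1;)\ndrop ip any any -> any any (sid:2;)\n' > "$SAMPLE_RULES"

echo "active rules in sample file: $(count_active_rules "$SAMPLE_RULES")"
echo "active rules in $RULES_FILE: $(count_active_rules "$RULES_FILE")"
echo "error codes seen in sample log:"
printf '%s\n' "$SAMPLE_LOG" | no_rules_errors
rm -f "$SAMPLE_RULES"
```

Run it on the firewall after "Download & Update rules": a count of 0 for the real rules file confirms the download produced an empty file rather than a load-time failure, which is the distinction the log warnings alone do not make.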