Netgate Discussion Forum

    Unable to load Rules page if no Category is selected.

    IDS/IPS
    15 Posts 2 Posters 1.2k Views
    • bmeeksB
      bmeeks
      last edited by

      This is a bug, but I am not sure exactly why. Will need to dig around in the PHP code a bit to see what's up.

      I can easily reproduce the issue.

      • M
        michmoor LAYER 8 Rebel Alliance @bmeeks
        last edited by

        @bmeeks
        You want me to submit a redmine for tracking?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        • bmeeksB
          bmeeks @michmoor
          last edited by

          @michmoor said in Unable to load Rules page if no Category is selected.:

          @bmeeks
          You want me to submit a redmine for tracking?

          Please. The Netgate crew likes to see a Redmine ticket attached to each submitted pull request.

          • M
            michmoor LAYER 8 Rebel Alliance @bmeeks
            last edited by

            @bmeeks said in Unable to load Rules page if no Category is selected.:


            No worries. Issue #15312 created


            • bmeeksB
              bmeeks @michmoor
              last edited by

              @michmoor said in Unable to load Rules page if no Category is selected.:

              @bmeeks said in Unable to load Rules page if no Category is selected.:


              No worries. Issue #15312 created

              The fix turned out to be very easy. I've posted a pull request for the Netgate team to review and merge here: https://github.com/pfsense/FreeBSD-ports/pull/1349.

              Once they do that, a new 7.0.3_1 Suricata package version will appear in the Package Manager.

              • M
                michmoor LAYER 8 Rebel Alliance @bmeeks
                last edited by

                @bmeeks
                nice work. Thank you sir


                • M
                  michmoor LAYER 8 Rebel Alliance @michmoor
                  last edited by

                  @bmeeks
                  Tested and working wonderfully.

                  Another question :)
                  I understand that a pkg update is re-installing the package essentially, but certain parts of the config aren't sticking. For example, the categories I select are still selected, but so are the 'default' ones as well. I have to uncheck each update.

                  c6f0377a-3bdf-4d84-9807-74ce03649b77-image.png


                  • M
                    michmoor LAYER 8 Rebel Alliance @michmoor
                    last edited by

                    @bmeeks

                    Found another issue :(

                    When your custom rule does fire off an alert and you go to review the alert and view the signature text, there is an empty box..

                    Example Rule:
                    28e1dc6c-d7af-4275-8f03-1d7ccbe5f57b-image.png

                    Example Alert:
                    482c4186-ae0a-4324-815c-6b9dda4cb84b-image.png


                    • bmeeksB
                      bmeeks @michmoor
                      last edited by

                      @michmoor said in Unable to load Rules page if no Category is selected.:

                      but so are the 'default' ones as well. I have to uncheck each update.

                      This is normal. There is a package of default rules distributed with the Suricata binary, and those get installed (and sometimes updated) with each release. To be sure the user has them available, they are reinstalled and enabled as part of each update.

                      If you want changes to the default rules to "stick", you can put their category file names in a disablesid.conf file and use the SID MGMT feature to prevent them from loading.

                      • bmeeksB
                        bmeeks @michmoor
                        last edited by bmeeks

                        @michmoor said in Unable to load Rules page if no Category is selected.:

                        @bmeeks

                        Found another issue :(

                        When your custom rule does fire off an alert and you go to review the alert and view the signature text, there is an empty box..

                        Example Rule:
                        28e1dc6c-d7af-4275-8f03-1d7ccbe5f57b-image.png

                        Example Alert:
                        482c4186-ae0a-4324-815c-6b9dda4cb84b-image.png

                        Your custom rule is missing the GID (generator ID). Provide that in the rule text and see if the lookup succeeds then. All the rules are loaded into an array where the GID:SID values are the multidimensional array keys. The default GID is "1".

                        • M
                          michmoor LAYER 8 Rebel Alliance @bmeeks
                          last edited by

                          @bmeeks
                          The disabled SID worked, thank you for that.

                          Regarding the custom rule alert issue above. Suricata is not parsing the rule when I add GID

                          [130204 - Suricata-Main] 2024-03-06 12:48:30 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; sid 1:1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
                          
                          


                          • bmeeksB
                            bmeeks @michmoor
                            last edited by bmeeks

                            @michmoor said in Unable to load Rules page if no Category is selected.:

                            Regarding the custom rule alert issue above. Suricata is not parsing the rule when I add GID

                            That's not the correct syntax for a GID. It is a separate field like this:

                            alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)
                            

                            GID comes from Snort and is required there as it designates which rules are coming from preprocessors and which are general text rules. GID 1 is the general text rule generator ID.

                            Suricata does not explicitly require a GID because it does not have preprocessors as does Snort. But it will digest GID in the rule signature. Because the logic for in-memory rule array management is the same in the Suricata and Snort GUI code, the GID is necessary on the Suricata side.

                            I did take a look into the code last night to check, and the Suricata GUI code should be providing a default GID of "1" when one is not explicitly present in a rule. So, it will be interesting to see if the behavior changes when a GID is explicitly added to your custom rule.

                            • M
                              michmoor LAYER 8 Rebel Alliance @bmeeks
                              last edited by

                              @bmeeks
                              I've had that syntax as well but had the same error.
                              Using your syntax

                              [130204 - Suricata-Main] 2024-03-06 12:55:15 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
                              
                              


                              • bmeeksB
                                bmeeks @michmoor
                                last edited by

                                @michmoor said in Unable to load Rules page if no Category is selected.:

                                @bmeeks
                                Ive had that syntax as well but had the same error.
                                Using your syntax

                                [130204 - Suricata-Main] 2024-03-06 12:55:15 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
                                
                                

                                Interesting, I thought from past experience Suricata would take the GID and really just skip it. Don't recall it complaining about it, but then when I wrote all this code it was way back when Suricata was at the version 2.x stage from upstream.

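As an added example (my own code, not from this thread and not the pfSense Suricata package's PHP), here is a small Python parser for the option section of a Suricata rule. It does two things the thread talks about: it keys every parsed rule by its (GID, SID) pair with GID defaulting to 1, so an alert can be resolved back to its signature text even when the rule carries no explicit gid, and it rejects the two option strings quoted in the error messages above. Suricata options are `keyword:value;` pairs separated by semicolons, so `sid 1:1000002;` has a space inside the keyword and `gid: 1 sid: 1000002;` has no `;` between the gid and sid options; the form the engine accepts is `gid:1; sid:1000002;`. The sample rule file is constructed for this example; the header and tls.version value are copied from the rules in the thread.

```python
"""Parse Suricata rule options, build a GID:SID lookup table, and show why
the option strings quoted in the thread fail to parse.

Added example: not part of the forum thread or the pfSense package code.
The sample rules are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Option keywords are lower-case identifiers (letters, digits, '.', '_', '-').
# A space inside a keyword means a ':' or ';' separator was dropped, as in
# the thread's "sid 1:1000002".
KEY_RE = re.compile(r"^[a-z][a-z0-9_.\-]*$")
INT_OPTS = ("gid", "sid", "rev")


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split the text inside the rule's parentheses into (key, value) pairs.

    A ';' inside a quoted value (e.g. msg:"a; b") does not end an option,
    and every option must be terminated by ';' as Suricata requires.
    """
    pairs, buf, in_quote, escaped = [], "", False, False
    for ch in opts:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == '"':
            buf += ch
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            key, _, val = buf.strip().partition(":")
            pairs.append((key.strip(), val.strip()))
            buf = ""
        else:
            buf += ch
    if in_quote:
        raise ValueError("unterminated quoted value")
    if buf.strip():
        raise ValueError(f"option not terminated by ';': {buf.strip()!r}")
    return pairs


def parse_rule(rule: str) -> Dict:
    """Return the rule's action, header, options and its (gid, sid) key.

    Raises ValueError on syntax the engine would reject: a malformed
    keyword, a non-integer gid/sid/rev, or a missing sid.
    """
    m = re.match(r"^\s*(\w+)\s+([^(]+?)\s*\((.*)\)\s*$", rule, re.S)
    if not m:
        raise ValueError("rule is not of the form 'action header (options)'")
    action, header, body = m.groups()
    opts: Dict[str, str] = {}
    for key, val in split_options(body):
        if not KEY_RE.match(key):
            raise ValueError(f"bad option keyword {key!r} (missing separator?)")
        if key in INT_OPTS and not val.isdigit():
            raise ValueError(f"{key} must be an integer, got {val!r}")
        opts[key] = val
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    gid = int(opts.get("gid", "1"))  # Suricata text rules default to generator 1
    return {"action": action, "header": header, "options": opts,
            "key": (gid, int(opts["sid"]))}


def load_rules(rule_text: str) -> Dict:
    """Build the (gid, sid) -> rule text table an alert viewer would use.

    Lines that fail to parse are reported instead of aborting the load.
    """
    table: Dict[Tuple[int, int], str] = {}
    errors: List[str] = []
    for lineno, line in enumerate(rule_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            table[parse_rule(line)["key"]] = line
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return {"rules": table, "errors": errors}


def signature_for_alert(table: Dict, sid: int, gid: int = 1) -> Optional[str]:
    """Resolve an alert's gid:sid to its signature text (gid defaults to 1)."""
    return table.get((gid, sid))


# Constructed sample file: a rule without gid, a rule with gid in the form
# Suricata accepts, and the two option strings quoted in the thread.
SAMPLE_RULES = r'''
alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version:0x0303; sid:1000001; rev:1;)
alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version:0x0303; gid:1; sid:1000002; rev:1;)
alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version:0x0303; sid 1:1000003; rev:1;)
alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version:0x0303; gid: 1 sid: 1000004; rev:1;)
'''

if __name__ == "__main__":
    loaded = load_rules(SAMPLE_RULES)
    for err in loaded["errors"]:
        print("rejected:", err)
    print("loaded keys:", sorted(loaded["rules"]))
    print("alert 1:1000001 ->", signature_for_alert(loaded["rules"], 1000001))
```

Running it loads the first two rules under keys (1, 1000001) and (1, 1000002) and reports the other two as parse errors; the lookup for an alert that carries only a sid still succeeds because the missing gid is filled in with 1, which is the behaviour the GUI code is expected to provide.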
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.