Unable to load Rules page if no Category is selected.
-
@michmoor said in Unable to load Rules page if no Category is selected.:
@bmeeks
You want me to submit a Redmine for tracking?
Please. The Netgate crew likes to see a Redmine ticket attached to each submitted pull request.
-
@bmeeks said in Unable to load Rules page if no Category is selected.:
No worries. Issue #15312 created
-
@michmoor said in Unable to load Rules page if no Category is selected.:
@bmeeks said in Unable to load Rules page if no Category is selected.:
No worries. Issue #15312 created
The fix turned out to be very easy. I've posted a pull request for the Netgate team to review and merge here: https://github.com/pfsense/FreeBSD-ports/pull/1349.
Once they do that, a new 7.0.3_1 Suricata package version will appear in the Package Manager.
-
@bmeeks
Nice work. Thank you, sir.
-
@bmeeks
Tested and working wonderfully.
Another question :)
I understand that a pkg update is essentially re-installing the package, but certain parts of the config aren't sticking. For example, the categories I select are still selected, but so are the 'default' ones as well. I have to uncheck each update.
-
Found another issue :(
When your custom rule does fire off an alert and you go to review the alert and view the signature text, there is an empty box..
Example Rule:
Example Alert:
-
@michmoor said in Unable to load Rules page if no Category is selected.:
but so are the 'default' ones as well. I have to uncheck each update.
This is normal. There is a package of default rules distributed with the Suricata binary, and those get installed (and sometimes updated) with each release. To be sure the user has them available, they are reinstalled and enabled as part of each update.
If you want changes to the default rules to "stick", you can put their category file names in a disablesid.conf file and use the SID MGMT feature to prevent them from loading.
-
@michmoor said in Unable to load Rules page if no Category is selected.:
Found another issue :(
When your custom rule does fire off an alert and you go to review the alert and view the signature text, there is an empty box..
Example Rule:
Example Alert:
Your custom rule is missing the GID (generator ID). Provide that in the rule text and see if the lookup succeeds then. All the rules are loaded into an array where the GID:SID values are the multidimensional array keys. The default GID is "1".
-
@bmeeks
The disabled SID worked, thank you for that.
Regarding the custom rule alert issue above. Suricata is not parsing the rule when I add GID:
[130204 - Suricata-Main] 2024-03-06 12:48:30 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; sid 1:1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
-
@michmoor said in Unable to load Rules page if no Category is selected.:
Regarding the custom rule alert issue above. Suricata is not parsing the rule when I add GID
That's not the correct syntax for a GID. It is a separate field like this:
alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)
GID comes from Snort and is required there as it designates which rules are coming from preprocessors and which are general text rules. GID 1 is the general text rule generator ID.
Suricata does not explicitly require a GID because it does not have preprocessors as does Snort. But it will digest GID in the rule signature. Because the logic for in-memory rule array management is the same in the Suricata and Snort GUI code, the GID is necessary on the Suricata side.
I did take a look into the code last night to check, and the Suricata GUI code should be providing a default GID of "1" when one is not explicitly present in a rule. So, it will be interesting to see if the behavior changes when a GID is explicitly added to your custom rule.
-
@bmeeks
I've had that syntax as well but had the same error.
Using your syntax:
[130204 - Suricata-Main] 2024-03-06 12:55:15 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
-
@michmoor said in Unable to load Rules page if no Category is selected.:
@bmeeks
I've had that syntax as well but had the same error.
Using your syntax:
[130204 - Suricata-Main] 2024-03-06 12:55:15 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
Interesting, I thought from past experience Suricata would take the GID and really just skip it. Don't recall it complaining about it, but then when I wrote all this code it was way back when Suricata was at the version 2.x stage from upstream.
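Added example, not code from the pfSense Suricata package or from anyone in this thread. It serves two passages above: the GID:SID rule-array explanation and the two "error parsing signature" messages, and the earlier disablesid.conf answer. A Suricata rule option body is a sequence of `keyword:value;` items, so each option must end in `;`. Both rule strings from the error messages break that: in `sid 1:1000002;` the keyword becomes `sid 1`, and in `gid: 1 sid: 1000002;` there is no `;` between the two options, so the gid value is `1 sid: 1000002` rather than an integer. The corrected form is `gid:1; sid:1000002;`. The parser below reproduces those failures, loads parsed rules into a table keyed by `gid:sid` with GID defaulting to 1, and applies a disablesid.conf-style file to it. The disablesid entry forms accepted here (category file names, which the thread describes, and `gid:sid` lists, which is an assumption about that file's format) and all rule text, category names and SIDs other than the thread's own rule are constructed for the example.

```python
"""Added example (not code from the pfSense Suricata package): a minimal
Suricata-style rule option parser, a rule table keyed by gid:sid, and a
disablesid.conf-style filter. All rule text and config below is constructed."""
import re

# The first two option strings are the ones from the parse errors quoted in
# the thread; the third is the corrected syntax (every option ends in ';').
RULE_BAD_SID = ('alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; '
                'tls.version: 0x0303; sid 1:1000002; rev:1;)')
RULE_BAD_GID = ('alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; '
                'tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)')
RULE_GOOD = ('alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; '
             'tls.version:0x0303; gid:1; sid:1000002; rev:1;)')
# Stand-ins for rules from distributed (default) categories; sids are made up.
RULE_SCAN = 'alert tcp any any -> any 22 (msg:"example scan rule"; sid:2000001; rev:2;)'
RULE_POLICY = 'alert tcp any any -> any 23 (msg:"example policy rule"; sid:2000002; rev:1;)'

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$', re.S)
KEYWORD_RE = re.compile(r'^[a-z][a-z0-9_.]*$')   # 'sid 1' is not a keyword
SID_LIST_RE = re.compile(r'^\d+:\d+(,\d+:\d+)*$')  # assumed disablesid form


class RuleParseError(ValueError):
    """Raised where Suricata would log 'error parsing signature'."""


def split_options(body):
    """Split the option body on ';' outside double quotes. Anything left after
    the last ';' is an unterminated option, which Suricata rejects."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            parts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if in_quote:
        raise RuleParseError('unterminated quoted string')
    if ''.join(cur).strip():
        raise RuleParseError(f'option not terminated by ";": {"".join(cur).strip()!r}')
    return [p for p in parts if p]


def parse_rule(text):
    """Parse header and options; return a dict whose 'key' is 'gid:sid'.
    gid defaults to 1 (general text rules), as the package GUI assumes."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise RuleParseError('malformed rule header')
    opts = {}
    for part in split_options(m.group('opts')):
        keyword, _, value = part.partition(':')
        if not KEYWORD_RE.match(keyword.strip()):
            raise RuleParseError(f'invalid keyword {keyword.strip()!r}')
        opts[keyword.strip()] = value.strip().strip('"')
    for k in ('gid', 'sid', 'rev'):
        if k in opts and not opts[k].isdigit():
            raise RuleParseError(f'{k} expects an integer, got {opts[k]!r}')
    if 'sid' not in opts:
        raise RuleParseError('rule has no sid')
    gid, sid = int(opts.get('gid', '1')), int(opts['sid'])
    return {'header': m.group(0)[:m.start('opts') - 1].strip(), 'options': opts,
            'gid': gid, 'sid': sid, 'key': f'{gid}:{sid}', 'enabled': True}


def parse_error(text):
    """Return a Suricata-style error string for a bad rule, or None if it parses."""
    try:
        parse_rule(text)
    except RuleParseError as e:
        return f'error parsing signature {text!r}: {e}'
    return None


def load_rules(categories):
    """{category_file_name: [rule_text, ...]} -> {'gid:sid': rule}."""
    table = {}
    for category, rules in categories.items():
        for text in rules:
            rule = parse_rule(text)
            rule['category'] = category   # kept so disablesid can match it
            table[rule['key']] = rule
    return table


def apply_disablesid(table, conf_text):
    """Apply disablesid.conf-style lines ('#' comments, 'gid:sid[,gid:sid]'
    lists, or a category file name; assumed format). Returns disabled keys."""
    disabled = set()
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        if SID_LIST_RE.match(line):
            disabled.update(line.split(','))
        else:   # anything else is treated as a category file name
            disabled.update(k for k, r in table.items() if r['category'] == line)
    for key in disabled.intersection(table):
        table[key]['enabled'] = False
    return disabled


# Constructed disablesid.conf: one whole default category, plus one rule.
DISABLESID_CONF = "# disable a default category\nemerging-scan.rules\n# and one rule\n1:2000002\n"


def demo():
    """Load one custom and two default categories, then apply the disablesid file."""
    table = load_rules({'custom.rules': [RULE_GOOD], 'emerging-scan.rules': [RULE_SCAN],
                        'emerging-policy.rules': [RULE_POLICY]})
    return table, apply_disablesid(table, DISABLESID_CONF)


if __name__ == '__main__':
    for r in (RULE_BAD_SID, RULE_BAD_GID):
        print(parse_error(r))
    table, disabled = demo()
    print({k: v['enabled'] for k, v in table.items()}, sorted(disabled))
```

The custom rule stays enabled after the disablesid pass because neither its category file name nor its `1:1000002` key is listed; only the scan category and the single policy rule are switched off, which is the "stick across package updates" effect described above.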