Netgate Discussion Forum
    Unable to load Rules page if no Category is selected.

    Category: IDS/IPS
    15 Posts, 2 Posters, 1.3k Views
    • bmeeks @michmoor


      No worries. Issue #15312 created

      The fix turned out to be very easy. I've posted a pull request for the Netgate team to review and merge here: https://github.com/pfsense/FreeBSD-ports/pull/1349.

      Once they do that, a new 7.0.3_1 Suricata package version will appear in the Package Manager.

    • michmoor @bmeeks

        @bmeeks
        Nice work. Thank you, sir.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

    • michmoor @michmoor

          @bmeeks
          Tested and working wonderfully.

          Another question :)
          I understand that a pkg update is essentially re-installing the package, but certain parts of the config aren't sticking. For example, the categories I select are still selected, but so are the 'default' ones as well. I have to uncheck them after each update.

          [screenshot: rule category selection]

    • michmoor @michmoor

            @bmeeks

            Found another issue :(

            When your custom rule does fire off an alert and you go to review the alert and view the signature text, there is an empty box.

            Example Rule:
            [screenshot: example rule]

            Example Alert:
            [screenshot: example alert with empty signature box]

    • bmeeks @michmoor

              @michmoor said in Unable to load Rules page if no Category is selected.:

              but so are the 'default' ones as well. I have to uncheck each update.

              This is normal. There is a package of default rules distributed with the Suricata binary, and those get installed (and sometimes updated) with each release. To be sure the user has them available, they are reinstalled and enabled as part of each update.

              If you want changes to the default rules to "stick", you can put their category file names in a disablesid.conf file and use the SID MGMT feature to prevent them from loading.

    • bmeeks @michmoor (last edited by bmeeks)

                @michmoor said in Unable to load Rules page if no Category is selected.:

                @bmeeks

                Found another issue :(

                When your custom rule does fire off an alert and you go to review the alert and view the signature text, there is an empty box.

                Example Rule:
                [screenshot: example rule]

                Example Alert:
                [screenshot: example alert with empty signature box]

                Your custom rule is missing the GID (generator ID). Provide that in the rule text and see if the lookup succeeds then. All the rules are loaded into an array where the GID:SID values are the multidimensional array keys. The default GID is "1".

    • michmoor @bmeeks

                  @bmeeks
                  The disabled SID worked, thank you for that.

                  Regarding the custom rule alert issue above: Suricata is not parsing the rule when I add the GID.

                  [130204 - Suricata-Main] 2024-03-06 12:48:30 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; sid 1:1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
    • bmeeks @michmoor (last edited by bmeeks)

                    @michmoor said in Unable to load Rules page if no Category is selected.:

                    Regarding the custom rule alert issue above: Suricata is not parsing the rule when I add the GID.

                    That's not the correct syntax for a GID. It is a separate field like this:

                    alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)

                    GID comes from Snort and is required there as it designates which rules are coming from preprocessors and which are general text rules. GID 1 is the general text rule generator ID.

                    Suricata does not explicitly require a GID because it does not have preprocessors as does Snort. But it will digest GID in the rule signature. Because the logic for in-memory rule array management is the same in the Suricata and Snort GUI code, the GID is necessary on the Suricata side.

                    I did take a look into the code last night to check, and the Suricata GUI code should be providing a default GID of "1" when one is not explicitly present in a rule. So, it will be interesting to see if the behavior changes when a GID is explicitly added to your custom rule.

    • michmoor @bmeeks
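The two posts above describe how the pfSense GUI keeps rules in an in-memory array keyed by GID and then SID, with GID defaulting to "1" when a rule does not carry one. The following Python is an added example written for this page; it is not the package's own PHP code, and the sample rules in it are constructed, not taken from any ruleset. It shows the GID:SID index and the default-GID behaviour, and it also goes a step further than the thread: Suricata rule options are each terminated by a semicolon, so the parser rejects a rule in which two options have run together into one token instead of silently indexing it.

```python
"""Index Suricata text rules by GID:SID, defaulting the GID to 1 when absent."""
import re
from typing import Dict, List, Optional, Tuple

DEFAULT_GID = 1  # text rules carry generator ID 1 when no gid option is given

# Constructed sample rules for this example (not from any real ruleset).
# Line 3 deliberately omits the ';' after its gid option, so "gid" and "sid"
# arrive at the parser fused into a single token.
SAMPLE_RULES = """\
alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version:0x0303; gid:1; sid:1000002; rev:1;)
alert tcp any any -> any 22 (msg:"SSH banner seen"; content:"SSH-2.0"; sid:1000003; rev:2;)
alert tls any any -> any any (msg:"fused options"; tls.version:0x0303; gid:1 sid:1000004; rev:1;)
"""

# action, header (everything up to the first '('), then the option body.
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")
KEY_RE = re.compile(r"[A-Za-z0-9_.\-]+")
NUMERIC_OPTS = ("gid", "sid", "rev")


def split_options(body: str) -> List[str]:
    """Split the option body on ';' that sit outside double quotes.
    A trailing fragment with no terminating ';' is returned as well so the
    caller can decide whether to reject it."""
    tokens: List[str] = []
    current: List[str] = []
    in_quote = False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tokens.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        tokens.append(tail)
    return [t for t in tokens if t]


def parse_rule(line: str) -> Dict[str, object]:
    """Parse one rule line into gid/sid/msg, applying DEFAULT_GID when needed.
    Raises ValueError for a line that is not a well-formed rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("line is not a rule")
    opts: Dict[str, str] = {}
    for token in split_options(m.group("options")):
        key, _, value = token.partition(":")
        key, value = key.strip(), value.strip()
        if not KEY_RE.fullmatch(key):
            raise ValueError(f"malformed option {token!r}")
        # gid/sid/rev must be plain integers; a fused "gid:1 sid:1000004"
        # token fails here instead of being indexed under a bogus key.
        if key in NUMERIC_OPTS and not value.isdigit():
            raise ValueError(f"{key} must be numeric, got {value!r}")
        opts[key] = value
    if "sid" not in opts:
        raise ValueError("rule has no sid")
    return {
        "gid": int(opts.get("gid", str(DEFAULT_GID))),
        "sid": int(opts["sid"]),
        "msg": opts.get("msg", "").strip('"'),
        "rule": line.strip(),
    }


def load_rules(text: str) -> Tuple[Dict[int, Dict[int, dict]], List[Tuple[int, str]]]:
    """Build the two-level index {gid: {sid: rule}} and collect parse errors
    as (line number, message) so a bad rule does not abort the whole load."""
    index: Dict[int, Dict[int, dict]] = {}
    errors: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        index.setdefault(rule["gid"], {})[rule["sid"]] = rule
    return index, errors


def lookup(index: Dict[int, Dict[int, dict]], gid: int, sid: int) -> Optional[dict]:
    """The alert-page lookup: find the signature text for an alert's GID:SID."""
    return index.get(gid, {}).get(sid)


if __name__ == "__main__":
    idx, errs = load_rules(SAMPLE_RULES)
    for gid, by_sid in idx.items():
        for sid, rule in by_sid.items():
            print(f"{gid}:{sid}  {rule['msg']}")
    for lineno, err in errs:
        print(f"line {lineno}: {err}")
```

Running it indexes lines 1 and 2 under GID 1 (line 2 gets the default GID) and reports line 3 as an error rather than storing it, which is the behaviour you want from a loader feeding an alert-to-signature lookup: an unindexed rule shows up as a load error, not as an empty signature box later.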

                      @bmeeks
                      I've had that syntax as well but had the same error.
                      Using your syntax:

                      [130204 - Suricata-Main] 2024-03-06 12:55:15 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1
    • bmeeks @michmoor

                        @michmoor said in Unable to load Rules page if no Category is selected.:

                        @bmeeks
                        I've had that syntax as well but had the same error.
                        Using your syntax:

                        [130204 - Suricata-Main] 2024-03-06 12:55:15 Error: detect: error parsing signature "alert tls any any -> 192.168.50.240 any (msg:"TLS 1.2 Traffic Detected"; tls.version: 0x0303; gid: 1 sid: 1000002; rev:1;)" from file /usr/local/etc/suricata/suricata_38311_igc0/rules/custom.rules at line 1

                        Interesting, I thought from past experience Suricata would take the GID and really just skip it. Don't recall it complaining about it, but then when I wrote all this code it was way back when Suricata was at the version 2.x stage from upstream.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.