Netgate Discussion Forum

    SID Management not working, rules not loading/parsed 2.4.4-2 / Suricata 4.1.2_1

      digdug3

      I think since the last update (4.1.2_1), suddenly the enablesid.conf files are not parsed anymore in SID management. You can also see the rules are not loaded/enabled in "Interface -> Edit -> Categories" and not in "Interface -> Edit -> Rules".

      Here is a part of my enablesid.conf:

      ### enablesid-wan.conf
      # ET rules
      emerging-worm
      emerging-trojan
      emerging-malware
      emerging-mobile_malware
      
      # Snort rules
      snort_exploit-kit
      snort_malware-backdoor
      
      # pcre
      pcre:"Malware"
      pcre:"Spyware"
      pcre:"Trojan"
      

      Only the "default enabled" rules are now loaded :(

        bmeeks

        Oops! I found a piece of code in one of the PHP files where I forgot to update the new rules path.

        Thanks for reporting this. I will work on a fix and get it posted later today for the pfSense team to review and hopefully merge tomorrow (Monday).

        Bill

          bmeeks

          For an immediate fix, until I can get an updated package reviewed and posted, you can edit these three lines in the following file.

          File: /usr/local/pkg/suricata/suricata.inc

          Line 1776, change from

          log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in {$suricatadir}rules/ ..."));
          

          to

          log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in ". SURICATA_RULES_DIR . " ..."));
          

          Line 2274, change from

          $files = glob("{$suricatadir}rules/{$prefix}*.rules");
          

          to

          $files = glob(SURICATA_RULES_DIR . "{$prefix}*.rules");
          

          Line 3481, change from

          $all_rules = suricata_load_rules_map("{$suricatadir}rules/");
          

          to

          $all_rules = suricata_load_rules_map(SURICATA_RULES_DIR);
          

          Update: the permanent fix for this is now awaiting review and merge by the pfSense team. It should be posted as Suricata version 4.1.2_2 in the next day or two.

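A check that the three edits described in the post above were applied, as an added example that is not part of the original posts or the Suricata package. The function names are hypothetical, and the sample files are constructed from the three lines quoted in the post.

```shell
#!/bin/sh
# Added example (not Suricata package code). Function names are hypothetical.
STALE='{$suricatadir}rules/'      # hard-coded path the post replaces
CONST='SURICATA_RULES_DIR'        # constant the post substitutes

# List "lineno:text" for every line still using the hard-coded rules path.
stale_rules_refs() {
    grep -nF -- "$STALE" "$1"
}

# Succeed only if each of the three call sites from the post uses the
# constant and none of them still uses the hard-coded path.
workaround_applied() {
    for site in 'Flowbit resolution not done' 'glob(' 'suricata_load_rules_map('; do
        lines=$(grep -F -- "$site" "$1") || return 1
        if printf '%s\n' "$lines" | grep -qF -- "$STALE"; then return 1; fi
        printf '%s\n' "$lines" | grep -qF -- "$CONST" || return 1
    done
    return 0
}

# Constructed samples: the three lines quoted in the post, before and after.
write_sample_before() {
    cat > "$1" <<'EOF'
log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in {$suricatadir}rules/ ..."));
$files = glob("{$suricatadir}rules/{$prefix}*.rules");
$all_rules = suricata_load_rules_map("{$suricatadir}rules/");
EOF
}
write_sample_after() {
    cat > "$1" <<'EOF'
log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in ". SURICATA_RULES_DIR . " ..."));
$files = glob(SURICATA_RULES_DIR . "{$prefix}*.rules");
$all_rules = suricata_load_rules_map(SURICATA_RULES_DIR);
EOF
}

# Demo on the constructed samples; pass a real copy of suricata.inc instead.
tmp=$(mktemp -d)
write_sample_before "$tmp/before.inc"
write_sample_after "$tmp/after.inc"
for f in "$tmp/before.inc" "$tmp/after.inc"; do
    if workaround_applied "$f"; then echo "$f: patched"; else
        echo "$f: still uses hard-coded path:"; stale_rules_refs "$f"
    fi
done
rm -rf "$tmp"
```

A file with only some of the three lines edited fails the check, and `stale_rules_refs` shows which line numbers remain.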
            digdug3

            @bmeeks

            Thanks again for the rapid response!
            Line 2275 should be 2274 (at least in my suricata.inc :) )

              digdug3

              Tested and working!

                bmeeks

                @digdug3 said in SID Management not working, rules not loading/parsed 2.4.4-2 / Suricata 4.1.2_1:

                @bmeeks

                Thanks again for the rapid response!
                Line 2275 should be 2274 (at least in my suricata.inc :) )

                Yep. Looked at the wrong line number when composing my post. Will correct it.

                  bmeeks

                  The permanent fix for this issue was merged in Suricata package version 4.1.2_2 which is now posted. This issue is resolved.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.