SID Management not working, rules not loading/parsed 2.4.4-2 / Suricata 4.1.2_1
-
I think since the last update (4.1.2_1), suddenly the enablesid.conf is not parsed anymore in SID management. You can also see the rules are not loaded/enabled in "Interface -> Edit -> Categories" nor in "Interface -> Edit -> Rules".
Here is a part of my enablesid.conf:
### enablesid-wan.conf
# ET rules
emerging-worm
emerging-trojan
emerging-malware
emerging-mobile_malware
# Snort rules
snort_exploit-kit
snort_malware-backdoor
# pcre
pcre:"Malware"
pcre:"Spyware"
pcre:"Trojan"
Only the "default enabled" rules are now loaded :(
-
Oops! I found a piece of code in one of the PHP files where I forgot to update the new rules path.
Thanks for reporting this. I will work on a fix and get it posted later today for the pfSense team to review and hopefully merge tomorrow (Monday).
Bill
-
For an immediate fix, until I can get an updated package reviewed and posted, you can edit these three lines in the following file.
File: /usr/local/pkg/suricata/suricata.inc
Line 1776, change from
log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in {$suricatadir}rules/ ..."));
to
log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in ". SURICATA_RULES_DIR . " ..."));
Line 2274, change from
$files = glob("{$suricatadir}rules/{$prefix}*.rules");
to
$files = glob(SURICATA_RULES_DIR . "{$prefix}*.rules");
Line 3481, change from
$all_rules = suricata_load_rules_map("{$suricatadir}rules/");
to
$all_rules = suricata_load_rules_map(SURICATA_RULES_DIR);
Update: the permanent fix for this is now awaiting review and merge by the pfSense team. It should be posted as Suricata version 4.1.2_2 in the next day or two.
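The three edits above can be applied and checked mechanically. The following is an added helper, not Bill's code and not part of the pfSense Suricata package; it assumes the file layout quoted in the post, keeps a .bak copy, and reports whether any old "{$suricatadir}rules/" reference is left over:

```shell
#!/bin/sh
# Added helper (not the package's own code): apply the three replacements
# from the post to a suricata.inc and verify no stale rules-path reference
# remains. The sample file below is constructed for demonstration.

# Count remaining references to the old rules path in a file.
stale_rules_refs() {
    grep -Fc '{$suricatadir}rules/' "$1" || true
}

# Apply the three substitutions, keeping a .bak copy of the original.
# Returns 0 when no old-style reference is left, non-zero otherwise.
patch_rules_path() {
    f="$1"
    cp "$f" "$f.bak"
    sed -e 's|no rules in {\$suricatadir}rules/ |no rules in ". SURICATA_RULES_DIR . " |' \
        -e 's|glob("{\$suricatadir}rules/{\$prefix}|glob(SURICATA_RULES_DIR . "{$prefix}|' \
        -e 's|suricata_load_rules_map("{\$suricatadir}rules/")|suricata_load_rules_map(SURICATA_RULES_DIR)|' \
        "$f.bak" > "$f"
    [ "$(stale_rules_refs "$f")" -eq 0 ]
}

# Constructed stand-in for suricata.inc holding the three affected lines.
make_sample_inc() {
    tmp="${TMPDIR:-/tmp}/suricata_inc_sample.$$"
    cat > "$tmp" <<'EOF'
<?php
log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in {$suricatadir}rules/ ..."));
$files = glob("{$suricatadir}rules/{$prefix}*.rules");
$all_rules = suricata_load_rules_map("{$suricatadir}rules/");
EOF
    echo "$tmp"
}

# Demo on the constructed sample; point it at the real path from the post
# only after inspecting that file yourself.
sample="$(make_sample_inc)"
patch_rules_path "$sample" && echo "patched: $sample (backup: $sample.bak)"
```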
-
Thanks again for the rapid response!
Line 2275 should be 2274 (at least in my suricata.inc :) )
-
Tested and working!
-
@digdug3 said in SID Management not working, rules not loading/parsed 2.4.4-2 / Suricata 4.1.2_1:
Thanks again for the rapid response!
Line 2275 should be 2274 (at least in my suricata.inc :) )
Yep. Looked at the wrong line number when composing my post. Will correct it.
-
The permanent fix for this issue was merged in Suricata package version 4.1.2_2 which is now posted. This issue is resolved.