SID Management not working, rules not loading/parsed 2.4.4-2 / Suricata 4.1.2_1



  • I think since the last update (4.1.2_1), suddenly the enablesid.conf is not parsed anymore in SID management. You can also see the rules are not loaded/enabled in "Interface -> Edit -> Categories", nor in "Interface -> Edit -> Rules".

    Here is a part of my enablesid.conf:

    ### enablesid-wan.conf
    # ET rules
    emerging-worm
    emerging-trojan
    emerging-malware
    emerging-mobile_malware
    
    # Snort rules
    snort_exploit-kit
    snort_malware-backdoor
    
    # pcre
    pcre:"Malware"
    pcre:"Spyware"
    pcre:"Trojan"
    

    Only the "default enabled" rules are now loaded :(



  • Oops! I found a piece of code in one of the PHP files where I forgot to update the new rules path.

    Thanks for reporting this. I will work on a fix and get it posted later today for the pfSense team to review and hopefully merge tomorrow (Monday).

    Bill



  • For an immediate fix, until I can get an updated package reviewed and posted, you can edit these three lines in the following file.

    File: /usr/local/pkg/suricata/suricata.inc

    Line 1776, change from

    log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in {$suricatadir}rules/ ..."));
    

    to

    log_error(gettext("[Suricata] WARNING: Flowbit resolution not done - no rules in ". SURICATA_RULES_DIR . " ..."));
    

    Line 2274, change from

    $files = glob("{$suricatadir}rules/{$prefix}*.rules");
    

    to

    $files = glob(SURICATA_RULES_DIR . "{$prefix}*.rules");
    

    Line 3481, change from

    $all_rules = suricata_load_rules_map("{$suricatadir}rules/");
    

    to

    $all_rules = suricata_load_rules_map(SURICATA_RULES_DIR);
    

    Update: the permanent fix for this is now awaiting review and merge by the pfSense team. It should be posted as Suricata version 4.1.2_2 in the next day or two.
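    The three edits above can be applied in one pass with the script below. It is an added example written for this thread, not code from the pfSense Suricata package or from bmeeks, and the function names, the pre-checks and the backup filename are its own. It matches the lines by their contents rather than by line number (the numbers drift between package builds, as the 2274/2275 mix-up in this thread shows), refuses to touch a file that is not in the expected unpatched state, backs the original up and verifies the result before reporting success.

```shell
#!/bin/sh
# Added example, not part of the pfSense Suricata package: apply the three
# suricata.inc edits from this thread in one pass. Function names, the
# pre-checks and the ".orig" backup name are this example's own choices.
# Run on pfSense as root:
#   sh fix-suricata-inc.sh /usr/local/pkg/suricata/suricata.inc

# Exact fragments of the stale lines (fixed strings, used for the pre-check).
OLD1='no rules in {$suricatadir}rules/ ..."'
OLD2='glob("{$suricatadir}rules/{$prefix}*.rules")'
OLD3='suricata_load_rules_map("{$suricatadir}rules/")'

# What the same three lines must contain after the fix.
NEW1='no rules in ". SURICATA_RULES_DIR . " ..."'
NEW2='glob(SURICATA_RULES_DIR . "{$prefix}*.rules")'
NEW3='suricata_load_rules_map(SURICATA_RULES_DIR)'

# Return 0 only if all three stale fragments are present, i.e. the file is
# the unpatched 4.1.2_1 version this fix targets.
needs_fix() {
  f="$1"
  grep -Fq -- "$OLD1" "$f" && grep -Fq -- "$OLD2" "$f" && grep -Fq -- "$OLD3" "$f"
}

# Return 0 only if all three fixed fragments are present and no stale
# "{$suricatadir}rules/" reference remains anywhere in the file.
is_fixed() {
  f="$1"
  grep -Fq -- "$NEW1" "$f" && grep -Fq -- "$NEW2" "$f" && grep -Fq -- "$NEW3" "$f" \
    && ! grep -Fq -- '{$suricatadir}rules/' "$f"
}

# Back the file up, rewrite the three lines with sed, and refuse to touch a
# file that is not in the expected state. Portable sed usage: write to a
# temporary file and move it into place instead of relying on -i, whose
# syntax differs between GNU sed and the BSD sed shipped with pfSense.
patch_suricata_inc() {
  f="$1"
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
  if is_fixed "$f"; then
    echo "$f: already patched" >&2
    return 0
  fi
  needs_fix "$f" || { echo "$f: unexpected contents, not patching" >&2; return 2; }
  cp -p "$f" "$f.orig" || return 1
  # In a BRE, \$ is a literal dollar sign and \* / \. are literal star / dot.
  sed \
    -e 's|no rules in {\$suricatadir}rules/ \.\.\."|no rules in ". SURICATA_RULES_DIR . " ..."|' \
    -e 's|glob("{\$suricatadir}rules/{\$prefix}\*\.rules")|glob(SURICATA_RULES_DIR . "{$prefix}*.rules")|' \
    -e 's|suricata_load_rules_map("{\$suricatadir}rules/")|suricata_load_rules_map(SURICATA_RULES_DIR)|' \
    "$f" > "$f.new" || { rm -f "$f.new"; return 1; }
  mv "$f.new" "$f" || return 1
  is_fixed "$f"
}

# When run as a script: patch the file named by the first argument.
if [ "$#" -gt 0 ]; then
  patch_suricata_inc "$1" && echo "$1: patched (backup in $1.orig)"
fi
```

    After running it, open the Suricata interface in the pfSense GUI and save the interface settings once so the rules are regenerated; if the categories from enablesid.conf still do not appear, restore the `.orig` backup and wait for the 4.1.2_2 package instead.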



  • @bmeeks

    Thanks again for the rapid response!
    Line 2275 should be 2274 (at least in my suricata.inc :) )



  • Tested and working!



  • @digdug3 said in SID Management not working, rules not loading/parsed 2.4.4-2 / Suricata 4.1.2_1:

    @bmeeks

    Thanks again for the rapid response!
    Line 2275 should be 2274 (at least in my suricata.inc :) )

    Yep. Looked at the wrong line number when composing my post. Will correct it.



  • The permanent fix for this issue was merged in Suricata package version 4.1.2_2 which is now posted. This issue is resolved.

