Hello… in which place can I see if the rules are downloaded…??
Hi @kristian1369,
in /var/log/messages
or /var/log/sid_changes.log
you can see which rules are new and deleted.
Rules are in /etc/suricata/rules.
My /var/log/messages after rules download:
Mar 22 21:36:12 server esmith::event[5553]: expanding /etc/pulledpork/pulledpork.conf
Mar 22 21:36:12 server esmith::event[5553]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.351723]
Mar 22 21:36:13 server esmith::event[5553]:
Mar 22 21:36:13 server esmith::event[5553]: https://github.com/shirkdog/pulledpork
Mar 22 21:36:13 server esmith::event[5553]: _____ ____
Mar 22 21:36:13 server esmith::event[5553]: `----,\ )
Mar 22 21:36:13 server esmith::event[5553]: `--==\\ / PulledPork v0.7.3 - Making signature updates great again!
Mar 22 21:36:13 server esmith::event[5553]: `--==\\/
Mar 22 21:36:13 server esmith::event[5553]: .-~~~~-.Y|\\_ Copyright (C) 2009-2017 JJ Cummings, Michael Shirk
Mar 22 21:36:13 server esmith::event[5553]: @_/ / 66\_ and the PulledPork Team!
Mar 22 21:36:13 server esmith::event[5553]: | \ \ _(")
Mar 22 21:36:13 server esmith::event[5553]: \ /-| ||'--' Rules give me wings!
Mar 22 21:36:13 server esmith::event[5553]: \_\ \_\\
Mar 22 21:36:13 server esmith::event[5553]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mar 22 21:36:13 server esmith::event[5553]:
Mar 22 21:36:13 server esmith::event[5553]: Prepping rules from emerging.rules.tar.gz for work....
Mar 22 21:36:14 server evebox: 2018-03-22 21:36:14 (evefileprocessor.go:175) <Info> -- Total: 1; last minute: 1; EOFs: 60
Mar 22 21:36:24 server esmith::event[5553]: #011Done!
Mar 22 21:36:24 server esmith::event[5553]: Reading rules...
Mar 22 21:36:24 server esmith::event[5553]: Reading rules...
Mar 22 21:36:24 server esmith::event[5553]: Modifying Sids....
Mar 22 21:36:24 server esmith::event[5553]: #011Done!
Mar 22 21:36:24 server esmith::event[5553]: Processing /etc/pulledpork/enablesid.conf....
Mar 22 21:36:24 server esmith::event[5553]: #011Modified 0 rules
Mar 22 21:36:24 server esmith::event[5553]: #011Skipped 0 rules (already disabled)
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Processing /etc/pulledpork/dropsid.conf....
Mar 22 21:36:24 server esmith::event[5553]: #011Modified 0 rules
Mar 22 21:36:24 server esmith::event[5553]: #011Skipped 0 rules (already disabled)
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Processing /etc/pulledpork/disablesid.conf....
Mar 22 21:36:24 server esmith::event[5553]: #011Modified 0 rules
Mar 22 21:36:24 server esmith::event[5553]: #011Skipped 0 rules (already disabled)
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Setting Flowbit State....
Mar 22 21:36:24 server esmith::event[5553]: #011Enabled 142 flowbits
Mar 22 21:36:24 server esmith::event[5553]: #011Enabled 1 flowbits
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Writing rules to unique destination files....
Mar 22 21:36:24 server esmith::event[5553]: #011Writing rules to /etc/suricata/rules/
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Generating sid-msg.map....
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Writing v1 /etc/suricata/sid-msg.map....
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Writing /var/log/sid_changes.log....
Mar 22 21:36:24 server esmith::event[5553]: #011Done
Mar 22 21:36:24 server esmith::event[5553]: Rule Stats...
Mar 22 21:36:24 server esmith::event[5553]: #011New:-------0
Mar 22 21:36:24 server esmith::event[5553]: #011Deleted:---254
Mar 22 21:36:24 server esmith::event[5553]: #011Enabled Rules:----17519
Mar 22 21:36:24 server esmith::event[5553]: #011Dropped Rules:----0
Mar 22 21:36:24 server esmith::event[5553]: #011Disabled Rules:---0
Mar 22 21:36:24 server esmith::event[5553]: #011Total Rules:------17519
Mar 22 21:36:24 server esmith::event[5553]: No IP Blacklist Changes
Mar 22 21:36:24 server esmith::event[5553]:
Mar 22 21:36:24 server esmith::event[5553]: Done
Mar 22 21:36:24 server esmith::event[5553]: Please review /var/log/sid_changes.log for additional details
Mar 22 21:36:24 server esmith::event[5553]: Fly Piggy Fly!
Mar 22 21:36:24 server esmith::event[5553]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply SUCCESS [11.505476]
http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-pulledpork.html
Hello @mrmarkuz, do I have to update these rules every day, week or month…?
They’re updated daily via cron:
[root@server ~]# cat /etc/cron.d/pulledpork
30 2 * * * root /usr/bin/pulledpork -c /etc/pulledpork/pulledpork.conf -k -g -l >/dev/null; /etc/e-smith/events/actions/nethserver-pulledpork-apply >/dev/null
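As an added example, not code from the thread, NethServer or PulledPork: a small POSIX shell check that pulls the "Rule Stats" block of the most recent PulledPork run out of /var/log/messages, confirms the apply action reported SUCCESS and that the resulting ruleset is non-empty, and checks that a file such as /var/log/sid_changes.log has been touched within the last day, which is what the 02:30 cron job above should guarantee. The log lines embedded in the script are constructed to match the format shown in the thread; the older run without a SUCCESS line is an assumed failure, not a real e-smith message, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: verify the last PulledPork run recorded in a syslog file.
# On a real NethServer box use /var/log/messages; here a constructed sample
# log (format copied from the thread) is written to a temp file.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 21 02:30:05 server esmith::event[4101]: Rule Stats...
Mar 21 02:30:05 server esmith::event[4101]: #011New:-------0
Mar 21 02:30:05 server esmith::event[4101]: #011Deleted:---0
Mar 21 02:30:05 server esmith::event[4101]: #011Enabled Rules:----0
Mar 21 02:30:05 server esmith::event[4101]: #011Total Rules:------0
Mar 21 02:30:05 server esmith::event[4101]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply (assumed failure line, constructed)
Mar 22 21:36:24 server esmith::event[5553]: Rule Stats...
Mar 22 21:36:24 server esmith::event[5553]: #011New:-------12
Mar 22 21:36:24 server esmith::event[5553]: #011Deleted:---254
Mar 22 21:36:24 server esmith::event[5553]: #011Enabled Rules:----17519
Mar 22 21:36:24 server esmith::event[5553]: #011Total Rules:------17519
Mar 22 21:36:24 server esmith::event[5553]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply SUCCESS [11.505476]
EOF

# Print only the lines of the most recent run: everything from the last
# "Rule Stats..." marker to the end of the file (nothing if no marker).
pp_last_run() {
    awk '/esmith::event\[[0-9]+\]: Rule Stats\.\.\./ { found = 1; buf = "" }
         found { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1"
}

# pp_stat LOGFILE KEY -> the integer after "KEY:----" in the last run.
# "#011" is how rsyslog escapes the tab PulledPork prints before each stat.
pp_stat() {
    pp_last_run "$1" | grep "#011$2:" | sed 's/.*-\([0-9][0-9]*\)$/\1/'
}

# pp_check LOGFILE -> 0 if the last run applied with SUCCESS and left rules,
# 1 otherwise (no run found, apply not SUCCESS, or zero total rules).
pp_check() {
    run=$(pp_last_run "$1")
    [ -n "$run" ] || { echo "no PulledPork run found in $1"; return 1; }
    new=$(pp_stat "$1" New)
    deleted=$(pp_stat "$1" Deleted)
    total=$(pp_stat "$1" "Total Rules")
    printf 'last run: new=%s deleted=%s total=%s\n' "${new:-?}" "${deleted:-?}" "${total:-?}"
    if ! printf '%s\n' "$run" | grep -q 'nethserver-pulledpork-apply SUCCESS'; then
        echo "apply action did not report SUCCESS"; return 1
    fi
    [ "${total:-0}" -gt 0 ] || { echo "ruleset is empty"; return 1; }
    return 0
}

# pp_fresh FILE MAX_DAYS -> 0 if FILE was modified less than MAX_DAYS ago.
# With the daily 02:30 cron, /var/log/sid_changes.log should pass with MAX_DAYS=2.
pp_fresh() {
    [ -n "$(find "$1" -mtime "-$2" 2>/dev/null)" ]
}

# Demo against the constructed sample (real use: pp_check /var/log/messages).
pp_check "$SAMPLE_LOG"
```

Run it as a cron job of its own or from a monitoring check; a non-zero exit from pp_check, or pp_fresh failing on /var/log/sid_changes.log, is the signal that rules stopped updating even though nothing in Suricata itself complains.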