Suricata rules download error

Stefano_Zamboni (Stefano Zamboni) 2017-10-31 10:24:06 UTC #1

Hi there

when I click on “download rules” button, I see this in my messages log:

Oct 31 11:20:27 mail2 esmith::event[48715]: #011Error 404 when fetching https://rules.emergingthreats.net/open-nogpl/suricata/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork line 534.
Oct 31 11:20:27 mail2 esmith::event[48715]: #011main::md5file(‘open-nogpl’, ‘emerging.rules.tar.gz’, ‘/tmp/’, ‘https://rules.emergingthreats.net/open-nogpl/suricata/’) called at /usr/bin/pulledpork line 2006
Oct 31 11:20:27 mail2 esmith::event[48715]: IP Blacklist download of http://talosintelligence.com/feeds/ip-filter.blf…
Oct 31 11:20:27 mail2 esmith::event[48715]: Reading IP List…
Oct 31 11:20:27 mail2 esmith::event[48715]: Checking latest MD5 for emerging.rules.tar.gz…
Oct 31 11:20:27 mail2 esmith::event[48715]: #011A 404 error occurred, please verify your filenames and urls for your tarball!
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - rule reload starting
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid rule-files configuration section: expected a list of filenames.
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can’t suppress sid 2022913, gid 1: unknown rule
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can’t suppress sid 2011124, gid 1: unknown rule
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - rule reload complete

taking a look at remote dir, I see:

as you can see the path is changed

Jclendineng (Joel Clendineng) 2017-10-31 13:41:56 UTC #2

you can manually download and unpack in the directory until a fix is pushed, its just a simple url change.

giacomo (Giacomo Sanchietti) 2017-10-31 13:48:22 UTC #3

I can confirm the bug, this patch should fix the download URL:

--- /etc/e-smith/templates/etc/pulledpork/pulledpork.conf/20options	2017-10-06 16:50:28.000000000 +0200
+++ /tmp/20options	2017-09-15 15:19:29.135683774 +0200
@@ -152,7 +152,7 @@
 # This value MUST contain all 4 minor version
 # numbers. ET rules are now also dependant on this, verify supported ET versions
 # prior to simply throwing rubbish in this variable kthx!
-snort_version=suricata
+snort_version=suricata-1.3-enhanced
 
 # Here you can specify what rule modification files to run automatically.
 # simply uncomment and specify the apt path.

If new categories have been added by ET, probably you will see some untranslated labels on the web interface.

Would you like to open an issue and/or a PR to fix the whole thing?

giacomo (Giacomo Sanchietti) 2017-11-02 08:06:12 UTC #4

@Stefano_Zamboni have you tried the proposed fix?

I should have the time to prepare a testing package, are you willing to test it? Come on, don’t be shy!

Stefano_Zamboni (Stefano Zamboni) 2017-11-02 08:16:46 UTC #5

the fix is working as expected, IMO no testing package required, just release the update (the change is trivial)

giacomo (Giacomo Sanchietti) 2017-11-02 12:57:22 UTC #6

I think it’s not so trivial, it changes two packages and I had to open 3 different pull requests (including the doc)

Please help us testing it, you can find updated packages in nethserver-testing:

nethserver-pulledpork-2.1.0-1.1.g46ab0d3.ns7.noarch.rpm
nethserver-suricata-1.1.0-1.1.g6fecaa5.ns7.noarch.rpm

To test:

yum --enablerepo=nethserver-testing update nethserver-suricata nethserver-pulledpork

Everything is tracked here:

After the test, you can report your findings on the tracker or directly in this thread

Stefano_Zamboni (Stefano Zamboni) 2017-11-02 13:21:50 UTC #7

will try to find the time, quite busy ATM

giacomo (Giacomo Sanchietti) 2017-11-06 12:00:10 UTC #8

@Stefano_Zamboni did you have the time to try it out?

alefattorini (Alessio Fattorini) 2017-11-06 14:09:49 UTC #9

@Jclendineng or someone of the @quality_team would like to try?

Jclendineng (Joel Clendineng) 2017-11-06 14:24:59 UTC #10

I already had the testing repo installed, so I got the update when you pushed it. Works fine, it was just a url change right?

alefattorini (Alessio Fattorini) 2017-11-06 14:27:42 UTC #11

Can you check @giacomo’s issue? Look at this guide, it would be great if you can add your outcomes there!