Suricata rules download error

Hi there

when I click on “download rules” button, I see this in my messages log:

Oct 31 11:20:27 mail2 esmith::event[48715]: #011Error 404 when fetching https://rules.emergingthreats.net/open-nogpl/suricata/emerging.rules.tar.gz.md5 at /usr/bin/pulledpork line 534.
Oct 31 11:20:27 mail2 esmith::event[48715]: #011main::md5file(‘open-nogpl’, ‘emerging.rules.tar.gz’, ‘/tmp/’, ‘https://rules.emergingthreats.net/open-nogpl/suricata/’) called at /usr/bin/pulledpork line 2006
Oct 31 11:20:27 mail2 esmith::event[48715]: IP Blacklist download of http://talosintelligence.com/feeds/ip-filter.blf…
Oct 31 11:20:27 mail2 esmith::event[48715]: Reading IP List…
Oct 31 11:20:27 mail2 esmith::event[48715]: Checking latest MD5 for emerging.rules.tar.gz…
Oct 31 11:20:27 mail2 esmith::event[48715]: #011A 404 error occurred, please verify your filenames and urls for your tarball!
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - rule reload starting
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - Invalid rule-files configuration section: expected a list of filenames.
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can’t suppress sid 2022913, gid 1: unknown rule
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - [ERRCODE: SC_ERR_EVENT_ENGINE(210)] - can’t suppress sid 2011124, gid 1: unknown rule
Oct 31 11:20:27 mail2 suricata: 31/10/2017 – 11:20:27 - - rule reload complete

taking a look at remote dir, I see:

Immagine1.png821×383 14.4 KB

as you can see the path is changed

you can manually download and unpack in the directory until a fix is pushed, its just a simple url change.

I can confirm the bug, this patch should fix the download URL:

--- /etc/e-smith/templates/etc/pulledpork/pulledpork.conf/20options	2017-10-06 16:50:28.000000000 +0200
+++ /tmp/20options	2017-09-15 15:19:29.135683774 +0200
@@ -152,7 +152,7 @@
 # This value MUST contain all 4 minor version
 # numbers. ET rules are now also dependant on this, verify supported ET versions
 # prior to simply throwing rubbish in this variable kthx!
-snort_version=suricata
+snort_version=suricata-1.3-enhanced
 
 # Here you can specify what rule modification files to run automatically.
 # simply uncomment and specify the apt path.

If new categories have been added by ET, probably you will see some untranslated labels on the web interface.

Would you like to open an issue and/or a PR to fix the whole thing?

@Stefano_Zamboni have you tried the proposed fix?

I should have the time to prepare a testing package, are you willing to test it? Come on, don’t be shy!

the fix is working as expected, IMO no testing package required, just release the update (the change is trivial)

I think it’s not so trivial, it changes two packages and I had to open 3 different pull requests (including the doc)

Please help us testing it, you can find updated packages in nethserver-testing:

• nethserver-pulledpork-2.1.0-1.1.g46ab0d3.ns7.noarch.rpm
• nethserver-suricata-1.1.0-1.1.g6fecaa5.ns7.noarch.rpm

To test:

yum --enablerepo=nethserver-testing update nethserver-suricata nethserver-pulledpork

Everything is tracked here:

After the test, you can report your findings on the tracker or directly in this thread

will try to find the time, quite busy ATM

@Stefano_Zamboni did you have the time to try it out?

@Jclendineng or someone of the @quality_team would like to try?

I already had the testing repo installed, so I got the update when you pushed it. Works fine, it was just a url change right?

Can you check @giacomo’s issue? Look at this guide, it would be great if you can add your outcomes there!