Merge branch 'master-IDSv3' into temp-c164-development

2026-04-28 11:43:25 +02:00 · 2022-01-14 14:05:10 +00:00
parent d822bdb5d3 2f62fd0007
commit 86cf6898aa
15 changed files with 2855 additions and 769 deletions
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -159,6 +159,12 @@ restore_backup() {
 		rm -rf "/var/ipfire/snort"
 	fi
 	# IDS multiple providers converter.
 	if [ -e "/var/ipfire/suricata/rules-settings" ]; then
 		# Run the converter
 		convert-ids-multiple-providers
 	fi
 	# Convert DNS settings
 	convert-dns-settings
--- a/config/backup/include
+++ b/config/backup/include
@@ -49,7 +49,7 @@
 /var/ipfire/qos/bin/qos.sh
 /var/ipfire/suricata/*.conf
 /var/ipfire/suricata/*.yaml
-/var/ipfire/suricata/rules-settings
+/var/ipfire/suricata/providers-settings
 /var/ipfire/*/settings
 /var/ipfire/time/
 /var/ipfire/urlfilter
@@ -59,4 +59,5 @@
 /var/log/rrd/*
 /var/log/rrd/collectd
 /var/log/vnstat
-/var/tmp/idsrules.tar.gz
+/var/tmp/idsrules-*.tar.gz
 /var/tmp/idsrules-*.rules
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
--- a/config/oinkmaster/oinkmaster.conf
+++ b/config/oinkmaster/oinkmaster.conf
@@ -182,11 +182,8 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # files from included files. Example to load stuff from "/etc/foo.conf".
 # include /etc/foo.conf
-# Include file for enabled sids.
+# Include file for provider specific includes.
-include /var/ipfire/suricata/oinkmaster-enabled-sids.conf
+include /var/ipfire/suricata/oinkmaster-provider-includes.conf
 # Include file for disabled sids.
 include /var/ipfire/suricata/oinkmaster-disabled-sids.conf
 # Include file which defines the runmode of suricata.
 include /var/ipfire/suricata/oinkmaster-modify-sids.conf
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -4,6 +4,7 @@ usr/sbin/convert-portfw
 usr/sbin/convert-snort
 usr/sbin/convert-xtaccess
 usr/sbin/convert-ids-modifysids-file
 usr/sbin/convert-ids-multiple-providers
 usr/sbin/firewall-policy
 #var/ipfire
 var/ipfire/addon-lang
--- a/config/suricata/convert-ids-multiple-providers
+++ b/config/suricata/convert-ids-multiple-providers
@@ -0,0 +1,284 @@
 #!/usr/bin/perl
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
 # Copyright (C) 2021 IPFire Development Team <info@ipfire.org>                #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
 # the Free Software Foundation, either version 3 of the License, or           #
 # (at your option) any later version.                                         #
 #                                                                             #
 # This program is distributed in the hope that it will be useful,             #
 # but WITHOUT ANY WARRANTY; without even the implied warranty of              #
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
 # GNU General Public License for more details.                                #
 #                                                                             #
 # You should have received a copy of the GNU General Public License           #
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
 ###############################################################################
 use strict;
 require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/ids-functions.pl";
 # Old file declarations
 my $old_rules_settings_file = "$IDS::settingsdir/rules-settings";
 my $old_used_rulefiles_file = "$IDS::settingsdir/suricata-used-rulefiles.yaml";
 my $old_enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf";
 my $old_disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf";
 my $old_rules_tarball = "/var/tmp/idsrules.tar.gz";
 # Script wide variable to store the used ruleset provider.
 my $ruleset_provider;
 # Hashes to store the old and new settings.
 my %old_rules_settings = ();
 my %idssettings = ();
 my %providers_settings = ();
 exit unless(-f $IDS::ids_settings_file and -f $old_rules_settings_file);
 # Read-in all settings.
 &General::readhash($old_rules_settings_file, \%old_rules_settings);
 &General::readhash($IDS::ids_settings_file, \%idssettings);
 #
 ## Step 1: Create new file layout
 #
 &IDS::check_and_create_filelayout();
 #
 ## Step 2: Migrate automatic update interval.
 #
 # Get old configured autoupdate interval.
 my $autoupdate_interval = $old_rules_settings{'AUTOUPDATE_INTERVAL'};
 # Check for valid intervals.
 if ($autoupdate_interval eq "off" || $autoupdate_interval eq "daily" || $autoupdate_interval eq "weekly") {
 	# Put the setting to the new configuration location.
 	$idssettings{'AUTOUPDATE_INTERVAL'} = $autoupdate_interval;
 } else {
 	# Swith to default which should be weekly.
 	$idssettings{'AUTOUPDATE_INTERVAL'} = "weekly";
 }
 # Store the updated idssettings file.
 &General::writehash($IDS::ids_settings_file, \%idssettings);
 #
 ## Step 3: Migrate the providers settings.
 #
 # Try to get the previously configured provider.
 $ruleset_provider = $old_rules_settings{'RULES'};
 # Exit the script if no ruleset provider has configured.
 exit unless ($ruleset_provider);
 # Defaults.
 my $id = "1";
 my $enabled = "enabled";
 my $autoupdate_status = "enabled";
 # Try to get a configured subscription code.
 my $subscription_code = $old_rules_settings{'OINKCODE'};
 # Check if the autoupdate should be disabled.
 if ($idssettings{'AUTOUPDATE_INTERVAL'} eq "off") {
 	# Set the autoupdate for the provider to disabled.
 	$autoupdate_status = "disabled";
 }
 # Create and assign the provider structure to the providers hash.
 $providers_settings{$id} = [ "$ruleset_provider", "$subscription_code", "$autoupdate_status", "$enabled" ];
 # Write the converted provider settings to the new providers-settings file.
 &General::writehasharray($IDS::providers_settings_file, \%providers_settings);
 # Set correct ownership.
 &IDS::set_ownership("$IDS::providers_settings_file");
 # Remove old rules settings file.
 unlink($old_rules_settings_file);
 #
 ## Step 4: Rename downloaded rulestarball to new name sheme.
 #
 # Check if a rulestarball exists.
 if (-f $old_rules_tarball) {
 	# Load perl module which contains the move command.
 	use File::Copy;
 	# Call function to generate the path and filename for the new rules tarball name.
 	my $new_rules_tarball = &IDS::_get_dl_rulesfile($ruleset_provider);
 	# Move the rulestarball to the new location.
 	move($old_rules_tarball, $new_rules_tarball);
 	# Set correct ownership.
 	&IDS::set_ownership("$new_rules_tarball");
 }
 #
 ## Step 5: Migrate oinkmaster configuration files for enabled and disabled rules.
 #
 # Read-in old enabled / disabled sids files.
 my %enabled_disabled_sids = (
 	&IDS::read_enabled_disabled_sids_file($old_enabled_sids_file),
 	&IDS::read_enabled_disabled_sids_file($old_disabled_sids_file)
 );
 # Check if any modifications have been done.
 if (%enabled_disabled_sids) {
 	# Get path and filename for new file.
 	my $oinkmaster_provider_modified_sids_file = &IDS::get_oinkmaster_provider_modified_sids_file($ruleset_provider);
 	# Open the new file for writing.
 	open (FILE, ">", $oinkmaster_provider_modified_sids_file) or die "Could not write to $oinkmaster_provider_modified_sids_file. $!\n";
 	# Write header to the files.
 	print PROVIDER_MOD_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
 	# Loop through the hash.
 	foreach my $sid (keys %enabled_disabled_sids) {
 		# Check if the sid is enabled.
 		if ($enabled_disabled_sids{$sid} eq "enabled") {
 			# Print the sid as enabled to the file.
 			print FILE "enablesid $sid\n";
 		# Check if the sid is disabled.
 		} elsif ($enabled_disabled_sids{$sid} eq "disabled") {
 			# Print the sid as disabled to the file.
 			print FILE "disablesid $sid\n";
 		# Something strange happende - skip the current sid.
 		} else {
 			next;
 		}
 	}
 	# Close the file handle.
 	close(FILE);
 	# Add the provider modifications file to the oinkmaster provider includes file.
 	&IDS::alter_oinkmaster_provider_includes_file("add", "$ruleset_provider");
 	# Set correct ownership for the new generated file.
 	&IDS::set_ownership("$oinkmaster_provider_modified_sids_file");
 }
 # Set correct ownership for the main file.
 &IDS::set_ownership("$IDS::oinkmaster_provider_includes_file");
 # Remove old files.
 unlink($old_enabled_sids_file);
 unlink($old_disabled_sids_file);
 #
 ## Step 6: Call oinkmaster and regenerate the ruleset structures.
 #
 &IDS::oinkmaster();
 # Set correct ownerships.
 &IDS::set_ownership("$IDS::rulespath");
 #
 ## Step 7: Migrate used rulefiles into new format.
 #
 # Check if the a used rulesfile exists.
 if (-f $old_used_rulefiles_file) {
 	# Array to collect the used rulefiles.
 	my @used_rulefiles = ();
 	# Open the file or used rulefiles and read-in content.
 	open(FILE, $old_used_rulefiles_file) or die "Could not open $old_used_rulefiles_file. $!\n";
 	while (<FILE>) {
 		# Assign the current line to a nice variable.
 		my $line = $_;
 		# Remove newlines.
 		chomp($line);
 		# Skip comments.
 		next if ($line =~ /\#/);
 		# Skip blank  lines.
 		next if ($line =~ /^\s*$/);
 		# Gather the rulefile.
 		if ($line =~ /.*- (.*)/) {
 			my $rulefile = $1;
 			# Skip whitelist.rules and local.rules
 			next if ($rulefile eq "whitelist.rules" || $rulefile eq "local.rules");
 			# Splitt the filename into chunks.
 			my @filename = split("-", $rulefile);
 			# Reverse the array.
 			@filename = reverse(@filename);
 			# Get the amount of elements in the array.
 			my $elements = @filename;
 			# Remove last element of the hash.
 			# It contains the vendor name, which will be replaced.
 			if ($elements >= 3) {
 				# Remove last element from hash.
 				pop(@filename);
 			}
 			# Check if the last element of the filename does not
 			# contain the providers name.
 			if ($filename[-1] ne "$ruleset_provider") {
 				# Add provider name as last element.
 				push(@filename, $ruleset_provider);
 			}
 			# Reverse the array back.
 			@filename = reverse(@filename);
 			# Generate the name for the rulesfile.
 			$rulefile = join("-", @filename);
 			# Add the rulefile to the array of used rulesfiles.
 			push(@used_rulefiles, $rulefile);
 		}
 	}
 	# Close the file.
 	close(FILE);
 	# Write the new provider exclusive used rulesfiles file.
 	&IDS::write_used_provider_rulefiles_file($ruleset_provider, @used_rulefiles);
 	# Write main used rulefiles file.
 	&IDS::write_main_used_rulefiles_file("$ruleset_provider");
 	# Get the provider specific used rulefiles file name.
 	my $provider_used_rulefiles_file = &IDS::get_used_provider_rulesfile_file($ruleset_provider);
 	# Set correct ownerships.
 	&IDS::set_ownership("$provider_used_rulefiles_file");
 	&IDS::set_ownership("$IDS::suricata_used_providers_file");
 	&IDS::set_ownership("$IDS::suricata_default_rulefiles_file");
 }
 # Remove old used rulefiles file.
 unlink($old_used_rulefiles_file);
 #
 ## Step 8: Reload the IDS ruleset if running.
 #
 # Check if the IDS is running.
 if(&IDS::ids_is_running()) {
 	# Call suricatactrl to restart it.
 	&IDS::call_suricatactrl("restart");
 }
--- a/config/suricata/convert-snort
+++ b/config/suricata/convert-snort
@@ -118,14 +118,10 @@ my %snortsettings;
 #
 # Add default value for MONITOR_TRAFFIC_ONLY which will be "on"
 # when migrating from snort to the new IDS.
 my %idssettings = (
 	"MONITOR_TRAFFIC_ONLY" => "on",
 );
 # Hash which contains the RULES settings.
 #
 # Set default value for UPDATE_INTERVAL to weekly.
-my %rulessettings = (
+my %idssettings = (
 	"MONITOR_TRAFFIC_ONLY" => "on",
 	"AUTOUPDATE_INTERVAL" => "weekly",
 );
@@ -159,17 +155,27 @@ foreach my $zone (@network_zones) {
 	}
 }
-# Grab the choosen ruleset from snort settings hash and store it in the rules
+# Hash to store the provider settings.
-# settings hash.
+my %providersettings = ();
-$rulessettings{"RULES"} = $snortsettings{"RULES"};
+
 # Default ID.
 $id = "1";
 # Grab the choosen ruleset from snort settings hash.
 my $provider = $snortsettings{"RULES"};
 my $subscription_code;
 # Check if an oinkcode has been provided.
 if($snortsettings{"OINKCODE"}) {
-	# Take the oinkcode from snort settings hash and store it in the rules
+	# Take the oinkcode from snort settings hash.
-	# settings hash.
+	$subscription_code = $snortsettings{"OINKCODE"};
 	$rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"};
 }
 # Generate providers config line and add it to the provider settings hash.
 #
 # Enabled automatic ruleste updates and the usage of the provider.
 $providersettings{$id} = [ "$provider", "$subscription_code", "enabled", "enabled" ];
 #
 ## Step 4: Import guardian settings and whitelist if the addon is installed.
 #
@@ -225,8 +231,8 @@ if (-f $guardian_meta) {
 # Write IDS settings.
 &General::writehash("$IDS::ids_settings_file", \%idssettings);
-# Write rules settings.
+# Write provider settings.
-&General::writehash("$IDS::rules_settings_file", \%rulessettings);
+&General::writehash("$IDS::providers_settings_file", \%providersettings);
 #
 ## Step 6: Generate and write the file to modify the ruleset.
@@ -242,16 +248,19 @@ if (-f $guardian_meta) {
 ## Step 7: Move rulestarball to its new location.
 #
 # Grab file and path to store the provider rules tarball.
 my $rulestarball = &IDS::_get_dl_rulesfile($provider);
 # Check if a rulestarball has been downloaded yet.
 if (-f $snort_rules_tarball) {
 	# Load perl module which contains the move command.
 	use File::Copy;
 	# Move the rulestarball to the new location.
-	move($snort_rules_tarball, $IDS::rulestarball);
+	move($snort_rules_tarball, $rulestarball);
 	# Set correct ownership.
-	&IDS::set_ownership("$IDS::rulestarball");
+	&IDS::set_ownership("$rulestarball");
 # In case no tarball is present, try to download the ruleset.
 } else {
@@ -270,7 +279,7 @@ if (-f $snort_rules_tarball) {
 #
 # Check if a rulestarball is present.
-if (-f $IDS::rulestarball) {
+if (-f $rulestarball) {
 	# Launch oinkmaster by calling the subfunction.
 	&IDS::oinkmaster();
@@ -312,10 +321,10 @@ if (-f $IDS::rulestarball) {
 ## Step 12: Setup automatic ruleset updates.
 #
-# Check if a ruleset is configured.
+# Check if a provider is configured.
-if($rulessettings{"RULES"}) {
+if(%providersettings) {
 	# Call suricatactrl and setup the periodic update mechanism.
-	&IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
+	&IDS::call_suricatactrl("cron", $idssettings{'AUTOUPDATE_INTERVAL'});
 }
 #
@@ -362,7 +371,16 @@ while (my $line = <SNORTCONF>) {
 close(SNORTCONF);
 # Pass the array of enabled rule files to the subfunction and write the file.
-&IDS::write_used_rulefiles_file(@enabled_rule_files);
+&IDS::write_used_provider_rulefiles_file("$provider", @enabled_rule_files);
 &IDS::write_main_used_rulefiles_file("$provider");
 # Grab the used provider rulesfile file path and name.
 my $used_provider_rulesfile_file = &IDS::get_used_provider_rulesfile_file("$provider");
 # Set correct ownership for new files.
 &IDS::set_ownership("$suricata_used_providers_file");
 &IDS::set_ownership("$suricata_static_rulefiles_file");
 &IDS::set_ownership("$used_provider_rulesfile_file");
 #
 ## Step 14: Start the IDS if enabled.
--- a/config/suricata/ruleset-sources
+++ b/config/suricata/ruleset-sources
@@ -1,15 +1,169 @@
-# Ruleset for registered sourcefire users.
+package IDS::Ruleset;
 registered = https://www.snort.org/rules/snortrules-snapshot-29161.tar.gz?oinkcode=<oinkcode>
-# Ruleset for registered sourcefire users with valid subscription.
+# This file contains the supported ruleset providers.
-subscripted = https://www.snort.org/rules/snortrules-snapshot-29161.tar.gz?oinkcode=<oinkcode>
+#
 # Each one is defined as a hash in the main hash.
 # It's name acts as handle/key and the key/value pair acts as data part.
 # So the structure is like the following:
 #
 # handle => {
 # 	summary => A short summary of the service. This also will be shown if no translation string is available for the WUI.
 # 	website => The website of the ruleset provider.
 # 	tr_string => The translation string which is used by the WUI and part of the language files.
 # 	requires_subscription => "True/False" - If some kind of registration code is required in order to download the ruleset.
 # 	dl_url => The download URL to grab the ruleset.
 # 	dl_type => "archive/plain" - To specify, if the downloaded file is a packed archive or a plain text file.
 # },
-# Community rules from sourcefire.
+# Hash which contains the supported ruleset providers.
-community = https://www.snort.org/rules/community
+our %Providers = (
 	# Ruleset for registered sourcefire users.
 	registered => {
 		summary => "Talos VRT rules for registered users",
 		website => "https://www.snort.org",
 		tr_string => "registered user rules",
 		requires_subscription => "True",
 		dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>",
 		dl_type => "archive",
 	},
-# Emerging threads community rules.
+	# Ruleset for registered sourcefire users with a valid subsription.
-emerging = https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz
+	subscripted => {
 		summary => "Talos VRT rules with subscription",
 		website => "https://www.snort.org",
 		tr_string => "subscripted user rules",
 		requires_subscription => "True",
 		dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>",
 		dl_type => "archive",
 	},
-# Emerging threads pro rules.
+	# Community rules from sourcefire.
-emerging_pro = https://rules.emergingthreatspro.com/<oinkcode>/suricata-5.0/etpro.rules.tar.gz
+	community => {
 		summary => "Snort/VRT GPLv2 Community Rules",
 		website => "https://www.snort.org",
 		tr_string => "community rules",
 		requires_subscription => "False",
 		dl_url => "https://www.snort.org/rules/community",
 		dl_type => "archive",
 	},
 	# Emerging threads community rules.
 	emerging => {
 		summary => "Emergingthreats.net Community Rules",
 		website => "https://emergingthreats.net/",
 		tr_string => "emerging rules",
 		requires_subscription => "False",
 		dl_url => "https://rules.emergingthreats.net/open/suricata-5.0/emerging.rules.tar.gz",
 		dl_type => "archive",
 	},
 	# Emerging threads Pro rules.
 	emerging_pro => {
 		summary => "Emergingthreats.net Pro Rules",
 		website => "https://emergingthreats.net/",
 		tr_string => "emerging pro rules",
 		requires_subscription => "True",
 		dl_url => "https://rules.emergingthreatspro.com/<subscription_code>/suricata-5.0/etpro.rules.tar.gz",
 		dl_type => "archive",
 	},
 	# Abuse.ch SSLBL JA3 fingerprint rules.
 	sslbl_ja3 => {
 		summary => "Abuse.ch SSLBL JA3 Rules",
 		website => "https://sslbl.abuse.ch/",
 		tr_string => "sslbl ja3 fingerprint rules",
 		requires_subscription => "False",
 		dl_url => "https://sslbl.abuse.ch/blacklist/ja3_fingerprints.rules",
 		dl_type => "plain",
 	},
 	# Abuse.ch SSLBL Blacklist rules.
 	sslbl_blacklist => {
 		summary => "Abuse.ch SSLBL Blacklist Rules",
 		website => "https://sslbl.abuse.ch/",
 		tr_string => "sslbl blacklist rules",
 		requires_subscription => "False",
 		dl_url => "https://sslbl.abuse.ch/blacklist/sslblacklist.rules",
 		dl_type => "plain",
 	},
 	# Abuse.ch URLhaus Blacklist rules.
 	urlhaus => {
 		summary => "Abuse.ch URLhaus Blacklist Rules",
 		website => "https://urlhaus.abuse.ch/",
 		tr_string => "urlhaus blacklist rules",
 		requires_subscription => "False",
 		dl_url => "https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz",
 		dl_type => "archive",
 	},
 	# Etnetera Aggressive Blacklist.
 	etnetera_aggresive => {
 		summary => "Etnetera Aggressive Blacklist Rules",
 		website => "https://security.etnetera.cz/",
 		tr_string => "etnetera aggressive blacklist rules",
 		requires_subscription => "False",
 		dl_url => "https://security.etnetera.cz/feeds/etn_aggressive.rules",
 		dl_type => "plain",
 	},
 	# OISF Traffic ID rules.
 	oisf_trafficid => {
 		summary => "OISF Traffic ID Rules",
 		website => "https://www.openinfosecfoundation.org/",
 		tr_string => "oisf traffic id rules",
 		requires_subscription => "False",
 		dl_url => "https://openinfosecfoundation.org/rules/trafficid/trafficid.rules",
 		dl_type => "plain",
 	},
 	# Positive Technologies Attack Detection Team rules.
 	attack_detection => {
 		summary => "PT Attack Detection Team Rules",
 		website => "https://github.com/ptresearch/AttackDetection",
 		tr_string => "attack detection team rules",
 		requires_subscription => "False",
 		dl_url => "https://raw.githubusercontent.com/ptresearch/AttackDetection/master/pt.rules.tar.gz",
 		dl_type => "archive",
 	},
 	# Secureworks Security rules.
 	secureworks_security => {
 		summary => "Secureworks Security Ruleset",
 		website => "https://www.secureworks.com",
 		tr_string => "secureworks security ruleset",
 		requires_subscription => "True",
 		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-security_latest.tgz",
 		dl_type => "archive",
 	},
 	# Secureworks Malware rules.
 	secureworks_malware => {
 		summary => "Secureworks Malware Ruleset",
 		website => "https://www.secureworks.com",
 		tr_string => "secureworks malware ruleset",
 		requires_subscription => "True",
 		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-malware_latest.tgz",
 		dl_type => "archive",
 	},
 	# Secureworks Enhanced rules.
 	secureworks_enhanced => {
 		summary => "Secureworks Enhanced Ruleset",
 		website => "https://www.secureworks.com",
 		tr_string => "secureworks enhanced ruleset",
 		requires_subscription => "True",
 		dl_url => "https://ws.secureworks.com/ti/ruleset/<subscription_code>/Suricata_suricata-enhanced_latest.tgz",
 		dl_type => "archive",
 	},
 	# Travis B. Green hunting rules.
 	tgreen => {
 		summary => "Travis Green - Hunting rules",
 		website => "https://github.com/travisbgreen/hunting-rules",
 		tr_string => "travis green hunting rules",
 		requires_subscription => "False",
 		dl_url => "https://raw.githubusercontent.com/travisbgreen/hunting-rules/master/hunting.rules",
 		dl_type => "plain",
 	},
 );
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -46,16 +46,15 @@ vars:
 ##
 default-rule-path: /var/lib/suricata
 rule-files:
-    # Include enabled ruleset files from external file
+    # Include enabled ruleset files from external file.
-    include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+    include: /var/ipfire/suricata/suricata-used-providers.yaml
    # Include default rules.
    include: /var/ipfire/suricata/suricata-default-rules.yaml
-classification-file: /var/lib/suricata/classification.config
+classification-file: /usr/share/suricata/classification.config
-reference-config-file: /var/lib/suricata/reference.config
+reference-config-file: /usr/share/suricata/reference.config
-threshold-file: /var/lib/suricata/threshold.config
+threshold-file: /usr/share/suricata/threshold.config
 ##
 ## Logging options.
@@ -64,7 +63,7 @@ default-log-dir: /var/log/suricata/
 # global stats configuration
 stats:
-  enabled: yes
+  enabled: no
  # The interval field (in seconds) controls at what interval
  # the loggers are invoked.
  interval: 8
@@ -318,7 +317,7 @@ logging:
  # compiled with the --enable-debug configure option.
  #
  # This value is overriden by the SC_LOG_LEVEL env var.
-  default-log-level: notice
+  default-log-level: Info
  # A regex to filter output.  Can be overridden in an output section.
  # Defaults to empty (no filter).
@@ -522,6 +521,41 @@ app-layer:
           double-decode-path: no
           double-decode-query: no
    # Note: Modbus probe parser is minimalist due to the poor significant field
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positive
    modbus:
      # How many unreplied Modbus requests are considered a flood.
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
      #request-flood: 500
      enabled: no
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)
      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0
    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    dhcp:
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1372,11 +1372,17 @@
 'idle' => 'Leerlauf',
 'idle timeout' => 'Leerlaufwartezeit in Minuten (0 zum Deaktivieren):',
 'idle timeout not set' => 'Leerlaufwartezeit nicht angegeben.',
 'ids add provider' => 'Provider hinzufügen',
 'ids apply' => 'Übernehmen',
 'ids apply ruleset changes' => 'Regeländerungen werden übernommen. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids autoupdates' => 'Automatische Updates',
 'ids automatic rules update' => 'Automatische Regelaktualisierung',
-'ids download new ruleset' => 'Das neue Regelsatz wird heruntergeladen und entpackt. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
+'ids could not add provider' => 'Provider konnte nicht hinzugefügt werden',
 'ids customize ruleset' => 'Regelset anpassen',
 'ids download new ruleset' => 'Das neue Regelset wird heruntergeladen und entpackt. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids enable' => 'Einbruchsverhinderungssystem aktivieren',
 'ids enable automatic updates' => 'Automatische Updates aktivieren',
 'ids force ruleset update' => 'Regelset jetzt aktualisieren',
 'ids hide' => 'Verstecken',
 'ids ignored hosts' => 'Ausnahmeliste',
 'ids log hits' => 'Gesamtanzahl der Regeltreffer für',
@@ -1385,12 +1391,18 @@
 'ids monitor traffic only' => 'Netzwerkpakete nur überprüfen (nicht verwerfen)',
 'ids monitored interfaces' => 'Überwachte Netzwerkzonen',
 'ids no network zone' => 'Bitte wählen Sie mindestens eine zu überwachende Netzwerkzone aus',
-'ids no ruleset available' => 'Es ist kein Regelsatz verfügbar. Bitte laden Sie einen Regelsatz herunter.',
+'ids no enabled ruleset provider' => 'Es ist kein aktivierter Provider verfügbar. Bitte aktivieren Sie einen oder fügen Sie einen Provider hinzu.',
 'ids oinkcode required' => 'Für den ausgewählten Regelsatz wird ein Abonnement oder ein Oinkcode benötigt',
 'ids provider' => 'Regelset-Anbieter',
 'ids provider settings' => 'Regelset-Anbieter-Einstellungen',
 'ids reset provider' => 'Providereinstellungen zurücksetzen',
 'ids rules update' => 'Regelsatz',
 'ids ruleset autoupdate in progress' => 'Der Regelsatz wird gerade aktualisiert. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde...',
 'ids ruleset settings' => 'Regelsatzeinstellungen',
 'ids show' => 'Anzeigen',
 'ids the choosen provider is already in use' => 'Der gewhählte Provider wird bereits verwendet.',
 'ids unable to download the ruleset' => 'Das Regelset konnte nicht heruntergeladen werden.',
 'ids visit provider website' => 'Anbieter-Webseite besuchen',
 'ids working' => 'Änderungen werden übernommen. Bitte warten Sie, bis dieser Vorgang erfolgreich beendet wurde.',
 'iface' => 'Iface',
 'ignore filter' => '&quot;Ignorieren&quot;-Filter',
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1401,11 +1401,17 @@
 'idle' => 'Idle',
 'idle timeout' => 'Idle timeout (mins; 0 to disable):',
 'idle timeout not set' => 'Idle timeout not set.',
 'ids add provider' => 'Add provider',
 'ids apply' => 'Apply',
 'ids apply ruleset changes' => 'The ruleset changes are being applied. Please wait until all operations have completed successfully...',
 'ids autoupdates' => 'Automatic updates',
 'ids automatic rules update' => 'Automatic Rule Update',
 'ids could not add provider' => 'Could not add provider',
 'ids customize ruleset' => 'Customize ruleset',
 'ids download new ruleset' => 'Downloading and unpacking new ruleset. Please wait until all operations have completed successfully...',
 'ids enable' => 'Enable Intrusion Prevention System',
 'ids enable automatic updates' => 'Enable automatic updates',
 'ids force ruleset update' => 'Force ruleset update',
 'ids hide' => 'Hide',
 'ids ignored hosts' => 'Whitelisted Hosts',
 'ids log hits' => 'Total of number of activated rules for',
@@ -1414,12 +1420,18 @@
 'ids monitor traffic only' => 'Monitor traffic only',
 'ids monitored interfaces' => 'Monitored Interfaces',
 'ids no network zone' => 'Please select at least one network zone to be monitored',
-'ids no ruleset available' => 'No ruleset is available. Please download one first',
+'ids no enabled ruleset provider' => 'No enabled ruleset is available. Please activate or add one first.',
-'ids oinkcode required' => 'The selected ruleset requires a subscription or an Oinkcode',
+'ids subscription code required' => 'The selected ruleset requires a subscription code',
 'ids provider' => 'Provider',
 'ids provider settings' => 'Provider settings',
 'ids reset provider' => 'Reset provider',
 'ids rules update' => 'Ruleset',
 'ids ruleset autoupdate in progress' => 'Ruleset update in progress. Please wait until all operations have completed successfully...',
 'ids ruleset settings' => 'Ruleset Settings',
 'ids show' => 'Show',
 'ids the choosen provider is already in use' => 'The choosen provider is already in use.',
 'ids unable to download the ruleset' => 'Unable to download the ruleset',
 'ids visit provider website' => 'Visit provider website',
 'ids working' => 'Changes are being applied. Please wait until all operations have completed successfully...',
 'iface' => 'Iface',
 'ignore filter' => 'Ignore filter',
@@ -1497,7 +1509,7 @@
 'invalid input for max clients' => 'Invalid input for Max Clients. The maximum of 1024 clients has been exceeded',
 'invalid input for mode' => 'Invalid input for mode',
 'invalid input for name' => 'Invalid input for user\'s full name or system hostname',
-'invalid input for oink code' => 'Invalid input for Oink code',
+'invalid input for subscription code' => 'Invalid input for subscription code',
 'invalid input for organization' => 'Invalid input for organization',
 'invalid input for remote host/ip' => 'Invalid input for remote host/ip.',
 'invalid input for state or province' => 'Invalid input for state or province.',
@@ -2371,6 +2383,7 @@
 'subnet is invalid' => 'Netmask is invalid',
 'subnet mask' => 'Subnet Mask',
 'subscripted user rules' => 'Talos VRT rules with subscription',
 'subscription code' => 'Subscription code',
 'successfully refreshed updates list' => 'Successfully refreshed updates list.',
 'summaries kept' => 'Keep summaries for',
 'sunday' => 'Sunday',
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -138,6 +138,7 @@ $(TARGET) :
 	# Install snort to suricata converter.
 	cp $(DIR_SRC)/config/suricata/convert-snort	/usr/sbin/convert-snort
 	cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file   /usr/sbin/convert-ids-modifysids-file
 	cp $(DIR_SRC)/config/suricata/convert-ids-multiple-providers /usr/sbin/convert-ids-multiple-providers
 	# set converters executable
 	chmod 755 /usr/sbin/convert-*
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -100,15 +100,19 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	# Install yaml file for loading default rules.
 	install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata
 	# Set correct ownership for the default rules file.
 	chown nobody:nobody /var/ipfire/suricata/suricata-default-rules.yaml
 	# Create emtpy rules directory.
 	-mkdir -p /var/lib/suricata
 	# Move config files for references, threshold and classification
 	# to the rules directory.
-	mv /etc/suricata/*.config /var/lib/suricata
+	rm -rfv /etc/suricata/*.config
-	# Set correct permissions for the files.
+	# Set correct ownership for the classifiction config file.
-	chmod 644 /var/lib/suricata/*.config
+	# (File has to be writeable for the nobody user)
 	chown nobody:nobody /usr/share/suricata/classification.config
 	# Set correct ownership for /var/lib/suricata and the
 	# contained files
--- a/src/scripts/update-ids-ruleset
+++ b/src/scripts/update-ids-ruleset
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2018 IPFire Team  <info@ipfire.org>                           #
+# Copyright (C) 2018-2021 IPFire Team  <info@ipfire.org>                      #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -26,6 +26,9 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/ids-functions.pl";
 require "${General::swroot}/lang.pl";
 # Hash to store the configured providers.
 my %providers = ();
 # The user and group name as which this script should be run.
 my $run_as = 'nobody';
@@ -39,6 +42,17 @@ if ( $> == 0 ) {
 	POSIX::setuid( $uid );
 }
 # Check if the IDS lock file exists.
 # In this case the WUI or another instance currently is altering the
 # ruleset.
 if (-f "$IDS::ids_page_lock_file") {
 	# Store notice to the syslog.
 	&IDS::_log_to_syslog("Another process currently is altering the IDS ruleset.");
 	# Exit.
 	exit 0;
 }
 # Check if the red device is active.
 unless (-e "${General::swroot}/red/active") {
 	# Store notice in the syslog.
@@ -63,21 +77,37 @@ if(&IDS::checkdiskspace()) {
 # Lock the IDS page.
 &IDS::lock_ids_page();
-# Call the download function and gather the new ruleset.
+# Grab the configured providers.
-if(&IDS::downloadruleset()) {
+&General::readhasharray("$IDS::providers_settings_file", \%providers);
 	# Store error message for displaying in the WUI.
 	&IDS::_store_error_message("$Lang::tr{'could not download latest updates'}");
-	# Unlock the IDS page.
+# Loop through the array of available providers.
-	&IDS::unlock_ids_page();
+foreach my $id (keys %providers) {
 	# Assign some nice variabled.
 	my $provider = $providers{$id}[0];
 	my $autoupdate_status = $providers{$id}[3];
-	# Exit.
+	# Skip the provider if autoupdate is not enabled.
-	exit 0;
+	next unless($autoupdate_status eq "enabled");
 	# Call the download function and gather the new ruleset for the current processed provider.
 	if(&IDS::downloadruleset($provider)) {
 		# Store error message for displaying in the WUI.
 		&IDS::_store_error_message("$provider: $Lang::tr{'could not download latest updates'}");
 		# Unlock the IDS page.
 		&IDS::unlock_ids_page();
 		# Exit.
 		exit 0;
 	}
 	# Get path and name of the stored rules file or archive.
 	my $stored_file = &IDS::_get_dl_rulesfile($provider);
 	# Set correct ownership for the downloaded tarball.
 	&IDS::set_ownership("$stored_file");
 }
 # Set correct ownership for the downloaded tarball.
 &IDS::set_ownership("$IDS::rulestarball");
 # Call oinkmaster to alter the ruleset.
 &IDS::oinkmaster();