At least these informations are required to display something usefull
on the webgui, even if a provider has been dropped.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The PT Attack ruleset has not been updated since 2021 and made read-only in 2022
The PT Attack website no longer has any reference to Suricata Rulesets. The PT Attack
ruleset is being removed.
- The Secureworks three rulesets are no longer available. The website path gives a 404
error. No mention of Suricata rulesets in the Secureworks website. The Secureworks three
rulesets are being removed.
- ThreatFox ruleset has been added to the list. Both a plain and archive version of the
rules are available but the plain version is being regularly updated while the archive
version was last updated 5 days ago. So this patch has implemented the plain version.
- All above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As
mentioned by Stefan removing PT Attack means it is not available in the list of
providers but the provider stays in the providers table but with the line shown in red.
I will update the wiki to mention the red highlight and what it means.
Suggested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
All of a sudden this ruleset provider has dissapeared from Github.
I was not able to find any further details or web page or the ruleset
anymore.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This file got obsolete, because it's content will be generated
dynamically by the backend code.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
convert-ids-modifications-files converter.
This converter also will convert the used rulesfiles file for the
providers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
rulefiles.
Suricata seems to struggle when using multiple and/or nested includes in
the same config section. This results in a only partially loaded
confguration where not all rulefiles are loaded and used.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This converter is responsible to convert the old oinkmaster modification
files into the new files and format.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
our current suricata version not support JA3 based rules so
this drop the providers from the list.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Suricata will print a warning on startup if the collection of stats
is enabled but no stats logger, which will print them out is enabled.
Acctually we do not use any stats so this safely can be disabled.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will prevent suricata from displaying a warning on startup and
anyway would be the log level which suricata switches in such a case.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
All of them are disabled by default, but may be needed in some
environments and so easily can be enabled there.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This converter does all the magic to convert any suricata
based IPFire version to work with the new multiple providers
IDS.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The selected rulesfiles of a provider now will be written to an own
provider exclusive yaml file, which will be included dynamically when
the provider is enabled or not.
This allows very easy handling to enable or disable a provider, in this
case the file which keeps the enabled providers rulesets only needs to
be included in the main file or even not.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The file now contains a lot more of data and easily can be extended
to provide more and new providers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The parsers for those are disabled in the suricata config so
the rules are not needed, on the contrary they massively will spam
warnings when launching suricate because of the disabled parsers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will allow us more insight on what is
happening.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
