
0004559: Intrusion Prevention auto-update not working in EFW 2.5.2 - MantisBT
ID: 0004559
Project: Endian Firewall
Category: Intrusion Prevention
View Status: public
Date Submitted: 2013-08-19 01:49
Last Update: 2013-09-12 07:11
Reporter: gmar_87
Assigned To: luca-endian
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: unable to reproduce
Product Version: Endian Firewall Community 2.5.2
Target Version: 2.5
Summary: 0004559: Intrusion Prevention auto-update not working in EFW 2.5.2
Description:
Intrusion Prevention auto-update not working in EFW 2.5.2 Community devel release.
Manual update using the "update rules now" button from the GUI works.

Re-applied the following config, but still no auto-update:
- Automatically fetch SNORT rules enabled.
- Update schedule hourly.
Steps To Reproduce:
1. Configure Intrusion Prevention from GUI to perform auto-updates
2. Wait for update frequency and check if IPS signatures have updated
3. IPS signatures do not update
Additional Information:
Logs from /var/log/endian/jobsengine

11:41:52 is the auto-update
11:43:31 is the manual update

The manual request has "force:True" instead of "force:False".

Aug 19 11:41:52 PROXY1 jobsengine[2645]: ENGINE-fire action:fetchsnortrules.restart params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Aug 19 11:43:31 PROXY1 jobsengine[2645]: ENGINE-fire action:fetchsnortrules.restart params:options(force:True,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:True,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
No tags attached.
Issue History
2013-08-19 01:49  gmar_87        New Issue
2013-08-19 01:51  gmar_87        Note Added: 0008451
2013-08-26 08:36  luca-endian    Note Added: 0008462
2013-08-26 08:36  luca-endian    Assigned To => luca-endian
2013-08-26 08:36  luca-endian    Status: new => feedback
2013-08-26 10:03  gmar_87        Note Added: 0008468
2013-08-26 10:03  gmar_87        Status: feedback => new
2013-08-27 11:11  gmar_87        Note Added: 0008475
2013-09-04 13:06  carlos-endian  Note Added: 0008509
2013-09-04 13:08  carlos-endian  Note Edited: 0008509
2013-09-05 11:55  gmar_87        Note Added: 0008510
2013-09-05 13:09  carlos-endian  Note Added: 0008511
2013-09-05 13:44  carlos-endian  Note Added: 0008512
2013-09-10 07:14  gmar_87        Note Added: 0008516
2013-09-10 07:19  gmar_87        Note Added: 0008517
2013-09-10 07:58  carlos-endian  Note Added: 0008518
2013-09-11 05:08  gmar_87        Note Added: 0008519
2013-09-11 05:08  gmar_87        Note Edited: 0008519
2013-09-12 07:10  luca-endian    Note Added: 0008520
2013-09-12 07:11  luca-endian    Status: new => closed
2013-09-12 07:11  luca-endian    Resolution: open => unable to reproduce

Notes
(0008451)
gmar_87   
2013-08-19 01:51   
2.5.2 was installed using efw-upgrade from 2.5.1.
(0008462)
luca-endian   
2013-08-26 08:36   
Without "force", the signatures should be downloaded only if they are newer; could that be the reason why they seem not to be updated?
(0008468)
gmar_87   
2013-08-26 10:03   
I will monitor http://rules.emergingthreats.net/open/snort-2.8.6/ and see if my installation of EFW 2.5.2 auto-updates when Emerging Threats release new signatures.
(0008475)
gmar_87   
2013-08-27 11:11   
New rules exist on http://rules.emergingthreats.net/open/snort-2.8.6/ (26-Aug-2013 22:01). I have compared the rules and confirmed the new rules contain differences.

The hourly FETCHSNORTRULES has been running, but my signatures have not updated. The GUI shows "Rules last updated: Sun Aug 25 22:05:37 2013".
(0008509)
carlos-endian   
2013-09-04 13:06   
(edited on: 2013-09-04 13:08)
Hi,

in my Community install the signature auto-update works fine.
I have put fetchsnortrules in debug mode and I have these entries in the jobsengine log file:

Sep 4 12:54:42 old-community jobsengine[2363]: ENGINE-fire action:fetchsnortrules.restart params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-Initializing notification for service 'FETCHSNORTRULES'
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-Start download job.
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-Etag not changed. Skip http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz.
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-No new data: skip download.

Please, if you experience the problem again, could you enable debug mode? In /usr/local/bin/fetchsnortrules, change the default in this line:
parser.add_option("-d", "--debug", dest="debug", action="store_true",
                  help="Be more verbose", default=True)

then check the log file after the auto-update.

(0008510)
gmar_87   
2013-09-05 11:55   
Here is the output with debug mode enabled.

Sep 5 21:44:27 PROXY1 jobsengine[2641]: ENGINE-fire action:fetchsnortrules.restart params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Sep 5 21:44:27 PROXY1 jobsengine[2641]: ENGINE-fire action:getblackholedns.restart params:options(debug:False,force:False,update:False) event:request(status:restart,params:options(debug:False,force:False,update:False),name:getblackholedns)
Sep 5 21:44:27 PROXY1 jobsengine[31926]: FETCHSNORTRULES-Initializing notification for service 'FETCHSNORTRULES'
Sep 5 21:44:27 PROXY1 jobsengine[31926]: FETCHSNORTRULES-Start download job.
Sep 5 21:44:28 PROXY1 jobsengine[31927]: GETBLACKHOLEDNS-Download url: http://data.phishtank.com/data/online-valid.csv.gz to /var/tmp/tmpneDB7Z/tmpP61txP
Sep 5 21:44:28 PROXY1 jobsengine[31926]: FETCHSNORTRULES-Etag not changed. Skip http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz.
Sep 5 21:44:28 PROXY1 jobsengine[31926]: FETCHSNORTRULES-No new data: skip download.
(0008511)
carlos-endian   
2013-09-05 13:09   
In the output, as you can see, there are no errors; the only strange thing is the link from which the rules are updated.

I need more information: could you check the file /usr/lib/efw/snort/default/settings and see what SNORT_RULES_URL is?
Did you upgrade your Community install from 2.5.1 or a previous version, or did you install 2.5.2 from the ISO image?
(0008512)
carlos-endian   
2013-09-05 13:44   
Did you import a backup?
Could you check /var/efw/snort/? Thanks.
(0008516)
gmar_87   
2013-09-10 07:14   
I upgraded 2.5.1 to 2.5.2 using "efw-upgrade".

Contents of /usr/lib/efw/snort/default/settings

RULESTYPE=community
ENABLED=0
POSTGRESQL=off
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
SNORT_RULES_ETAG=
ENABLED_RULES=auto,custom
UPDATE_SCHEDULE=daily
SNORT_DEFAULT_POLICY=alert
SNORT_LOG_ROTATE=
CREDENTIALS=off
SIGNATURES_VERSION=2.8.6


Contents of /var/efw/snort/settings

ENABLED=1
ENABLED_RULES=auto
NTOP_ENABLED=off
SNORT_RULES_ETAG="1c0005-16a2b3-4c1b4b7ec72ea"
SNORT_RULES_URL=http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz
UPDATE_SCHEDULE=hourly
(0008517)
gmar_87   
2013-09-10 07:19   
I just renamed /var/efw/snort/settings and re-applied snort settings through GUI. The contents of the settings file changed to:

SNORT_RULES_ETAG=
RULESTYPE=community
CREDENTIALS=off
POSTGRESQL=off
ENABLED_RULES=auto,custom
ENABLED=1
SNORT_LOG_ROTATE=
SNORT_DEFAULT_POLICY=alert
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
SIGNATURES_VERSION=2.8.6
UPDATE_SCHEDULE=hourly


I then forced an update of snort rules via gui and the settings file now contains:

ENABLED=1
SNORT_RULES_ETAG="1f02ff9-15b9ca-4e5be5b96d080"
UPDATE_SCHEDULE=hourly
(0008518)
carlos-endian   
2013-09-10 07:58   
The issue is the link used to download the snort rules.
The right link is:
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

The other one (SNORT_RULES_URL=http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz) is an old link. I don't understand why it was present in your configuration; probably in the past you imported a backup?

Now, when the auto-update starts, you must see the right link in the logs.
Please check in /var/signature/snort/auto whether the rules are updated (after your forced update). Over the next day take a look at this folder and check whether the files are updated against the snort repository.
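As an added example, not code from this report or from Endian's fetchsnortrules, the script below replays in Python the failure mode that notes 0008509 through 0008518 pin down: a per-host /var/efw/snort/settings carrying a stale SNORT_RULES_URL plus the ETag cached for that URL, so every hourly run (force:False) ends in "Etag not changed ... No new data: skip download", while a forced run downloads from the wrong mirror. It assumes the KEY=VALUE file format and the precedence of the per-host file over /usr/lib/efw/snort/default/settings shown in the thread, and the mirror ETags it serves are constructed from the two values quoted in notes 0008516 and 0008517. `stale_overrides` is the check a practitioner would run first.

```python
# Added example (not Endian's updater): stale per-host SNORT_RULES_URL + cached
# ETag -> perpetual "skip download"; and the check that catches the override.
# Assumptions: settings files are KEY=VALUE lines, the per-host file overrides
# the shipped default, and the updater compares the mirror's ETag with
# SNORT_RULES_ETAG unless --force is given. Mirror ETags are constructed.

DEFAULT_URL = "http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz"
STALE_URL = "http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz"

# Constructed to mirror /usr/lib/efw/snort/default/settings from note 0008516.
DEFAULT_SETTINGS = f"""\
RULESTYPE=community
ENABLED=0
SNORT_RULES_URL={DEFAULT_URL}
SNORT_RULES_ETAG=
UPDATE_SCHEDULE=daily
"""

# Constructed to mirror the per-host /var/efw/snort/settings from the same note.
HOST_SETTINGS = f"""\
ENABLED=1
SNORT_RULES_ETAG="1c0005-16a2b3-4c1b4b7ec72ea"
SNORT_RULES_URL={STALE_URL}
UPDATE_SCHEDULE=hourly
"""

# Constructed: the retired mirror serves one frozen archive; the live one has moved on.
MIRROR_ETAGS = {
    STALE_URL: "1c0005-16a2b3-4c1b4b7ec72ea",
    DEFAULT_URL: "1f02ff9-15b9ca-4e5be5b96d080",
}


def parse_settings(text):
    """KEY=VALUE lines to a dict; surrounding double quotes are stripped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip().strip('"')
    return out


def effective_settings(default_text, host_text):
    """Per-host keys win over shipped defaults, as the two files in the report show."""
    settings = parse_settings(default_text)
    settings.update(parse_settings(host_text))
    return settings


def stale_overrides(default_text, host_text, keys=("SNORT_RULES_URL",)):
    """Keys whose per-host value differs from the default: {key: (default, host)}."""
    default, host = parse_settings(default_text), parse_settings(host_text)
    return {k: (default.get(k), host[k]) for k in keys
            if k in host and host[k] != default.get(k)}


def fetch_rules(settings, mirror_etags, force=False):
    """One updater run: (outcome, url); SNORT_RULES_ETAG is updated on download."""
    url = settings["SNORT_RULES_URL"]
    etag = mirror_etags.get(url)
    if etag is None:
        return ("error", url)
    if not force and etag == settings.get("SNORT_RULES_ETAG", ""):
        return ("skip", url)  # "Etag not changed ... No new data: skip download."
    settings["SNORT_RULES_ETAG"] = etag
    return ("download", url)


def reset_host_overrides(host_text, keys=("SNORT_RULES_URL", "SNORT_RULES_ETAG")):
    """What renaming the file and re-applying from the GUI achieved: drop the stale keys."""
    kept = [line for line in host_text.splitlines()
            if line.split("=", 1)[0].strip() not in keys]
    return "\n".join(kept) + "\n"


def simulate():
    """Replay the report: hourly skip, forced download from the wrong source, then the fix."""
    runs = []
    stale = effective_settings(DEFAULT_SETTINGS, HOST_SETTINGS)
    runs.append(("stale-auto",) + fetch_rules(stale, MIRROR_ETAGS))
    runs.append(("stale-force",) + fetch_rules(stale, MIRROR_ETAGS, force=True))
    fixed = effective_settings(DEFAULT_SETTINGS, reset_host_overrides(HOST_SETTINGS))
    runs.append(("fixed-auto-1",) + fetch_rules(fixed, MIRROR_ETAGS))
    runs.append(("fixed-auto-2",) + fetch_rules(fixed, MIRROR_ETAGS))  # legitimate skip
    return runs


if __name__ == "__main__":
    for key, (default, host) in stale_overrides(DEFAULT_SETTINGS, HOST_SETTINGS).items():
        print(f"override {key}: host={host} default={default}")
    for run in simulate():
        print(*run)
```

The point the replay makes is that an unchanged ETag from a retired mirror is indistinguishable, in the skip message, from "no new rules": the line worth verifying in the jobsengine debug output is the URL FETCHSNORTRULES prints, compared against SNORT_RULES_URL in the default settings file. Both URLs in this thread are plain http, so the ETag is only a freshness hint for the configured source, not an integrity check on the rules.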
(0008519)
gmar_87   
2013-09-11 05:08   
Auto updates are now working after renaming original settings file and recreating through the GUI. :)

The original install of 2.5.1 probably had a backup config imported. 2.5.1 was then upgraded to 2.5.2, but no new config import.

Thanks for your help!

(0008520)
luca-endian   
2013-09-12 07:10   
Renamed? Strange... maybe something with the modification date or permissions?
BTW, it seems an isolated case.

I'm closing this bug.