
0004559: Intrusion Prevention auto-update not working in EFW 2.5.2 - MantisBT Endian Bugtracker
View Issue Details

ID: 0004559
Project: Endian Firewall
Category: Intrusion Prevention
View Status: public
Date Submitted: 2013-08-19 01:49
Last Update: 2013-09-12 07:11
Reporter: gmar_87
Assigned To: luca-endian
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: unable to reproduce
Platform: Endian Firewall Community 2.5.2
Product Version: 2.5
Summary: 0004559: Intrusion Prevention auto-update not working in EFW 2.5.2
Description:
Intrusion Prevention auto-update not working in EFW 2.5.2 Community devel release.
Manual update using the "update rules now" button from the GUI works.

Re-applied the following config, but still no auto-update:
- Automatically fetch SNORT rules enabled.
- Update schedule hourly.
Steps To Reproduce:
1. Configure Intrusion Prevention from the GUI to perform auto-updates
2. Wait for the update frequency and check if IPS signatures have updated
3. IPS signatures do not update
Additional Information:
Logs from /var/log/endian/jobsengine

11:41:52 is the auto-update
11:43:31 is the manual update

The manual request has "force:True" instead of "force:False".

Aug 19 11:41:52 PROXY1 jobsengine[2645]: ENGINE-fire action:fetchsnortrules.restart params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Aug 19 11:43:31 PROXY1 jobsengine[2645]: ENGINE-fire action:fetchsnortrules.restart params:options(force:True,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:True,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:False,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Tags: No tags attached.

Notes
(0008451)
gmar_87 (reporter)
2013-08-19 01:51

2.5.2 was installed using efw-upgrade from 2.5.1
(0008462)
luca-endian (developer)
2013-08-26 08:36

Without "force" the signatures are downloaded only if they are newer; could that be the reason why they seem not updated?
(0008468)
gmar_87 (reporter)
2013-08-26 10:03

I will monitor http://rules.emergingthreats.net/open/snort-2.8.6/ and see if my installation of EFW 2.5.2 auto-updates when Emerging Threats release new signatures.
(0008475)
gmar_87 (reporter)
2013-08-27 11:11

New rules exist on http://rules.emergingthreats.net/open/snort-2.8.6/ (26-Aug-2013 22:01). I have compared the rules and confirmed the new rules contain differences.

The hourly FETCHSNORTRULES has been running, but my signatures have not updated. The GUI shows "Rules last updated: Sun Aug 25 22:05:37 2013"
(0008509)
carlos-endian (reporter)
2013-09-04 13:06
edited on: 2013-09-04 13:08

Hi,

in my community installation the signature auto-update works fine.
I have put fetchsnortrules in debug mode and I have this entry in the jobsengine log file:

Sep 4 12:54:42 old-community jobsengine[2363]: ENGINE-fire action:fetchsnortrules.restart params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-Initializing notification for service 'FETCHSNORTRULES'
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-Start download job.
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-Etag not changed. Skip http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz.
Sep 4 12:54:42 old-community jobsengine[7669]: FETCHSNORTRULES-No new data: skip download.

Please, if you experience the problem again, could you enable debug mode? In /usr/local/bin/fetchsnortrules, change the default in this line:
parser.add_option("-d", "--debug", dest="debug", action="store_true",
                  help="Be more verbose", default=True)

then check the log file after the auto-update.

(0008510)
gmar_87 (reporter)
2013-09-05 11:55

Here is the output with debug mode enabled.

Sep 5 21:44:27 PROXY1 jobsengine[2641]: ENGINE-fire action:fetchsnortrules.restart params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False) event:request(status:restart,params:options(force:False,tmp_dir:False,http_username:False,no_post:False,no_block_rules:True,no_pre:False,debug:True,no_post_un_compress:False,http_password:False),name:fetchsnortrules)
Sep 5 21:44:27 PROXY1 jobsengine[2641]: ENGINE-fire action:getblackholedns.restart params:options(debug:False,force:False,update:False) event:request(status:restart,params:options(debug:False,force:False,update:False),name:getblackholedns)
Sep 5 21:44:27 PROXY1 jobsengine[31926]: FETCHSNORTRULES-Initializing notification for service 'FETCHSNORTRULES'
Sep 5 21:44:27 PROXY1 jobsengine[31926]: FETCHSNORTRULES-Start download job.
Sep 5 21:44:28 PROXY1 jobsengine[31927]: GETBLACKHOLEDNS-Download url: http://data.phishtank.com/data/online-valid.csv.gz to /var/tmp/tmpneDB7Z/tmpP61txP
Sep 5 21:44:28 PROXY1 jobsengine[31926]: FETCHSNORTRULES-Etag not changed. Skip http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz.
Sep 5 21:44:28 PROXY1 jobsengine[31926]: FETCHSNORTRULES-No new data: skip download.
(0008511)
carlos-endian (reporter)
2013-09-05 13:09

In the output, as you can see, there are no errors; the only strange thing is the link from which the rules are updated.

I need more information: could you check the file /usr/lib/efw/snort/default/settings and see what the SNORT_RULES_URL is?
Did you update your community install from 2.5.1 or a previous version, or did you install 2.5.2 from the ISO image?
(0008512)
carlos-endian (reporter)
2013-09-05 13:44

Did you import some backup?
Could you check /var/efw/snort/? Thanks.
(0008516)
gmar_87 (reporter)
2013-09-10 07:14

I upgraded 2.5.1 to 2.5.2 using "efw-upgrade".

Contents of /usr/lib/efw/snort/default/settings

RULESTYPE=community
ENABLED=0
POSTGRESQL=off
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
SNORT_RULES_ETAG=
ENABLED_RULES=auto,custom
UPDATE_SCHEDULE=daily
SNORT_DEFAULT_POLICY=alert
SNORT_LOG_ROTATE=
CREDENTIALS=off
SIGNATURES_VERSION=2.8.6


Contents of /var/efw/snort/settings

ENABLED=1
ENABLED_RULES=auto
NTOP_ENABLED=off
SNORT_RULES_ETAG="1c0005-16a2b3-4c1b4b7ec72ea"
SNORT_RULES_URL=http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz
UPDATE_SCHEDULE=hourly
(0008517)
gmar_87 (reporter)
2013-09-10 07:19

I just renamed /var/efw/snort/settings and re-applied snort settings through GUI. The contents of the settings file changed to:

SNORT_RULES_ETAG=
RULESTYPE=community
CREDENTIALS=off
POSTGRESQL=off
ENABLED_RULES=auto,custom
ENABLED=1
SNORT_LOG_ROTATE=
SNORT_DEFAULT_POLICY=alert
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
SIGNATURES_VERSION=2.8.6
UPDATE_SCHEDULE=hourly


I then forced an update of snort rules via gui and the settings file now contains:

ENABLED=1
SNORT_RULES_ETAG="1f02ff9-15b9ca-4e5be5b96d080"
UPDATE_SCHEDULE=hourly
(0008518)
carlos-endian (reporter)
2013-09-10 07:58

The issue is the link used to download the snort rules.
The right link is:
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz

The other one (SNORT_RULES_URL=http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz) is an old link; I don't understand why it was present in your configuration. Probably in the past you imported a backup?

Now when the auto-update starts, in the logs you should see the right link.
Please check in /var/signature/snort/auto whether the rules are updated (after your forced update). In the next days take a look at this folder and check whether the files are updated against the snort repository.
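Editor's added example (not part of the thread and not Endian's fetchsnortrules code). Two facts from this report combine into a silent failure: the runtime file /var/efw/snort/settings carried its own SNORT_RULES_URL pointing at the old host, overriding the default file, and a scheduled run (the jobsengine line with force:False) only downloads when the server reports something newer than the cached SNORT_RULES_ETAG. A host that keeps returning the same ETag therefore looks like "No new data" on every hourly run, while the GUI button (force:True) still fetches. The model below replays that with settings text and an offline fake server constructed from the values quoted in the thread. The merge order (runtime overrides default key by key), the If-None-Match conditional GET, and "force bypasses the ETag check" are this example's assumptions about how the updater behaves, not facts the thread establishes; parse_settings, effective_settings, audit, FakeRulesServer, fetch_rules and run_scenario are names invented here. The audit also flags what a practitioner would want to notice: both rules URLs are plain HTTP, and the host is read from a file that a restored backup can rewrite, so whoever controls that file or the path to that host controls what the IPS loads.

```python
"""ETag-gated rules fetch over a two-layer settings file (added example).

Assumes KEY=VALUE settings (values may be double-quoted), runtime overriding
default key by key, and a conditional GET that skips on 304 unless forced.
Settings text and the server catalog are constructed from the report's values.
"""
import re

DEFAULT_SETTINGS = """\
RULESTYPE=community
SNORT_RULES_URL=http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz
SNORT_RULES_ETAG=
UPDATE_SCHEDULE=daily
"""

RUNTIME_SETTINGS = """\
ENABLED=1
SNORT_RULES_ETAG="1c0005-16a2b3-4c1b4b7ec72ea"
SNORT_RULES_URL=http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz
UPDATE_SCHEDULE=hourly
"""

_LINE = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$')


def parse_settings(text):
    """KEY=VALUE text -> dict; strips one pair of surrounding double quotes."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        out[key] = val
    return out


def effective_settings(default, runtime):
    """Runtime file wins key by key; anything it omits falls back to default."""
    merged = dict(default)
    merged.update(runtime)
    return merged


def audit(default, runtime):
    """Flag the conditions that let the report's install stop updating silently."""
    findings = []
    url = effective_settings(default, runtime).get("SNORT_RULES_URL", "")
    if "SNORT_RULES_URL" in runtime and runtime["SNORT_RULES_URL"] != default.get("SNORT_RULES_URL"):
        findings.append("override: runtime SNORT_RULES_URL differs from default")
    if url.startswith("http://"):
        findings.append("plain-http: rules bundle fetched without TLS from %s" % url)
    if runtime.get("SNORT_RULES_ETAG"):
        findings.append("cached-etag: non-forced runs skip while the server echoes it")
    return findings


class FakeRulesServer:
    """Offline stand-in for the rules hosts: url -> (etag, body)."""

    def __init__(self, catalog):
        self.catalog = catalog

    def get(self, url, if_none_match=None):
        if url not in self.catalog:
            return 404, None, None
        etag, body = self.catalog[url]
        if if_none_match is not None and if_none_match == etag:
            return 304, etag, None
        return 200, etag, body


def fetch_rules(settings, server, force=False, log=None):
    """One updater run; stores the new ETag on success. Returns (downloaded, etag)."""
    log = log if log is not None else []
    url = settings["SNORT_RULES_URL"]
    cached = settings.get("SNORT_RULES_ETAG") or None
    status, etag, body = server.get(url, None if force else cached)
    if status == 304:
        log.append("Etag not changed. Skip %s." % url)
        log.append("No new data: skip download.")
        return False, cached
    if status != 200:
        log.append("Download failed (%s) for %s" % (status, url))
        return False, cached
    settings["SNORT_RULES_ETAG"] = etag
    log.append("Downloaded %d bytes from %s" % (len(body), url))
    return True, etag


def run_scenario():
    """Replay the thread: hourly run on the stale override, a forced run, then the fix."""
    default = parse_settings(DEFAULT_SETTINGS)
    runtime = parse_settings(RUNTIME_SETTINGS)
    findings = audit(default, runtime)
    server = FakeRulesServer({
        # constructed: the old host keeps echoing the cached ETag, so nothing is ever "new"
        "http://ips.signatures.endian.com/snort-2.8.6/emerging.rules.tar.gz":
            ("1c0005-16a2b3-4c1b4b7ec72ea", b"old rules bundle"),
        # constructed: the current host carries a newer bundle under a different ETag
        "http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz":
            ("1f02ff9-15b9ca-4e5be5b96d080", b"new rules bundle"),
    })
    log = []
    stale = effective_settings(default, runtime)
    hourly = fetch_rules(stale, server, force=False, log=log)  # skipped on 304
    forced = fetch_rules(stale, server, force=True, log=log)   # downloads, but from the old host
    # The fix from the thread: drop the runtime override and the cached ETag,
    # which is what re-creating the settings file from the GUI achieved.
    runtime.pop("SNORT_RULES_URL")
    runtime["SNORT_RULES_ETAG"] = ""
    fixed = effective_settings(default, runtime)
    after_fix = fetch_rules(fixed, server, force=False, log=log)  # fetches the new bundle
    return {"findings": findings, "hourly": hourly, "forced": forced,
            "after_fix": after_fix, "fixed_url": fixed["SNORT_RULES_URL"], "log": log}
```

Running run_scenario() shows the hourly run skipping with the thread's "No new data: skip download." message, the forced run downloading from the old host anyway, and the first non-forced run after the override is removed pulling the newer bundle and storing its ETag. On a real box the equivalent check is to diff SNORT_RULES_URL between the default and runtime settings files and to confirm the host in the jobsengine "Skip" line is the one you expect.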
(0008519)
gmar_87 (reporter)
2013-09-11 05:08
edited on: 2013-09-11 05:08

Auto updates are now working after renaming original settings file and recreating through the GUI. :)

The original install of 2.5.1 probably had a backup config imported. 2.5.1 was then upgraded to 2.5.2, but no new config import.

Thanks for your help!

(0008520)
luca-endian (developer)
2013-09-12 07:10

Renamed? Strange... maybe something with the modification date or permissions?
BTW, it seems an isolated case.

I'm closing this bug

Issue History
Date Modified Username Field Change
2013-08-19 01:49 gmar_87 New Issue
2013-08-19 01:51 gmar_87 Note Added: 0008451
2013-08-26 08:36 luca-endian Note Added: 0008462
2013-08-26 08:36 luca-endian Assigned To => luca-endian
2013-08-26 08:36 luca-endian Status new => feedback
2013-08-26 10:03 gmar_87 Note Added: 0008468
2013-08-26 10:03 gmar_87 Status feedback => new
2013-08-27 11:11 gmar_87 Note Added: 0008475
2013-09-04 13:06 carlos-endian Note Added: 0008509
2013-09-04 13:08 carlos-endian Note Edited: 0008509
2013-09-05 11:55 gmar_87 Note Added: 0008510
2013-09-05 13:09 carlos-endian Note Added: 0008511
2013-09-05 13:44 carlos-endian Note Added: 0008512
2013-09-10 07:14 gmar_87 Note Added: 0008516
2013-09-10 07:19 gmar_87 Note Added: 0008517
2013-09-10 07:58 carlos-endian Note Added: 0008518
2013-09-11 05:08 gmar_87 Note Added: 0008519
2013-09-11 05:08 gmar_87 Note Edited: 0008519
2013-09-12 07:10 luca-endian Note Added: 0008520
2013-09-12 07:11 luca-endian Status new => closed
2013-09-12 07:11 luca-endian Resolution open => unable to reproduce
