StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

🐞💿 Suppression gives 400 Bad Request #473

Open timguyuk opened 3 months ago

timguyuk commented 3 months ago

Is there an existing issue for this?

Current Behavior

Installing SELKS 10, I have the system up and running. I have an internal server that is hit by authorised traffic, but ET SCAN Potential SSH Scan picks it up. No problem, I add the authorised src IPs to suppression, except I can't in SELKS 10. If I try to add from the Hunting dashboard I get a 400 Bad Request. Within https://x.x.x.x/rules/rule I can no longer click on the comments to see the suppression. I can go to history; there are entries, but no information other than ip 172.18.0.2? If I go to https://x.x.x.x/rules/ruleset/1/ I can see suppressions, but if I click on the id number I get "Server Error (500)".

Expected Behavior

No response

Steps To Reproduce

  1. Go to Hunting dashboard
  2. Filter by Source IP
  3. Policy Actions / Suppress
  4. Default Rule Set / Comments
  5. Submit
  6. 400 Bad Request

Anything else?

No response

timguyuk commented 3 months ago

I have managed to add hunting suppressions, but when I go to Hunting / Policies I get "failed to fetch policies statistics".

Also, https://x.x.x.x/rules/rule/pk/2001219/ doesn't match hunting policies, so I still have the issue.

I've tried a few different browsers.

Permissions?

timguyuk commented 3 months ago

Reinstalled today to make sure it wasn't something weird. Still problems. Everything appears to work; I just can't confidently say that suppression is working. Certainly all the errors from my first post stand.

pevma commented 3 months ago

Hi,

Are there any errors in docker/containers-data/scirius/logs/django-error.log, if you could share those please?

Thanks

pevma commented 3 months ago

Another way to do the suppression manually is to use docker/containers-data/suricata/etc/threshold.config and edit it directly, after which you just need to restart the Suricata container.
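A concrete threshold.config entry for the manual workaround above, added here as an illustration and not taken from the thread or the SELKS project: sid 2001219 is the ET SCAN Potential SSH Scan rule referenced earlier in the issue, and the source addresses are placeholders for the authorised hosts.

```conf
# Suppress "ET SCAN Potential SSH Scan" (gen_id 1, sid 2001219) only when the
# source is one of the authorised hosts. Scoping by track by_src keeps the
# alert alive for every other source, so unexpected scanners are still seen.
# Placeholder addresses: replace with the real authorised sources.
suppress gen_id 1, sig_id 2001219, track by_src, ip 10.0.0.5
suppress gen_id 1, sig_id 2001219, track by_src, ip 10.0.1.0/24

# Alternative if you would rather keep some visibility than silence the rule:
# rate-limit to one alert per source per minute instead of suppressing.
# threshold gen_id 1, sig_id 2001219, type limit, track by_src, count 1, seconds 60
```

After saving the file at docker/containers-data/suricata/etc/threshold.config, restart the Suricata container so the new entries are loaded, then confirm that alerts from the authorised sources stop while alerts from any other source still appear.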

timguyuk commented 3 months ago

Hi,

Are there any errors in docker/containers-data/scirius/logs/django-error.log, if you could share those please?

Thanks

Very basic reinstall and trying to add a suppression on the first event, and the django-error.log gives

2024-07-04 10:22:28,834 WARNING Not Found: /favicon.ico
2024-07-05 09:51:38,453 WARNING Bad Request: /rest/rules/processing-filter/

pevma commented 3 months ago

Does the workaround (in my previous comment) work?