StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Upload/URL pull of subscriber snort rules fails. #101

Open Sc0th opened 7 years ago

Sc0th commented 7 years ago

Attempting to upload the subscriber Snort rules (version 2983) results in '413 Request Entity Too Large' error being kicked back from nginx and the rules are not imported.

Sc0th commented 7 years ago

Ok, fixed this part by upping client_max_body_size to 100M, however now I get '504 Gateway Time-out'. It seems to be set at 60 seconds and I cannot see where this is set; any pointers much appreciated...

regit commented 7 years ago

Hi @Sc0th,

How are you running scirius (fcgi, gunicorn) ?

Sc0th commented 7 years ago

Hi! - Excuse my ignorance, but I have no idea. I am running SELKS; whilst I have a technical background, this is all very new to me, pretty much a default install from the latest 3.0 ISO...

regit commented 7 years ago

You should try to set

    fastcgi_read_timeout 300s;

below fastcgi_pass in /etc/nginx/sites-enabled/stamus.conf 

And then restart nginx.

Sc0th commented 7 years ago

Splendid, thank you, much closer! - now I see 'UNIQUE constraint failed: rules_rule.sid' - this looks more like a user error on my part, not sure this is the correct forum to discuss; I will mosey over to the other forums if I cannot find a fix.

regit commented 7 years ago

This means that you did already import a source containing similar rules. Maybe you have imported open ruleset from Snort or something alike. Try to delete the other source and reimport.

Sc0th commented 7 years ago

That makes sense, I did have the Snort community rules loaded. I have deleted them and rebooted for good measure, still seeing the same response. I will poke about a bit.

Sc0th commented 7 years ago

If I delete all sources, I still get the same response, any chance there could be some leftovers from a previous failed attempt that are not getting cleaned up with a delete?

regit commented 7 years ago

It is really unlikely. Do you have information about the failing SID?

Sc0th commented 7 years ago

I have just spent 30 mins trying to find an answer to that question, I have failed, no idea how to see what it's doing...

pevma commented 7 years ago

@Sc0th - what is the error that you are getting now?

Sc0th commented 7 years ago

Hi, this 'UNIQUE constraint failed: rules_rule.sid' in a red banner. This is when trying to upload snortrules-snapshot-2983.tar.gz, I have the SELKS default sources installed ET Open & SSLBL. The install is mostly untouched other than the above, a bit of network config & a couple of additional accounts.

Sc0th commented 7 years ago

Have removed all other sources and rulesets, still the same error.

Sc0th commented 7 years ago

FWIW - The import of the Snort Community rules also now fails on the test phase, something here is rather borked, will blow it away and start again.

Sc0th commented 7 years ago

Sadly, after considerable faffing and numerous tries I have concluded it is actually not possible to import the Snort subscriber rule-set into the SELKS environment. This is a real shame; if you are reading this and need these rules, probably best to look elsewhere for the time being.

pevma commented 7 years ago

There are a couple of points here to consider:

trahtunberg commented 7 years ago

As I detected, 2 files cause the error mentioned above ('UNIQUE constraint failed: rules_rule.sid'):

  1. browser-ie.rules
  2. browser-plugins.rules

If you delete these 2 files from the archive, then it's uploaded normally.

Also you need:

  1. to add the line `client_max_body_size 100M;` in the `http {` section of /etc/nginx/nginx.conf
  2. to add `fastcgi_read_timeout 300s;` below `fastcgi_pass` in /etc/nginx/sites-enabled/stamus.conf
  3. to restart nginx with the command: `service nginx restart`
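A quick way to find out which SIDs collide before uploading a ruleset (an added example, not Scirius or SELKS code): it reads every .rules file out of a tarball such as snortrules-snapshot-2983.tar.gz, extracts the sid of each rule, and reports any SID defined in more than one place. The rule lines in SAMPLE_FILES are constructed, and whether commented-out rules are counted is controlled by include_disabled, on the assumption that Scirius imports disabled rules as well.

```python
import re
import sys
import tarfile
from collections import defaultdict

# A rule (possibly commented out with '#') starts with an action keyword.
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")
# The sid option inside the rule's option block, e.g. "sid:1000001;".
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample input; the file names echo the thread, the rule text does not.
SAMPLE_FILES = {
    "browser-ie.rules": (
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed rule A"; sid:1000001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed rule B"; sid:1000002; rev:1;)\n'
    ),
    "browser-plugins.rules": (
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed rule C"; sid:1000001; rev:2;)\n'
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed rule D"; sid:1000003; rev:1;)\n'
    ),
}


def load_rules_from_tarball(path):
    """Return {member name: text} for every *.rules member in the tarball."""
    files = {}
    with tarfile.open(path, "r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".rules"):
                files[member.name] = tar.extractfile(member).read().decode("utf-8", "replace")
    return files


def find_duplicate_sids(files, include_disabled=True):
    """Return {sid: ["file:line", ...]} for every SID that appears more than once."""
    seen = defaultdict(list)
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            rule = line.strip()
            if rule.startswith("#"):
                if not include_disabled:
                    continue
                rule = rule.lstrip("#").strip()  # disabled rule, not a plain comment
            if not ACTION_RE.match(rule):
                continue
            m = SID_RE.search(rule)
            if m:
                seen[int(m.group(1))].append(f"{name}:{lineno}")
    return {sid: locs for sid, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    files = load_rules_from_tarball(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for sid, locs in sorted(find_duplicate_sids(files).items()):
        print(f"sid {sid} defined {len(locs)} times: {', '.join(locs)}")
```

Run it against the tarball you are about to upload; any SID it lists will trip the UNIQUE constraint on rules_rule.sid, so those are the rules to drop or dedupe first.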

pevma commented 7 years ago

@trahtunberg - thanks for the tip and sharing!

mrnerdhair commented 6 years ago

#147 may help with this, though I'm still getting the same SID error.