StamusNetworks / scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
GNU General Public License v3.0

Adding Snort Community Rules #150

Open UnZone opened 6 years ago

UnZone commented 6 years ago

I have the appliance installed on a Proxmox cluster. No desktop version. Latest updates as of 8/15/2018.

Perhaps I'm missing something. I feel like I've looked for the solution pretty well. I am unable to add the Snort Community Rules to my install. I receive the following error:

Error during update: [Errno 2] No such file or directory: '/var/lib/scirius/git-sources/8/rules'

There is a directory called 'community-rules' in the /8 folder and I tried adding a symbolic link from rules to that directory thinking that may be the issue, but that is not it.

Am I missing something?

Thank you all.

pevma commented 6 years ago

Hi,

How did you add the source/ruleset?

Thanks

-- Regards, Peter Manev


UnZone commented 6 years ago

I was using the Web GUI via the SELKS appliance. Am I in the wrong forum?

pevma commented 6 years ago


No, you can get help here too :) So you created a new Source, then added it to a ruleset and you got the error - correct? I was wondering if you can maybe share the exact steps so we can try to reproduce?

Thank you

-- Regards, Peter Manev

UnZone commented 6 years ago

Sure. Appreciate the assistance.

I'm running Scirius CE v2.0.1. My steps are, using Web GUI:

Click 'sources'
Click 'add custom source'
Name -> 'Snort Community Rules'
Method -> 'HTTP URL'
Data Type -> 'sigs in tar archive'
URI -> 'https://www.snort.org/downloads/community/community-rules.tar.gz'
Check Certificates -> 'Check'
Optional Auth Key -> My oink code
Default SELKS Rule -> 'Check'

Hit 'submit'

Starts to progress and then pops error: Error during update: [Errno 2] No such file or directory: '/var/lib/scirius/git-sources/8/rules'

That dir in the error /var/lib.../8 contains 'community-rules' as a folder.

I've used SELKS before and this used to work so I'm stumped. Thanks for the help.

pevma commented 6 years ago


(edited as the issue is already open :) ) - I will try it out with the next release and see if we have the same issue - but at least we will keep track of it. By the way, just wondering if you know whether the folder structure changed in the tar.gz?

Thank you

-- Regards, Peter Manev

UnZone commented 6 years ago

By the way, just wondering if you know whether the folder structure changed in the tar.gz?

I'm not sure actually. When I look at the file the top folder is 'community-rules'. I can't say if it used to be just 'rules' or not. I haven't had to touch the file in years, usually just let whatever process I'm using handle it. Which is normally pfSense, but I'm trying this out as an in-line scanner for my LAN.

pevma commented 6 years ago

Is there any chance you could try just renaming community-rules to rules and see if that goes through?

UnZone commented 6 years ago

Okay. I tried several things. Nothing seemed to work. Here is what I did:

Renamed the folder 'community-rules' to 'rules' -> result was the folder being deleted by the update process.

Tried a symbolic link again -> result was same error.

Used a personal web server: downloaded the 'community-rules.tar.gz' file, decompressed it, renamed all the 'community-rules' folders to 'rules', re-compressed it as 'rules.tar.gz', pointed the source at that personal web server asking it to download the new file. Everything was going great and then it popped the error: Error during update: [Errno 2] No such file or directory: '/var/lib/scirius/git-sources/11/.'

So perhaps on the last test I did something wrong during re-compression of the file, but the structure looked the same as the original just the name change.
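The repack procedure described in the comment above (rename the archive's top-level 'community-rules' directory to 'rules' and re-compress) can be done in memory without extracting anything to disk. The following is an added example, not code from this thread or from Scirius; the archive contents, rule text and file names are constructed for illustration, and the real community tarball's layout is not assumed beyond the 'community-rules' top-level directory the thread reports. Because a downloaded ruleset is untrusted input, the helper refuses members with absolute paths, '..' components or link entries before rewriting names.

```python
import io
import posixpath
import tarfile

# Constructed sample archive shaped like the one described in the thread:
# a single top-level 'community-rules' directory. The rule text is a placeholder.
SAMPLE_MEMBERS = {
    "community-rules/community.rules": b'alert tcp any any -> any any (msg:"placeholder"; sid:1000001; rev:1;)\n',
    "community-rules/sid-msg.map": b"1000001 || placeholder\n",
}


def build_tar_gz(members):
    """Build a gzip-compressed tar in memory from a {path: bytes} mapping (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_parts(name):
    """Split a member path into components, rejecting absolute paths and '..' escapes."""
    norm = posixpath.normpath(name)
    parts = norm.split("/")
    if norm.startswith("/") or parts[0] in ("..", "."):
        raise ValueError(f"unsafe member path: {name!r}")
    return parts


def member_names(tar_gz_bytes):
    """Return the sorted, normalised member paths of the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
        return sorted("/".join(_safe_parts(m.name)) for m in tar.getmembers())


def top_level_dirs(tar_gz_bytes):
    """Return the sorted set of top-level directory names (what Scirius would see first)."""
    return sorted({name.split("/")[0] for name in member_names(tar_gz_bytes)})


def is_safe_archive(tar_gz_bytes):
    """True when every member has a safe relative path and none is a hard or symbolic link."""
    try:
        with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as tar:
            for member in tar.getmembers():
                _safe_parts(member.name)
                if member.issym() or member.islnk():
                    return False
    except (ValueError, tarfile.TarError):
        return False
    return True


def repack_toplevel(tar_gz_bytes, old_top, new_top):
    """Rewrite members under old_top/ so they sit under new_top/; other members are kept as-is."""
    if not is_safe_archive(tar_gz_bytes):
        raise ValueError("archive contains unsafe paths or link members; refusing to repack")
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_gz_bytes), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src.getmembers():
            parts = _safe_parts(member.name)
            if parts[0] == old_top:
                parts[0] = new_top
            member.name = "/".join(parts)
            # Only regular files carry a payload; directories and empty entries need the header only.
            payload = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, payload)
    return out.getvalue()


if __name__ == "__main__":
    original = build_tar_gz(SAMPLE_MEMBERS)
    print("before:", top_level_dirs(original))
    fixed = repack_toplevel(original, "community-rules", "rules")
    print("after: ", top_level_dirs(fixed))
    print(member_names(fixed))
```

Running the script against a real download instead of the constructed sample means replacing `build_tar_gz(SAMPLE_MEMBERS)` with the bytes of the fetched tarball; the traversal and link checks are what make it safe to do so on an archive you did not create.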

pevma commented 6 years ago

Thank you for the investigation. You could maybe repeat the step by deleting completely the source and rule set of the last attempt. Should work that way?

UnZone commented 6 years ago

The VM I was running this in was lost. The NAS I had it on lost two disks and, even though it was RAID 10, it dumped the RAID group in the process. I'm waiting for new disks to arrive and then I will re-install and try again. I'll report back when I have tried your suggestion.

PhilMarsden commented 5 years ago

Having the same problem here. If I repack the tar files with the main directory changed to "rules" then initially I got an Nginx 413 "Request Entity Too Large", so after increasing the Nginx limit to 100M it got further and uploaded.

However, lots of errors about the formats of the rules not being right.

Same with v2.9 and v3.0 files

pevma commented 5 years ago

The Request Entity Too Large should not be there with the latest Scirius version; could you check, please? The rest of the errors are simply returned from Suricata rule load checks.