Open VVelox opened 11 months ago
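%YAML 1.1
---
# Main Sagan configuration (sagan.yaml) as pasted in the report, with the
# nesting restored: pasted flat, the file parsed as one top-level mapping with
# null values and repeated keys, which is not what Sagan reads.
#
# The enabled/disabled and yes/no tokens are the ones the Sagan sample config
# uses and are kept verbatim.  Note that under the %YAML 1.1 directive a
# generic YAML loader turns yes/no into booleans, so do not re-type these
# values when editing the file with other tooling.
vars:
  sagan-groups:
    FIFO: "/var/sagan/fifo/sagan.fifo"
    RULE_PATH: "/usr/local/etc/sagan-rules"
    LOCKFILE: "/var/run/sagan/sagan.pid"
    LOG_PATH: "/var/log/sagan"
  address-groups:
    # "any" for both groups means rules keyed on HOME_NET / EXTERNAL_NET
    # cannot tell internal from external addresses; set these per site.
    HOME_NET: "any"
    EXTERNAL_NET: "any"
  port-groups:
    SSH_PORT: 22
    HTTP_PORT: 80
    HTTPS_PORT: 443
    TELNET_PORT: 23
    DNS_PORT: 53
    SNMP_PORT: 161
    POP3_PORT: 110
    IMAP_PORT: 143
    SMTP_PORT: 25
    MYSQL_PORT: 3306
    MSSQL_PORT: 1433
    NTP_PORT: 123
    OPENVPN_PORT: 1194
    PPTP_PORT: 1723
    FTP_PORT: 21
    RSYNC_PORT: 873
    SQUID_PORT: 3128
  geoip-groups:
    HOME_COUNTRY: "US,CA"
  aetas-groups:
    SAGAN_HOURS: "0700-1800"
    SAGAN_DAYS: "12345"
  mmap-groups:
    MMAP_DEFAULT: 10000
  misc-groups:
    # Keep each of these lists on a single line: a line break inside a
    # double-quoted scalar folds to a space, which then becomes part of the
    # value (the pasted version had CREDIT_CARD_PREFIXES and PSEXEC_MD5 wrapped
    # mid-value).
    CREDIT_CARD_PREFIXES: "4,34,37,300,301,302,303,304,305,2014,2149,309,36,38,39,54,55,6011,6221,6222, 6223,6224,6225,6226, 6227,6228,6229,644,645,646,647,648,649,65,636,637,638,639,22,23,24,25,26,27,51,52,53,53,55"
    RFC1918: "10.,192.168.,172.16.,172.17.,172.18.,172.19.,172.20.,172.21.,172.22.,172.23.,172.24.,172.25.,172.26.,172.27.,172.28.,172.29.,172.30.,172.31."
    WINDOWS_DOMAINS: "MYCOMPANYDOMAIN,EXAMPLEDOMAIN,ANOTHER_DOMAIN"
    # NOTE(review): the first four entries are 40 hex digits (SHA-1 length);
    # only the last is 32 (MD5 length).  Confirm which digest the rules that
    # use this variable compare against, otherwise the mismatched entries can
    # never match.
    PSEXEC_MD5: "CD23B7C9E0EDEF184930BC8E0CA2264F0608BCB3, 9A46E577206D306D9D2B2AB2F72689E4F5F38FB1,2EDEEFB431663F20A36A63C853108E083F4DA895,B5C62D79EDA4F7E4B60A9CAA5736A3FDC2F1B27E,A7F7A0F74C8B48F1699858B3B6C11EDA"
sagan-core:
  core:
    sensor-name: "default_sensor_name"  # Unique name for this sensor (no spaces)
    cluster-name: "default_cluster_name"  # Cluster name (no spaces)
    syslog: enabled  # Log Sagan output to syslog
    # Target for Sagan's own syslog output.  Plain UDP syslog is neither
    # authenticated nor encrypted, so keep this collector on a trusted path.
    default-host: 192.168.2.1
    default-port: 514
    default-proto: udp
    dns-warnings: disabled
    source-lookup: disabled
    fifo-size: 1048576  # System must support F_GETPIPE_SZ/F_SETPIPE_SZ.
    classification: "$RULE_PATH/classification.config"
    reference: "$RULE_PATH/reference.config"
    protocol-map: "$RULE_PATH/protocol.map"
    chown-fifo: yes  # Change ownership of FIFO to the "sagan" user.
    xbit-storage: mmap  # "redis" or "mmap"
    max-threads: 50  # Increase this if the system is under heavy load.
    batch-size: 1
    message-buffer-size: 32kb
    input-type: pipe  # pipe or json
    json-map: "$RULE_PATH/json-input.map"  # mapping file if input-type: json
    json-software: syslog-ng  # by "software" type.
    json-parse-data: enabled
  redis-server:
    enabled: no
    server: 127.0.0.1
    port: 6379
    writer_threads: 10
  mmap-ipc:
    # /dev/shm is a shared tmpfs.  NOTE(review): check the mode Sagan creates
    # its mmap files with, so other local users cannot read or alter the
    # xbit/threshold/after state kept here.
    ipc-directory: /dev/shm
    xbit: $MMAP_DEFAULT
    flexbit: $MMAP_DEFAULT
    after: $MMAP_DEFAULT
    threshold: $MMAP_DEFAULT
    track-clients: $MMAP_DEFAULT
  ignore-list:
    enabled: no
    ignore-file: "$RULE_PATH/sagan-ignore-list.txt"
  liblognorm:
    enabled: yes
    normalize_rulebase: "$RULE_PATH/normalization.rulebase"
  plog:
    enabled: no
    interface: eth0
    bpf: "port 514"
    log-device: /dev/log
    promiscuous: yes
# Site-specific settings live in the included file; the report shows that the
# position of include lines relative to rule loading matters to Sagan.
include: /usr/local/etc/sagan-include.yaml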
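%YAML 1.1
---
# /usr/local/etc/sagan-include.yaml as pasted, with the nesting restored
# (flat, it parsed as a single mapping with repeated "enabled" keys).
#
# Keys inside each mapping appear in alphabetical order, which looks like the
# output of a generator rather than hand-written config.  The report ties the
# failures below to key/section order: with the rules include placed last, as
# here, every rule file loads but Sagan then reports an empty GeoIP database
# path even though sagan-core.geoip.country_database is set in this file.
outputs:
  - eve-log:
      alerts: yes
      alerts-base64: yes
      enabled: yes
      filename: $LOG_PATH/eve.json
      interface: logs
      logs: no
  - alert:
      enabled: yes
      filename: $LOG_PATH/alert.log
processors:
  - zeek-intel:
      enabled: no
  - dynamic-load:
      enabled: yes
      sample-rate: 100
      type: dynamic_load
  - bluedot:
      enabled: no
  - blacklist:
      enabled: no
  - stats-json:
      enabled: yes
      filename: $LOG_PATH/stats.json
      subtract_old_values: 'true'  # quoted: stays a string under YAML 1.1
      time: '300'
  - rule-tracking:
      console: disabled
      enabled: yes
      syslog: enabled
      time: '1440'
  - client-stats:
      # The report shows this alphabetical key order being rejected with
      # 'client-stats "data-interval" is missing'; the sample-config order
      # (enabled, type, private-only, filename, time, data-interval,
      # max-clients) is accepted.
      data-interval: '900'
      enabled: yes
      filename: $LOG_PATH/client-stats.json
      max-clients: '1000'
      private-only: enabled
      time: '600'
      type: ip
  - track-clients:
      enabled: no
sagan-core:
  core:
    cluster-name: nibbles0-lae
    default-host: 127.0.0.1
    sensor-name: nibbles0-lae
    syslog: enabled
  geoip:
    country_database: /usr/local/share/GeoIP/GeoLite2-Country.mmdb
    enabled: yes
vars:
  geoip-groups:
    HOME_COUNTRY: "US,FR"  # quoted to match the main config's "US,CA" form
# Rules include kept last so the *-geoip.rules files are read after
# sagan-core.geoip above; moving it first makes Sagan abort at the first
# rule carrying a GeoIP option.
include: /usr/local/etc/sagan-rules.yaml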
%YAML 1.1
---
# /usr/local/etc/sagan-rules.yaml: the rule files Sagan loads, in order.
# The *-geoip.rules entries require sagan-core.geoip to be enabled before this
# list is processed; the report shows Sagan aborting with "has GeoIP option,
# but Sagan configuration lacks GeoIP" when the include pointing here is read
# before the geoip section.
rules-files:
  # GeoIP-dependent rules
  - $RULE_PATH/fatpipe-geoip.rules
  - $RULE_PATH/fortinet-geoip.rules
  - $RULE_PATH/mcas-geoip.rules
  - $RULE_PATH/openssh-geoip.rules
  - $RULE_PATH/palo-alto-geoip.rules
  - $RULE_PATH/proftpd-geoip.rules
  - $RULE_PATH/riverbed-geoip.rules
  - $RULE_PATH/vsftpd-geoip.rules
  # Time-of-day (aetas) rules
  - $RULE_PATH/openssh-aetas.rules
  - $RULE_PATH/proftpd-aetas.rules
  - $RULE_PATH/riverbed-aetas.rules
  - $RULE_PATH/ssh-tectia-server-aetas.rules
  # Blacklist rules
  - $RULE_PATH/blacklist.rules
  - $RULE_PATH/windows-blacklist.rules
  # Correlated rules
  - $RULE_PATH/azureEventHub_windows-correlated.rules
  - $RULE_PATH/cisco-correlated.rules
  - $RULE_PATH/citrix-correlated.rules
  - $RULE_PATH/courier-correlated.rules
  - $RULE_PATH/fatpipe-correlated.rules
  - $RULE_PATH/fortinet-correlated.rules
  - $RULE_PATH/imapd-correlated.rules
  - $RULE_PATH/openssh-correlated.rules
  - $RULE_PATH/ssh-tectia-server-correlated.rules
  - $RULE_PATH/vmware-correlated.rules
  - $RULE_PATH/vsftpd-correlated.rules
  - $RULE_PATH/windows-correlated.rules
  - $RULE_PATH/windows-owa-correlated.rules
  # Base rule set
  - $RULE_PATH/airtables.rules
  - $RULE_PATH/apache.rules
  - $RULE_PATH/apc-emu.rules
  - $RULE_PATH/arp.rules
  - $RULE_PATH/artillery.rules
  - $RULE_PATH/asterisk.rules
  - $RULE_PATH/attack.rules
  - $RULE_PATH/auditd.rules
  - $RULE_PATH/bash.rules
  - $RULE_PATH/bind.rules
  - $RULE_PATH/bonding.rules
  - $RULE_PATH/cacti-thold.rules
  - $RULE_PATH/centrify.rules
  - $RULE_PATH/ftpd.rules
  - $RULE_PATH/github.rules
  - $RULE_PATH/grsec.rules
  - $RULE_PATH/honeyd.rules
  - $RULE_PATH/hostapd.rules
  - $RULE_PATH/imapd.rules
  - $RULE_PATH/ipop3d.rules
  - $RULE_PATH/juniper.rules
  - $RULE_PATH/knockd.rules
  - $RULE_PATH/librenms.rules
  - $RULE_PATH/linux-kernel.rules
  - $RULE_PATH/mcas.rules
  - $RULE_PATH/milter.rules
  - $RULE_PATH/mimecast.rules
  - $RULE_PATH/mongodb.rules
  - $RULE_PATH/ms-defender.rules
  - $RULE_PATH/mysql.rules
  - $RULE_PATH/netskope.rules
  - $RULE_PATH/netwrix-api-integration.rules
  - $RULE_PATH/netwrix.rules
  - $RULE_PATH/nexpose.rules
  - $RULE_PATH/nfcapd-malware.rules
  - $RULE_PATH/nfcapd.rules
  - $RULE_PATH/nginx.rules
  - $RULE_PATH/ninjarmm.rules
  - $RULE_PATH/ntp.rules
  - $RULE_PATH/nxlog.rules
  - $RULE_PATH/okta.rules
  - $RULE_PATH/onelogin.rules
  - $RULE_PATH/openssh.rules
  - $RULE_PATH/openvpn.rules
  - $RULE_PATH/oracle.rules
  - $RULE_PATH/palo-alto.rules
  - $RULE_PATH/passwordstate.rules
  - $RULE_PATH/php.rules
  - $RULE_PATH/postfix.rules
  - $RULE_PATH/postgresql.rules
  - $RULE_PATH/pptp.rules
  - $RULE_PATH/procurve.rules
  - $RULE_PATH/proftpd.rules
  - $RULE_PATH/proofpoint.rules
  - $RULE_PATH/proxy-malware.rules
  - $RULE_PATH/pure-ftpd.rules
  - $RULE_PATH/racoon.rules
  - $RULE_PATH/ransomcare.rules
  - $RULE_PATH/riverbed.rules
  - $RULE_PATH/roundcube.rules
  - $RULE_PATH/rsa-dpm.rules
  - $RULE_PATH/rsync.rules
  - $RULE_PATH/sagan.rules
  - $RULE_PATH/samba.rules
  - $RULE_PATH/sendmail.rules
  - $RULE_PATH/sentinelone.rules
  - $RULE_PATH/snort.rules
  - $RULE_PATH/solaris.rules
  - $RULE_PATH/sonicwall.rules
  - $RULE_PATH/sophos.rules
  - $RULE_PATH/squid.rules
  - $RULE_PATH/ssh-tectia-server.rules
  - $RULE_PATH/su.rules
  - $RULE_PATH/symantec-ems.rules
  - $RULE_PATH/syslog.rules
  - $RULE_PATH/systemd.rules
  - $RULE_PATH/tcp.rules
  - $RULE_PATH/telnet.rules
  - $RULE_PATH/tenable.rules
  - $RULE_PATH/trendmicro.rules
  - $RULE_PATH/tripwire.rules
  - $RULE_PATH/vmpop3d.rules
  - $RULE_PATH/vmware.rules
  - $RULE_PATH/vpopmail.rules
  - $RULE_PATH/vsftpd.rules
  - $RULE_PATH/watchguard.rules
  - $RULE_PATH/web-attack.rules
  - $RULE_PATH/weblabrinth.rules
  - $RULE_PATH/windows-applocker.rules
  - $RULE_PATH/windows-auth.rules
  - $RULE_PATH/windows-clipboard.rules
  - $RULE_PATH/windows-emet.rules
  - $RULE_PATH/windows-malware.rules
  - $RULE_PATH/windows-misc.rules
  - $RULE_PATH/windows-powershell.rules
  - $RULE_PATH/windows.rules
  - $RULE_PATH/windows-security.rules
  - $RULE_PATH/windows-sysmon.rules
  - $RULE_PATH/wordpress.rules
  - $RULE_PATH/xinetd.rules
  - $RULE_PATH/yubikey.rules
  - $RULE_PATH/zeus.rules
If you move the include to the top, it will error...
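%YAML 1.1
---
# Same sagan-include.yaml, but with the rules include as the first key
# (nesting restored from the flat paste).  In this order Sagan reads the rule
# files before it has seen the sagan-core.geoip section further down and
# aborts at the first rule carrying a GeoIP option ("Sagan configuration
# lacks GeoIP"); the log following this block shows that failure.
include: /usr/local/etc/sagan-rules.yaml
outputs:
  - eve-log:
      alerts: yes
      alerts-base64: yes
      enabled: yes
      filename: $LOG_PATH/eve.json
      interface: logs
      logs: no
  - alert:
      enabled: yes
      filename: $LOG_PATH/alert.log
processors:
  - zeek-intel:
      enabled: no
  - dynamic-load:
      enabled: yes
      sample-rate: 100
      type: dynamic_load
  - bluedot:
      enabled: no
  - blacklist:
      enabled: no
  - stats-json:
      enabled: yes
      filename: $LOG_PATH/stats.json
      subtract_old_values: 'true'
      time: '300'
  - rule-tracking:
      console: disabled
      enabled: yes
      syslog: enabled
      time: '1440'
  - client-stats:
      data-interval: '900'
      enabled: yes
      filename: $LOG_PATH/client-stats.json
      max-clients: '1000'
      private-only: enabled
      time: '600'
      type: ip
  - track-clients:
      enabled: no
sagan-core:
  core:
    cluster-name: nibbles0-lae
    default-host: 127.0.0.1
    sensor-name: nibbles0-lae
    syslog: enabled
  # Needed by the *-geoip.rules files, but only seen after the include above
  # has already been processed.
  geoip:
    country_database: /usr/local/share/GeoIP/GeoLite2-Country.mmdb
    enabled: yes
vars:
  geoip-groups:
    HOME_COUNTRY: "US,FR"  # quoted to match the main config's "US,CA" form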
[*] Sagan's PID is 75040
[*] Loading classifications.conf file. [/usr/local/etc/sagan-rules/classification.config]
[*] 62 classifications loaded
[*] Loading references.conf file. [/usr/local/etc/sagan-rules/reference.config]
[*] 6 references loaded.
[*] Loading protocol map file. [/usr/local/etc/sagan-rules/protocol.map]
[*] 31 protocols loaded. Loaded 13 'message' search items and 18 'program' items.
[*] Loading /usr/local/etc/sagan-rules/normalization.rulebase for normalization.
[*] Loading included file '/usr/local/etc/sagan-include.yaml'.
[*] Loading included file '/usr/local/etc/sagan-rules.yaml'.
[*] Loading /usr/local/etc/sagan-rules/fatpipe-geoip.rules rule file.
[E] [rules.c, line 1785] Rule /usr/local/etc/sagan-rules/fatpipe-geoip.rules at line 31 has GeoIP option, but Sagan configuration lacks GeoIP - Abort
With the include at the bottom, it results in...
[*] Sagan's PID is 12102
[*] Loading classifications.conf file. [/usr/local/etc/sagan-rules/classification.config]
[*] 62 classifications loaded
[*] Loading references.conf file. [/usr/local/etc/sagan-rules/reference.config]
[*] 6 references loaded.
[*] Loading protocol map file. [/usr/local/etc/sagan-rules/protocol.map]
[*] 31 protocols loaded. Loaded 13 'message' search items and 18 'program' items.
[*] Loading /usr/local/etc/sagan-rules/normalization.rulebase for normalization.
[*] Loading included file '/usr/local/etc/sagan-include.yaml'.
[*] Loading included file '/usr/local/etc/sagan-rules.yaml'.
[*] Loading /usr/local/etc/sagan-rules/fatpipe-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/fortinet-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/mcas-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/openssh-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/palo-alto-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/proftpd-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/riverbed-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vsftpd-geoip.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/openssh-aetas.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/proftpd-aetas.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/riverbed-aetas.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ssh-tectia-server-aetas.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/blacklist.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-blacklist.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/azureEventHub_windows-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/cisco-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/citrix-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/courier-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/fatpipe-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/fortinet-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/imapd-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/openssh-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ssh-tectia-server-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vmware-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vsftpd-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-owa-correlated.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/airtables.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/apache.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/apc-emu.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/arp.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/artillery.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/asterisk.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/attack.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/auditd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/bash.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/bind.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/bonding.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/cacti-thold.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/centrify.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ftpd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/github.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/grsec.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/honeyd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/hostapd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/imapd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ipop3d.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/juniper.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/knockd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/librenms.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/linux-kernel.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/mcas.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/milter.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/mimecast.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/mongodb.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ms-defender.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/mysql.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/netskope.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/netwrix-api-integration.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/netwrix.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/nexpose.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/nfcapd-malware.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/nfcapd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/nginx.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ninjarmm.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ntp.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/nxlog.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/okta.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/onelogin.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/openssh.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/openvpn.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/oracle.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/palo-alto.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/passwordstate.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/php.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/postfix.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/postgresql.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/pptp.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/procurve.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/proftpd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/proofpoint.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/proxy-malware.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/pure-ftpd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/racoon.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ransomcare.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/riverbed.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/roundcube.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/rsa-dpm.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/rsync.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/sagan.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/samba.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/sendmail.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/sentinelone.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/snort.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/solaris.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/sonicwall.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/sophos.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/squid.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/ssh-tectia-server.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/su.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/symantec-ems.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/syslog.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/systemd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/tcp.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/telnet.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/tenable.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/trendmicro.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/tripwire.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vmpop3d.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vmware.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vpopmail.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/vsftpd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/watchguard.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/web-attack.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/weblabrinth.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-applocker.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-auth.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-clipboard.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-emet.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-malware.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-misc.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-powershell.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-security.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/windows-sysmon.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/wordpress.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/xinetd.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/yubikey.rules rule file.
[*] Loading /usr/local/etc/sagan-rules/zeus.rules rule file.
[*] Loading GeoIP database. []
[W] Cannot open '' [No such file or directory]!
[W] Make sure the GeoIP database '' is readable by 'sagan'.
[E] Sagan is NOT loading the GeoIP database data! Abort!
This is also wrong, since the include sets .sagan-core.geoip.country_database to '/usr/local/share/GeoIP/GeoLite2-Country.mmdb'.
The same happens with client-stats: the first form below errors, but the second form works.
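# Two spellings of the same client-stats processor entry (nesting restored
# from the flat paste; both belong under "processors:").  The first, with keys
# in alphabetical order, is rejected with 'client-stats "data-interval" is
# missing'; the second, in the sample-config order and shown commented out as
# the report pasted it, is accepted.  Apart from the quoting of filename, only
# the key order differs.
- client-stats:
    data-interval: 900
    enabled: yes
    filename: $LOG_PATH/client-stats.json
    max-clients: 1000
    private-only: enabled
    time: 600
    type: "ip"
# - client-stats:
#     enabled: yes
#     type: "ip"
#     private-only: enabled  # Only collect private IP addresses
#     filename: "$LOG_PATH/client-stats.json"
#     time: 600
#     data-interval: 900
#     max-clients: 1000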
[E] [config-yaml.c, line 2868] client-stats "data-interval" is missing.
Both should be equivalent; only the key order is different.
Apparently the rules-files array does not handle arbitrary placement well. If the include for it, or the array itself, comes too early, then features such as GeoIP are not seen as enabled, even though they are enabled in the config.
This can be reproduced easily by making the first item in the config the include that points to the rules include.
The best way to fix this is, after reading in all the configs and merging them into one complex hash (or whatever the C equivalent is here), not to process any of the rules files until after the rest of the keys have been handled. Just push the entries from it into an array while processing the hash, and then, once done with everything else, process that array and load all the rules. This way the rules don't run into any dependency issues.