Bug #3843

closed

no way to re-enable a disabled source previously added with add-source

Added by James Lagermann over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: High

Description

When you add a source with suricata-update add-source and then disable that source, there is no way to re-enable it without getting an error.

    $ sudo suricata-update add-source abuse.ch-URLhaus-IDS https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz 
    $ ls -la ./sources/
    -rw-r--r-- 1 root root  108 Jul 24 18:03 abuse.ch-URLhaus-IDS.yaml

    $ sudo suricata-update disable-source abuse.ch-URLhaus-IDS
    <Info> -- Source abuse.ch-URLhaus-IDS has been disabled
    $ ls -la ./sources/
    -rw-r--r-- 1 root root  108 Jul 24 18:03 abuse.ch-URLhaus-IDS.yaml.disabled

    $ sudo suricata-update add-source abuse.ch-URLhaus-IDS https://urlhaus.abuse.ch/downloads/urlhaus_suricata.tar.gz 
    <Error> -- A source with name abuse.ch-URLhaus-IDS already exists.

    $ sudo suricata-update enable-source abuse.ch-URLhaus-IDS
    <Info> -- Re-enabling previously disabled source for abuse.ch-URLhaus-IDS.
    <Error> -- Unknown source: abuse.ch-URLhaus-IDS

Actions #1

Updated by James Lagermann over 4 years ago

Some additional details:

If the fix will be to use 'enable-source' to re-enable a disabled custom source, it will also require a command to list currently disabled sources. I will have to add a task to check for disabled sources before I try the add-source command or it will still fail.

If the fix will allow 'add-source' to re-enable a disabled custom source, it will not require any changes to the task list below.

I'm using an Ansible Playbook to manage Suricata-update. In the variable file, I have three different lists, one for sources that do not have secret codes {{enable_suricata_remote_sources}}, one for sources that do have secret codes {{enable_suricata_secret_code_sources}}, and one for sources not in the index {{enable_suricata_custom_url_sources}}.

  1. The tasks first update sources,
  2. list currently enabled sources.
  3. go through each group and enable or add the source if it is not already enabled.
  4. go through the original list of enabled sources and disable it if it is not in one of the three enable lists
  5. run suricata-update

    # Variable file
    enable_suricata_remote_sources:
      - name: (list name)
    enable_suricata_secret_code_sources:
      - name: (list name)
        secret_code: (secret code)
    enable_suricata_custom_url_sources:
      - name: (list name)
        url: (list url)

-------------------------------------------------------

    # Tasks
    - name:             Update Suricata-update Sources
      command:          suricata-update update-sources
      changed_when:     false

    - name:             Collect list of enabled sources
      command:          suricata-update list-enabled-sources
      register:         enabled_sources
      changed_when:     false

    - name:             Enable remote sources with secret-codes
      command:          suricata-update enable-source "{{ item.name }}" secret-code="{{ item.secret_code }}"
      with_items:       "{{ enable_suricata_secret_code_sources|default([]) }}"
      when:             'item.name not in enabled_sources.stdout'
      no_log:           true

    - name:             Enable remote sources without secret-codes
      command:          suricata-update enable-source "{{ item }}"
      with_items:       "{{ enable_suricata_remote_sources|default([]) }}"
      when:             'item not in enabled_sources.stdout'

    - name:             Add remote sources not in the index
      command:          suricata-update add-source "{{ item.name }}" "{{ item.url }}"
      with_items:       "{{ enable_suricata_custom_url_sources|default([]) }}"
      when:             'item.name not in enabled_sources.stdout'

    - name:             Disable Suricata-update remote sources tasks
      command:          suricata-update disable-source "{{ item }}"
      with_items:       "{{ enabled_sources.stdout_lines | select('match', '^  - [a-z]') | list | regex_replace('  - ') }}"
      when:
        - 'item not in (enable_suricata_remote_sources|default([])|string)'
        - 'item not in (enable_suricata_secret_code_sources|default([])|string)'
        - 'item not in (enable_suricata_custom_url_sources|default([])|string)'

    - name:             Run Suricata-update
      command:          suricata-update --no-reload

Actions #2

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to High
  • Target version set to 1.2.0

Actions #3

Updated by James Lagermann over 4 years ago

Is this fix on track for version 1.2.0? I don't see anything related to it in 1.2.0rc1.

Actions #4

Updated by Shivani Bhardwaj over 4 years ago

James Lagermann wrote in #note-3:

> Is this fix on track for version 1.2.0? I don't see anything related to it in 1.2.0rc1.

Hi James!
That's correct. You can always check the target version in the issue.

I have a question about a concern that you have raised about a certain fix.

> If the fix will be to use 'enable-source' to re-enable a disabled custom source, it will also require a command to list currently disabled sources. I will have to add a task to check for disabled sources before I try the add-source command or it will still fail.

Is it possible that before enabling/adding any source at all, we write the task for disabling the sources that are not already present in the three lists?
And then, right before the task for adding the remote sources, we add a task to remove all the sources mentioned in the `enable_suricata_remote_sources` list irrespective of whether it exists or not. It will not error out in case a source does not already exist and is being asked to be removed, it'll give a warning in that case. But, I see even if that were the case, there is a field to ignore errors for a task with ansible?

Please let me know if I am missing any steps and this would not make sense.
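
The remove-then-add workaround discussed in this comment, sketched as a shell helper (an added example, not part of the original thread or of suricata-update): it picks the action from the `.yaml` / `.yaml.disabled` state files shown in the report. The function names, the `SURICATA_UPDATE` override and the sources-directory argument are assumptions, as is `remove-source` clearing the state of a disabled source.

```sh
#!/bin/sh
# Added example: bring a custom suricata-update source to the "enabled" state
# without hitting "already exists" / "Unknown source" from the report above.

# plan_source DIR NAME
# Prints the action needed for NAME given the state files in DIR:
#   noop             NAME.yaml exists (source is enabled)
#   remove-then-add  NAME.yaml.disabled exists (the state that triggers the bug)
#   add              no state file at all
# Returns 2 for names that could escape DIR; custom source names only.
plan_source() {
    dir=$1
    name=$2
    case $name in
        ''|*/*|.*) return 2 ;;
    esac
    if [ -f "$dir/$name.yaml" ]; then
        echo noop
    elif [ -f "$dir/$name.yaml.disabled" ]; then
        echo remove-then-add
    else
        echo add
    fi
}

# ensure_source DIR NAME URL
# Applies the plan. Set SURICATA_UPDATE=echo for a dry run that only prints
# the subcommands that would be executed.
ensure_source() {
    dir=$1
    name=$2
    url=$3
    cmd=${SURICATA_UPDATE:-suricata-update}
    case $(plan_source "$dir" "$name") in
        noop)
            return 0 ;;
        remove-then-add)
            # Assumption: remove-source discards the disabled state file.
            $cmd remove-source "$name" && $cmd add-source "$name" "$url" ;;
        add)
            $cmd add-source "$name" "$url" ;;
        *)
            return 2 ;;
    esac
}
```

Because an already enabled source yields `noop`, the helper can be called on every playbook run without producing the errors shown in the description.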

Actions #5

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from Assigned to In Review

Actions #6

Updated by Jason Ish over 4 years ago

  • Target version changed from 1.2.0 to 1.2.0rc2

Actions #7

Updated by Shivani Bhardwaj over 4 years ago

  • Status changed from In Review to Closed