apt-get update error with IPS Suricata

JonM
Posts: 141
Joined: August 4th, 2017, 5:49 pm
Location: US

apt-get update error with IPS Suricata

Post by JonM » May 31st, 2019, 7:04 pm

I've been trying to update & upgrade my Raspberry Pi for the past few days but I kept getting lots of errors:

pi@raspi:~ $ sudo apt-get update

Ign:1 http://archive.raspberrypi.org/debian stretch InRelease
Ign:2 http://raspbian.raspberrypi.org/raspbian stretch InRelease
Err:3 http://archive.raspberrypi.org/debian stretch Release
  Connection failed [IP: 93.93.128.230 80]
Err:4 http://raspbian.raspberrypi.org/raspbian stretch Release
  Connection failed [IP: 93.93.128.193 80]
Reading package lists... Done
E: The repository 'http://archive.raspberrypi.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://raspbian.raspberrypi.org/raspbian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I kept focusing on the device but it turned out to be a setting on IPFire. After turning off & on various services I finally shut down IPS Suricata. Success!

In the menu Firewall > Intrusion Prevention I have this rule checked:
emerging-policy.rules

and within emerging-policy.rules is this item:
ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management

This is nothing I clicked ON but must be a default setting for emerging-policy.rules. And it shut down the apt-get update!

Turning off ET POLICY GNU/Linux APT User-Agent Outbound allows apt-get update to run without error.

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: apt-get update error with IPS Suricata

Post by TimF » May 31st, 2019, 7:42 pm

I would suggest being very careful of rules in the 'Policy' category. The rules here are for stopping applications that are not necessarily unsafe but which are not allowed by a company's policy, for example Facebook. While some rules are distributed as enabled by default, you need to go through the list one-by-one if you're planning to enable the category. The same applies to Talos VRT rules (including community), but at least the registered/subscribed rules divide the policies up among multiple categories.

It's likely that several of these rules affect traffic used by many users, including software updates.

JonM
Posts: 141
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: apt-get update error with IPS Suricata

Post by JonM » May 31st, 2019, 8:20 pm

Hey Tim! Thank you for this info - I did not realize.

Based on a conversation in the past, I thought there were base rules (probably not the right term) and sub-rules that need the base rules to be present. ET POLICY was one of the base rules. ET EXPLOIT would be an example of a sub-rule that relies on ET POLICY. (Again, these are probably not the right terms.)

viewtopic.php?f=27&t=21526#p119274

I know this issue is more me not understanding IDS/IPS. And this is probably related to moving from Snort/Guardian to Suricata.

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: apt-get update error with IPS Suricata

Post by TimF » June 1st, 2019, 12:07 am

I'm improving my understanding as well...

The main category for the 'basic' rules is ET INFO, however there are some in ET POLICY as well, and there may well be a few elsewhere. I think that the difference is that the rules in ET INFO are really only useful as 'basic' rules - for setting flowbits used by more specific malware detecting rules. The rules in ET POLICY could be used for setting flowbits, but can be useful in their own right.

As an example, one company might use the rules in ET POLICY to detect files up/downloaded to Dropbox so that they can be scanned for malware, whereas another might wish to block Dropbox completely (this requires changing the rule action, which is not supported by the IPFire WUI yet).

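To make the base-rule / sub-rule relationship from the two posts above concrete, here is an added Python example (not code from this thread, IPFire or Suricata) that parses Suricata rule lines, records which flowbits each rule sets or tests, and reports which dependent rules would silently stop firing if a given sid were disabled. The three rules are constructed for illustration: the sids 9000001-9000003, the flowbit name EX.storage.seen and the option contents (including the `http_user_agent` match on `Debian APT-HTTP/`) are assumptions, not the real ET rule text.

```python
import re
from dataclasses import dataclass, field
# Constructed sample rules in Suricata syntax (assumed for illustration, not real ET rule text).
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"Debian APT-HTTP/"; http_user_agent; classtype:policy-violation; sid:9000001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Example cloud storage upload seen"; flow:established,to_server; content:"/storage/upload"; http_uri; flowbits:set,EX.storage.seen; flowbits:noalert; classtype:misc-activity; sid:9000002; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Example executable returned after cloud upload"; flow:established,to_client; flowbits:isset,EX.storage.seen; content:"MZ"; depth:2; classtype:trojan-activity; sid:9000003; rev:1;)
"""

# One rule option: keyword, optional value (quoted strings may contain ';'), terminating ';'.
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')

@dataclass
class Rule:
    sid: int = 0
    msg: str = ""
    sets: set = field(default_factory=set)    # flowbits this rule sets for other rules
    needs: set = field(default_factory=set)   # flowbits this rule tests (isset/isnotset)
    noalert: bool = False                     # pure "base" rule: sets bits, never alerts

def parse_rules(text):
    """Parse the option section of each rule line into a Rule."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        body = line[line.index("(") + 1:line.rindex(")")]
        r = Rule()
        for key, val in OPTION_RE.findall(body):
            if key == "msg":
                r.msg = val.strip('"')
            elif key == "sid":
                r.sid = int(val)
            elif key == "flowbits":
                op, _, bit = val.partition(",")
                if op == "set":
                    r.sets.add(bit.strip())
                elif op in ("isset", "isnotset"):
                    r.needs.add(bit.strip())
                elif op == "noalert":
                    r.noalert = True
        rules.append(r)
    return rules

def orphaned_by_disabling(rules, disabled_sids):
    """Sids of remaining rules whose required flowbits no enabled rule sets any more."""
    active = [r for r in rules if r.sid not in disabled_sids]
    still_set = set().union(*(r.sets for r in active))
    return sorted(r.sid for r in active if r.needs - still_set)
```

Disabling the APT user-agent rule orphans nothing, because it neither sets nor tests a flowbit; disabling the noalert ET INFO-style setter leaves the ET MALWARE-style rule unable to ever fire.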