Are there pre-installed Correlation rules on clean install of UTMStackServer?

[lacak-sk]

When I click on MENU / Manage Correlation Rules (in web interface of UTMStackServer) I do not see there any rules.
When I looked at demo.utmstack.com there I can see there "system" folder which contains a lot of other folders with yml files.
Does it means that my clean install (from ISO image) is not armed with any rules? So it doesn't actually do any kind of log correlation and therefore doesn't raise any alerts?

[c3s4rfred]

Hi, @lacak-sk. All versions and variants of UTMStack have the correlation rules preinstalled, but you can see the system rules folder only in the latest versions because we moved the project to open source. If you can't see the folder, you're using an old version.

Best regards

[lacak-sk]

Thanks, but I downloaded "ISO Image" from https://utmstack.com/install/ so I think that it is current version (https://cdn.utmstack.com/iso/utmstack-v10-1-0-autoinstall.iso) ... does is it not?
(In Web GUI I see version 10.3.0; In CORRELATION RULES there is only message "It feels lonely here..."; /utmstack/rules directory is empty)

[c3s4rfred]

Hi @lacak-sk, rules are on a public git repository, please check if you have something blocking connections to git repositories.

Best regards

[lacak-sk]

Thanks. I have deployed UTMStackServer behind corporate firewall, but I do not think that firewall block outbound connection to git repository. I can successfully do (from Ubuntu console) for example "sudo apt update", "sudo apt upgrade", "wget http://github.com/utmstack/UTMStack/releases/latest/download/installer".
What is path to git repository where rules are published? (I can try download them manually)
May be that it is again network/routing issue (as discussed in #599, #602), if connection to git repository is attempted from inside docker container which utilizes IP address already presented in LAN ...
It would be nice if the connectivity problem was logged in "Settings/Application Logs" + there should be somewhere warning (something like "There are no correlation rules. Alerts will not be generated ...") that if there are no rules (installed, entered) then no alerts can/will be raised. -> entered also as a feature request #646

[c3s4rfred]

The correlation rules are downloaded automatically when installing, something must be blocking that, but you can add the rules manually, the rules can be found here -> https://github.com/utmstack/rules.
After adding the rules, the correlation rules docker container if you have added a complete rule folder; if you add rules one by one, you don't need to restart the container.
Let us know the results,

Best regards

[lacak-sk]

I did from Ubuntu console:
wget https://github.com/utmstack/rules/archive/refs/heads/master.zip && unzip ./master.zip -d /utmstack/rules
Now I can see in web GUI "Manage Correlation Rules" folder "rules-master". So I think that rules are there.

But original question remains: why during install rules were not downloaded? Now download succeeded, why not before? (of course, I haven't changed anything (on network, firewall, etc.) in the meantime)

(are rules cloned from https://github.com/AtlasInsideCorp/UTMStackCorrelationRules.git into "system" directory as it is in rules/update.go? Where are written messages logged by log.Println()?)

[osmontero]

docker service logs utmstack_correlation

[osmontero]

Maybe you had a network failure during the installation, GitHub could be experiencing some service degradation, etc.

[lacak-sk]

I can confirm, that there is logged error message: "Could not update ruleset ...":
(docker service logs utmstack_correlation 2>&1 | grep "Could not update ruleset")

2024/04/29 08:19:15 Downloading rules
2024/04/29 08:19:23 Could not update ruleset: chdir /app/rulesets/system: no such file or directory

But root of problem was same as in #599. After I apply steps suggested in https://github.com/orgs/utmstack/discussions/599#discussioncomment-9260240, the directory "system" was created with the rules.
So basically it was a docker network issue.