
Matt Ashby
Resolved
0 votes
I have installed the Intrusion Protection and Detection modules and they all seem good. I get notifications that 1000s of attempts have been made, however they seem to be from the same IP address.

If I check under the Blocked List, no IPs have been added.

How do I get it to auto block persistent attempts?
Thursday, March 24 2016, 02:18 PM
Responses (1)
  • Accepted Answer

    Thursday, March 24 2016, 05:05 PM
    Resolved
    0 votes
    If you only have the free rules then only 111 of them have blocking elements ("grep -v ^# /etc/snort.d/rules/gpl/*.rules | grep fwsam" to see them). If you know which rule is triggering them - look for snort in /var/log/secure, then the bit like [1:1280:9] where you want the middle number. Then search the rules for a sid of that number, e.g. "grep sid:1280 /etc/snort.d/rules/gpl/*.rules"; that will identify the rule which is triggering. You can edit the rule and add the fwsam component, something like "fwsam: src, 86400 seconds;". You need to work out from the rule if you are blocking the source or destination (which depends on whether the rule is detecting the incoming packet or the return packet; you'll have to read the rule) and decide how long you want the block for. Alternatively you can create a file /etc/sid-block.map and add a line like:
    1201: src, 3 days
    Again, check the direction you want to block. I would prefer the /etc/sid-block.map route. Restart snort after adding the block rule.

    FWIW the gpl rules put out by ClearOS are very old and not too useful. To get up to date rules you'll really need a subscription with ClearOS. There are also a lot of free rules from Emerging Threats which you can use.

    Worth bearing in mind is that snort sits outside the firewall. This means that adding a block rule will not stop the messages. Also, if snort is detecting something on a port that is not open, there is no point in adding a firewall rule as the port is closed anyway, and there is no point in using the snort rule.
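The log-reading step in the answer above, automated as an added illustration (this is not code from the post or from ClearOS): it pulls the [gid:sid:rev] and the addresses out of snort's syslog lines, reports the noisiest sid to grep for, and drafts sid-block.map entries whose direction is chosen by whether the alert fired on the incoming packet or on our own reply. The log lines, the syslog layout and the gateway address 192.0.2.1 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of snort alerts as syslog writes them to /var/log/secure (not real log data).
# sid 1280 fires on the incoming packet, sid 1201 on the reply our server sends back.
SAMPLE_LOG='Mar 24 14:10:01 gw snort[2210]: [1:1280:9] RPC portmap listing UDP 111 [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 203.0.113.5:1024 -> 192.0.2.1:111
Mar 24 14:10:03 gw snort[2210]: [1:1280:9] RPC portmap listing UDP 111 [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 203.0.113.5:1025 -> 192.0.2.1:111
Mar 24 14:11:17 gw snort[2210]: [1:1201:7] ATTACK-RESPONSES 403 Forbidden [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.1:80 -> 203.0.113.9:51000
Mar 24 14:12:40 gw snort[2210]: [1:1280:9] RPC portmap listing UDP 111 [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 203.0.113.5:1026 -> 192.0.2.1:111'

# Read snort lines on stdin; print "count gid:sid:rev src -> dst", busiest first.
snort_alert_summary() {
  awk '
    /snort\[[0-9]+\]: \[[0-9]+:[0-9]+:[0-9]+\]/ {
      sig = ""; src = ""; dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^\[[0-9]+:[0-9]+:[0-9]+\]$/) sig = substr($i, 2, length($i) - 2)
        if ($i == "->") { src = $(i - 1); dst = $(i + 1) }
      }
      sub(/:[0-9]+$/, "", src); sub(/:[0-9]+$/, "", dst)   # drop the port numbers
      if (sig != "" && src != "") count[sig " " src " -> " dst]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The middle number of the busiest signature: the sid to grep for in the rule files.
top_sid() {
  snort_alert_summary | head -n 1 | awk '{ split($2, s, ":"); print s[2] }'
}

# Draft /etc/sid-block.map lines. $1 = this gateway's own address, $2 = block duration.
# If the alert's source is our own address the rule matched the reply packet, so the
# remote host is the destination and the entry must say dst, not src.
suggest_sid_block_map() {
  me=$1; dur=$2
  snort_alert_summary | awk -v me="$me" -v dur="$dur" '
    { split($2, s, ":"); dir = ($3 == me) ? "dst" : "src"
      if (!(s[2] in seen)) { seen[s[2]] = 1; print s[2] ": " dir ", " dur } }'
}

# Demo on the constructed log; on a real box feed "grep snort /var/log/secure" instead.
printf '%s\n' "$SAMPLE_LOG" | snort_alert_summary
printf '%s\n' "$SAMPLE_LOG" | suggest_sid_block_map 192.0.2.1 '3 days'
```

Still read the rule before trusting the drafted direction, as the answer says; the script only uses which side of the arrow our own address sits on.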