
Resolved
2 votes
I commented on an earlier post regarding this very same issue, but after several days no responses so I thought I'd risk it and start a new thread on this subject.

I used one of the first ClarkConnect versions for years, updated to one of the first ClearOS versions in about 2003 or 2004 (I think), and have used that older version successfully at my home/office for many years. I just now upgraded my ClearOS to 6.6.0 final (the latest release I could locate), with the IPS/IDS installed. My old ClearOS/ClarkConnect would always block and set an IP in the blocked IP list for some kiddy scripts and sometimes something a bit more malicious. However, this new version with the free included rules/signatures never seems to block an IP, or at least never shows any blocked IPs. Other than that, for my simple home office use, ClearOS 6.6.0 is working very well.

Having checked the snort.php file, it appears to have changed significantly and trying the hack mentioned in an earlier post to add some php code at line 185 appears to not be a prudent thing to attempt.

Has this been resolved? Again, there is a perception that something is not quite right. Basic blocking for common attacks should be working and should show the offending IP.

It also appears that there are those who feel this should not even be a part of the installation or available in the store. Is it best not to even run these tools with the stock rules?

Thanks for any information or thoughts.

JohnJ
Friday, July 17 2015, 05:36 AM
Responses (4)
  • Accepted Answer

    Friday, July 17 2015, 11:13 AM
    The free rules in 6.x are very limited and, to a large extent, ineffective as they only block old threats. If you want some more recent rules, you'll need a subscription or you'll have to look at something like the Emerging Threats rules. There are some posts on this forum about the ET rules.

    Friday, July 17 2015, 03:55 PM
    Thanks, Nick, for the answer, but... if the old rule set from an older version of ClearOS/ClarkConnect still showed, almost daily, some blocked IPs, doesn't the default rule set from DansGuardian still have these most basic of rules?

    That is the crux of my question I suppose.

    Weird. I'll check out emerging rules or pay the $100 and I should help support ClearOS for the amount of time I have used it.

    Thanks again.

    Monday, July 20 2015, 05:27 AM
    Just as a follow-up, I did purchase the annual subscription and I now do get a lot of blocks but for the same security ID, 2011716 and 3100001.

    I believe one is a SIP port 5060 probe and the other a port 2X probe (2X = 22, 23 or 24, not sure).

    Where can I find a complete list of what these security IDs are? Google is partially helpful, as always, but I can never find a complete list. Snort did have one for older version rules, but not so now.

    Thanks again.

    John

    Monday, July 20 2015, 11:40 AM
    I can't remember where the rules go but you can do something like "grep 2011716 /etc/snort/* -R" which should find the blocking rule (the folder may be snort.d and not snort). You can also see the rules being triggered (with a description) in /var/log/secure.

    [edit]
    Home now. It is /etc/snort.d/* for the rules.
    [/edit]
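Following Nick's pointer to grep the rule files by SID, here is an added example that is not part of the thread and not ClearOS or Snort code: a small Python script that builds a SID-to-message index from rule files and joins it against alert lines in Snort's standard alert_fast output format, so every blocked SID in a log can be read as "what the rule says it caught, from which source IP, how often". The rule bodies and alert lines below are constructed for the example; the SIDs reuse the numbers from the thread, but the messages are invented and are not the real Emerging Threats rules. The `load_rule_dir` helper assumes the `/etc/snort.d` layout mentioned above and reads any `*.rules` files under it; whether ClearOS writes its `/var/log/secure` entries in alert_fast format is not assumed, so adjust `ALERT_LINE` if the local lines differ.

```python
import glob
import os
import re
from collections import Counter

# Constructed sample rules in Snort rule syntax. The SIDs match the thread,
# but these bodies are made up for the example and are NOT the real ET rules.
SAMPLE_RULES = r'''
# SIP OPTIONS probe against the PBX port (constructed example)
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"EXAMPLE SIP OPTIONS probe"; content:"OPTIONS sip|3a|"; depth:12; classtype:attempted-recon; sid:2011716; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SSH scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:3100001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE telnet probe"; flags:S; sid:3100002; rev:2;)
'''

# Constructed alert lines in Snort's alert_fast format ([gid:sid:rev] msg ...).
# The last line uses a SID that is deliberately absent from SAMPLE_RULES.
SAMPLE_ALERTS = '''
07/20-05:12:33.123456  [**] [1:2011716:1] EXAMPLE SIP OPTIONS probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5060 -> 192.0.2.10:5060
07/20-05:12:34.001122  [**] [1:2011716:1] EXAMPLE SIP OPTIONS probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.7:5061 -> 192.0.2.10:5060
07/20-05:13:01.555555  [**] [1:3100001:1] EXAMPLE SSH scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:41022 -> 192.0.2.10:22
07/20-05:14:09.000001  [**] [1:9999999:1] Unknown rule not in local files [**] [Priority: 3] {TCP} 198.51.100.23:41023 -> 192.0.2.10:80
'''

# Rule options we care about: quoted msg, or a bare value up to the next ';'.
RULE_FIELD = re.compile(r'\b(msg|sid|rev|classtype)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+)\s*;')

# alert_fast layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_LINE = re.compile(
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]'
    r'.*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?')


def index_rules(rule_text):
    """Map SID -> {action, msg, classtype, rev} for every active (uncommented) rule."""
    index = {}
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # comments and disabled rules carry no live SID
        action = line.split(None, 1)[0]  # alert / drop / reject / pass ...
        fields = {k: v.strip().strip('"') for k, v in RULE_FIELD.findall(line)}
        if 'sid' not in fields:
            continue
        index[int(fields['sid'])] = {
            'action': action,
            'msg': fields.get('msg', ''),
            'classtype': fields.get('classtype', ''),
            'rev': int(fields.get('rev', 0)),
        }
    return index


def load_rule_dir(path='/etc/snort.d'):
    """Index every *.rules file under the rule directory (path is an assumption from the thread)."""
    text = []
    for name in glob.glob(os.path.join(path, '**', '*.rules'), recursive=True):
        with open(name, encoding='utf-8', errors='replace') as fh:
            text.append(fh.read())
    return index_rules('\n'.join(text))


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert_fast record."""
    m = ALERT_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ('gid', 'sid', 'rev'):
        rec[key] = int(rec[key])
    return rec


def summarize(alert_text, rule_index):
    """Count hits per (sid, source IP) and collect SIDs the local rule files do not explain."""
    hits = Counter()
    unknown = set()
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        hits[(rec['sid'], rec['src'])] += 1
        if rec['sid'] not in rule_index:
            unknown.add(rec['sid'])
    return hits, unknown


def describe(sid, rule_index):
    """Human-readable line for a SID, flagging SIDs absent from the loaded rules."""
    rule = rule_index.get(sid)
    if rule is None:
        return 'sid %d: not present in local rule files' % sid
    return 'sid %d (%s, rev %d, %s): %s' % (
        sid, rule['action'], rule['rev'], rule['classtype'] or 'no classtype', rule['msg'])


if __name__ == '__main__':
    rules = index_rules(SAMPLE_RULES)  # swap for load_rule_dir() on a real box
    hits, unknown = summarize(SAMPLE_ALERTS, rules)
    for (sid, src), count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print('%3d hits from %-15s %s' % (count, src, describe(sid, rules)))
    if unknown:
        print('SIDs firing without a local rule (rule set out of sync?):', sorted(unknown))
```

The "unknown SID" check is the part worth keeping on a real box: an alert whose SID is not in the rule files you can read usually means the running sensor loaded rules from somewhere other than the directory you are grepping, which is exactly the confusion the thread started with.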