Robert
I first noticed the problem where if I ran a GRC Shields Up scan on COS 6.2 there's no log or entry that I can find where it says it even detected the event. I decided to stop the service then manually run snort with these results.


SnortSam, v 2.69.
Copyright (c) 2001-2009 Frank Knobbe <frank@knobbe.us>. All rights reserved.

Plugin 'fwsam': v 2.5, by Frank Knobbe
Plugin 'fwexec': v 2.7, by Frank Knobbe
Plugin 'pix': v 2.9, by Frank Knobbe
Plugin 'ciscoacl': v 2.12, by Ali Basel <alib@sabanciuniv.edu>
Plugin 'cisconullroute': v 2.5, by Frank Knobbe
Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <maddog2k@maddog2k.net>
Plugin 'netscreen': v 2.10, by Frank Knobbe
Plugin 'ipchains': v 2.8, by Hector A. Paterno <apaterno@dsnsecurity.com>
Plugin 'iptables': v 2.9, by Fabrizio Tivano <fabrizio@sad.it>, Luis Marichal <luismarichal@gmail.com>
Plugin 'ebtables': v 2.4, by Bruno Scatolin <ipsystems@uol.com.br>
Plugin 'watchguard': v 2.7, by Thomas Maier <thomas.maier@arcos.de>
Plugin 'email': v 2.12, by Frank Knobbe
Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <ali@basel.name.tr>
Plugin 'forward': v 2.8, by Frank Knobbe

Parsing config file /etc/snortsam.conf...
Linking plugin 'iptables'...
Parsing config file /etc/snortsam.d/whitelist.conf...
Parsing config file /etc/snortsam.d/dns-whitelist.conf...
Error: [/etc/snortsam.conf: 51] Config file '/etc/snortsam.d/clearcenter-whitelist.conf' not found or inaccessible!
Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
Error: [/etc/snortsam.conf: 53] Config file '/etc/snort/system-autowhitelist.conf' not found or inaccessible!
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Error: Could not bind socket.

Exiting SnortSam...


I ran it with "snortsam /etc/snortsam.conf -v"

How can I check all is well and what can I have missed regarding not seeing a basic port scan?
Wednesday, May 09 2012, 07:55 PM
Responses (23)

  • Robert
    Sunday, May 20 2012, 11:38 AM - #Permalink
    It was only based on the fact that I couldn't find it mentioned in the docs for it :P though it seems a lot of it is like that.

  • Sunday, May 20 2012, 11:37 AM - #Permalink
    Curious. I've looked at the snortsam changelog and the sid-block.map file was introduced around 2003-02-09, which is round about snort version 1.9 build 229. What is making you say our snort version is too old for sid-block.map to work?

  • Robert
    Sunday, May 20 2012, 07:47 AM - #Permalink
    I'm in the correct position to test anything you want, just give me some instructions to do so. Clearly I'm not incapable of doing such, just unsure what you would want me to do to approach the situation. Though the bug's marked as fixed now ;)

  • Sunday, May 20 2012, 07:34 AM - #Permalink
    I could not work out where to put it even, as the file they said to put it with did not exist either! I tried where the conf file was and where the rules were but could not see any evidence of it loading. My ability to test it is minimal because of the restrictions in my VM.

  • Robert
    Sunday, May 20 2012, 12:23 AM - #Permalink
    Nick, the sid-block.map file won't work because the version is so old :(

  • Tuesday, May 15 2012, 10:16 AM - #Permalink
    @Robert
    I've simplified your list to remove duplicates:
    Reduced.txt (22226 bytes): http://www.clearfoundation.com/media/kunena/attachments/legacy/files/Reduced.txt - rename to sid-block.map because of forum posting rules.

    I've also created a list from all the 5.2 rules, as there are some there which you don't have in your list but do get used if you use the Emerging Threats rules:
    5.txt (29850 bytes): http://www.clearfoundation.com/media/kunena/attachments/legacy/files/5.txt - again, rename to sid-block.map because of forum posting rules.

    If you are trying to use pulledpork, did you find my Emerging Threats script for 5.2 here? It would need updating for 6.2 and is a bit of a sledgehammer, so you can't select which rules to enable and which you don't want, which I believe is what you can do with pulledpork.

    I'll try to raise a feature request for the IPS so we get some form of editor for sid-block.map if ClearOS are not going to provide any rules with snortsam blocks.

    [edit]
    Bug/Feature 609 filed in bug tracker
    [/edit]

    [edit2]
    Where have you put your sid-block.map file? I've put in the directory with my rules, but as I'm using a play NAT'ed VM it is a bit hard to make snort/snortsam trigger so I can't test properly.
    [/edit2]

  • Robert
    Tuesday, May 15 2012, 02:03 AM - #Permalink
    Ok, talking to the peeps on the Snort IRC channel, and that version installed in ClearOS 6.2 is EOL:

    "it was EOL on July 13 of last year"

    Can you possibly tell me the configure line used to compile the rpm so I can give the latest release a whirl a little easier?

    Thanks,

    Rob

  • Robert
    Monday, May 14 2012, 10:02 PM - #Permalink
    @Nick

    http://dl.dropbox.com/u/17606346/sid-block.zip

    Knock your heart out. I'm trying to get pulledpork to work but can't because it's trying to access the version of the snort rules that I don't have access to, I think.



    http://code.google.com/p/pulledpork/
    PulledPork v0.6.1 the Smoking Pig
    Copyright (C) 2009-2011 JJ Cummings cummingsj@gmail.com
    Rules give me wings!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Checking latest MD5 for snortrules-snapshot-2904.tar.gz....
    A 403 error occurred, please wait for the 15 minute timeout
    to expire before trying again or specify the -n runtime switch
    You may also wish to verfiy your oinkcode, tarball name, and other configuration options
    Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at ./pulledpork.pl line 453
    main::md5file('<OINKCODE>', 'snortrules-snapshot-2904.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at ./pulledpork.pl line 1758

  • Monday, May 14 2012, 09:35 PM - #Permalink
    @Robert
    Have you seen this for configuring sid-block.map.

    @Tim,
    It makes snortsam pretty much useless as it is. I'll see if I can work out how to dump all the current (ClearOS5.2) fwsam rules so they can be put into a sid-block.map file, but I haven't a clue where I'd stand at all with licensing. I also don't know how the 5.2 rules compare against the 6.2 ones.

  • Monday, May 14 2012, 08:18 PM - #Permalink
    Robert wrote:
    So what you're suggesting is that currently snort on COS 6.2 does nothing at all.
    Ouch! Looks that way, or at least the intrusion prevention service... IDS is still working.

    It would appear that Snort no longer provide rules without a VRT subscription, or indirectly via the ClearOS Intrusion Protection Updates app. It's a real shame if all that's left is a bunch of rules with no IPS hooks...particularly when compared with what we had in 5.2!

  • Robert
    Monday, May 14 2012, 06:28 PM - #Permalink
    Nick, I don't think they realised that they were removed from the normal ruleset. I did a Google and found that a few other products suffered the same fate and they suggest using a .map file. I have the .map file but I'm yet to achieve getting it working, purely because I'm a snort novice. I will keep looking into it though.

  • Monday, May 14 2012, 06:10 PM - #Permalink
    It looks like they've moved more things between 5.2 and 6.2. Note to me - check in 6.2 before posting from memory. ........ and yes it looks like there are no rules with fwsam defined so it makes you wonder about why bother running snortsam. Snort is still doing its stuff, detecting and logging packets but snortsam looks like a waste of effort as the rules are.

    If you search the forum I wrote a script to use the Emerging Threats rules which as a by-product allows you to define your own fwsam elements. The script will need updating for 6.2 as 6.2 uses v2.9.x of snort whereas 5.2 used 2.8.x and the file layout is different.

    @devs - What is the point of snortsam with the default rule set?

  • Robert
    Monday, May 14 2012, 04:31 PM - #Permalink
    So what you're suggesting is that currently snort on COS 6.2 does nothing at all.

    [root@node1 ~]# grep fwsam /etc/snort.d/rules/gpl/*.rules
    [root@node1 ~]#



    The location you mentioned doesn't exist on COS 6.2.

  • Friday, May 11 2012, 09:08 AM - #Permalink
    Snort just does detection. If the rule has a "fwsam" element to it with another couple of parameters, snortsam will then activate a block. Have a little read here. There are some rules with blocks defined and you can see them with
    grep fwsam /etc/snort/*.rules | less
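The post above and the sid-block.map pointer in the May 14 09:35 PM reply make the same point: Snort logs every alert to /var/log/secure, but SnortSam only blocks when the alert's sid is tied to a block action, either by an fwsam option on the rule or by an entry in sid-block.map. The script below is an added example, not code from this thread, ClearOS or SnortSam; it parses alert lines in the syslog format shown in the thread, a rule file and a sid-block.map, and reports which alerts would be logged only. The sid-block.map syntax it accepts ('<sid>[,<sid>...]: <who>[how], <duration>') is an assumption, and the log lines, rule and map contents are constructed samples modelled on the thread.

```python
"""Which Snort alerts from /var/log/secure would SnortSam actually block?"""
import re
from typing import Dict, List, Optional, Tuple
# Syslog alert line as Snort writes it in the thread's /var/log/secure excerpts;
# endpoints may carry a port (4.79.142.206:40318) or not (external_source_ip).
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+?)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")      # the rule's own sid option
FWSAM_RE = re.compile(r"\bfwsam:\s*([^;]+);")   # 'fwsam: <who>[how], <duration>;'

def parse_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = ALERT_RE.search(line.strip())
    return m.groupdict() if m else None             # None for non-alert lines

def load_sid_block_map(text: str) -> Dict[int, str]:
    """Parse sid-block.map; assumed syntax '<sid>[,<sid>...]: <who>[how], <duration>'."""
    mapping: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if ":" not in line:
            continue
        sids, action = line.split(":", 1)
        for sid in sids.split(","):
            if sid.strip().isdigit():
                mapping[int(sid)] = action.strip()
    return mapping

def load_rule_blocks(rules: str) -> Dict[int, str]:
    """Collect sids whose rule carries an fwsam option (what 'grep fwsam' finds)."""
    blocks: Dict[int, str] = {}
    for line in rules.splitlines():
        sid, fw = SID_RE.search(line), FWSAM_RE.search(line)
        if sid and fw:
            blocks[int(sid.group(1))] = fw.group(1).strip()
    return blocks

def classify(log_lines: List[str], sid_map: Dict[int, str],
             rule_blocks: Dict[int, str]) -> List[Tuple[str, int, str, Optional[str]]]:
    """Per alert: (gid, sid, source, block action); action None means logged only.
    Both block sources key on the sid alone, as sid-block.map itself does."""
    report = []
    for line in log_lines:
        a = parse_alert(line)
        if a is None:                               # e.g. an sshd line in the same log
            continue
        sid = int(a["sid"])
        report.append((a["gid"], sid, a["src"], rule_blocks.get(sid) or sid_map.get(sid)))
    return report

# Constructed samples modelled on the thread's excerpts (not real captures).
SAMPLE_LOG = [
    "May 10 01:27:19 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: "
    "Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161",
    "May 10 23:45:12 node1 snort[9350]: [122:5:1] PSNG_TCP_FILTERED_PORTSCAN [Classification: "
    "Attempted Information Leak] [Priority: 2] {PROTO:255} external_source_ip -> wan_ip",
    "May 10 23:45:13 node1 sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 52000",
]
SAMPLE_MAP = "# constructed sid-block.map\n1418, 1420: src, 15 min\n"
SAMPLE_RULE = 'alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; sid:1390; rev:5; fwsam: src, 1 hour;)'
```

Run against your own /var/log/secure, rules directory and sid-block.map, an alert that comes back with a None action is one Snort will keep logging but SnortSam will never act on, which is exactly the symptom this thread describes.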

  • Robert
    Thursday, May 10 2012, 10:47 PM - #Permalink
    Hi Tim,

    I think you may need to revisit the snort.conf file and adjust it, as I had to uncomment something else completely to get it to place messages in /var/log/secure.

    Now I get the message but don't see any action taken on the Intrusion Prevention table.


    May 10 23:45:12 node1 snort[9350]: [122:5:1] PSNG_TCP_FILTERED_PORTSCAN [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} external_source_ip -> wan_ip

  • Robert
    Thursday, May 10 2012, 12:34 AM - #Permalink
    Even set to high it's not blocked.

  • Robert
    Thursday, May 10 2012, 12:29 AM - #Permalink
    Nmap is run from an external source :)

    Just tested with that section uncommented on medium instead of low and that doesn't do anything either. Just testing Shields Up:

    May 10 01:27:19 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
    May 10 01:27:19 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
    May 10 01:27:20 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
    May 10 01:27:20 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
    May 10 01:27:20 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
    May 10 01:27:20 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162
    May 10 01:27:21 node1 snort[30231]: [1:1418:11] GPL SNMP request tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:161
    May 10 01:27:21 node1 snort[30231]: [1:1420:11] GPL SNMP trap tcp [Classification: Attempted Information Leak] [Priority: 2] {TCP} 4.79.142.206:40318 -> my.wan.ip:162


    There's the log.

  • Thursday, May 10 2012, 12:22 AM - #Permalink
    If you look in /etc/snort.d/rules/scan.rules you'll notice that only a few scanner signatures are actually detected in this way... I can recall what rule the GRC scan used to trigger in 5.2? Something to do with port 0 if I recall...

    Are you using nmap from within your own LAN, or externally? The former will not trigger anything as Snort listens to the external interfaces.

    If you want better portscan detection, rather than just rules, have a look at /etc/snort.conf and
    # Portscan detection.  For more information, see README.sfportscan
    # preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }


    Snort docs are here
    less /usr/share/doc/snort-2.9.0.4/README.sfportscan

  • Robert
    Wednesday, May 09 2012, 11:59 PM - #Permalink
    I see snort seeing the issue:


    May 10 00:16:32 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:37374 -> my.wan.ip:43699
    May 10 00:16:32 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:37374 -> my.wan.ip:43699
    May 10 00:17:47 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
    May 10 00:17:47 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
    May 10 00:17:47 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
    May 10 00:17:48 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:43642
    May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
    May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
    May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069
    May 10 00:17:49 node1 snort[19590]: [1:1390:5] GPL SHELLCODE x86 inc ebx NOOP [Classification: Executable Code was Detected] [Priority: 1] {UDP} my.test.ip:40620 -> my.wan.ip:37069


    Though this was a port scan with nmap.

    GRC's Shields up scan is not blocked like it was on 5.x either.

  • Robert
    Wednesday, May 09 2012, 11:56 PM - #Permalink
    I have tried this. Testing with nmap and the ip address never gets blocked.

  • Wednesday, May 09 2012, 11:49 PM - #Permalink
    Hi Robert, to test successfully you need to use the 'service snort restart' and 'service snortsam restart' commands to manage the services... If you specify from the command line directly it will not bind to the correct WAN interface and subsequently be listening inside the firewall with no alerts ;)

    P.S. All snort warnings are logged in /var/log/secure... the bad ones are automatically blocked via snortsam, and displayed in the webconfig.

  • Robert
    Wednesday, May 09 2012, 11:08 PM - #Permalink
    Ticking web-client exploits causes a fatal error:
    May  9 23:55:03 node1 snort[18806]: FATAL ERROR: /etc/snort.d/rules/gpl/web-client.rules(118) ***PortVar Lookup failed on '$FILE_DATA_PORTS'.


    Adding
    portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
    somewhere in /etc/snort.conf fixes this, though I still do not see anything getting blocked.

  • Robert
    Wednesday, May 09 2012, 07:58 PM - #Permalink
    I just thought I would confirm regarding the launching issue, and sure enough as soon as I was killing snort, clearsync or whatever I see it was referred to earlier kicked in and relaunched it.


    SnortSam, v 2.69.
    Copyright (c) 2001-2009 Frank Knobbe <frank@knobbe.us>. All rights reserved.

    Plugin 'fwsam': v 2.5, by Frank Knobbe
    Plugin 'fwexec': v 2.7, by Frank Knobbe
    Plugin 'pix': v 2.9, by Frank Knobbe
    Plugin 'ciscoacl': v 2.12, by Ali Basel <alib@sabanciuniv.edu>
    Plugin 'cisconullroute': v 2.5, by Frank Knobbe
    Plugin 'cisconullroute2': v 2.2, by Wouter de Jong <maddog2k@maddog2k.net>
    Plugin 'netscreen': v 2.10, by Frank Knobbe
    Plugin 'ipchains': v 2.8, by Hector A. Paterno <apaterno@dsnsecurity.com>
    Plugin 'iptables': v 2.9, by Fabrizio Tivano <fabrizio@sad.it>, Luis Marichal <luismarichal@gmail.com>
    Plugin 'ebtables': v 2.4, by Bruno Scatolin <ipsystems@uol.com.br>
    Plugin 'watchguard': v 2.7, by Thomas Maier <thomas.maier@arcos.de>
    Plugin 'email': v 2.12, by Frank Knobbe
    Plugin 'email-blocks-only': v 2.12, by Frank Knobbe
    Plugin 'snmpinterfacedown': v 2.3, by Ali BASEL <ali@basel.name.tr>
    Plugin 'forward': v 2.8, by Frank Knobbe

    Parsing config file /etc/snortsam.conf...
    Linking plugin 'iptables'...
    Parsing config file /etc/snortsam.d/whitelist.conf...
    Parsing config file /etc/snortsam.d/dns-whitelist.conf...
    Error: [/etc/snortsam.conf: 51] Config file '/etc/snortsam.d/clearcenter-whitelist.conf' not found or inaccessible!
    Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
    Error: [/etc/snortsam.conf: 53] Config file '/etc/snort/system-autowhitelist.conf' not found or inaccessible!
    Checking for existing state file "/var/db/snortsam.state".
    Found. Reading state file.
    Starting to listen for Snort alerts.


    So back to the first issue: how can I get this to work correctly?

    EDIT:-

    Before it's mentioned, yes it's enabled as far as I'm aware: "scan Network scan detection 17 TICK"