Hello
I would like some help:
How do I increase the lock time on the Intrusion Prevention screen? I wish it would be longer, hours.
thank you
Responses (4)
Accepted Answer
Thanks Peter for pointing me in the right direction. I read the request tracker entry and I also utilized the "Wish List" functionality to add a couple of "wishes".
If anybody else wants to chime in, vote up (or down), or add recommendations, a better idea, etc.:
Add a "Black List" to Intrusion Prevention:
http://www.clearfoundation.com/Wishlist/comment/912-Intrusion-Prevention-quotBlack-Listquot.html
Add ability to adjust default IPS rule "block length" (globally):
http://www.clearfoundation.com/Wishlist/comment/913-Intrusion-Prevention-configurable-block-time.html
... and I'll do some reading on Suricata. Sounds interesting from a quick Google.
Accepted Answer
- There's a related request in the tracker @ http://tracker.clearfoundation.com/view.php?id=609
- You can add feature requests via the "Wish List" system @ http://www.clearfoundation.com/Wishlist/ClearFoundation.html
Personally, I think a complete revamp using Suricata would be best -- that idea was thrown around for the ClearOS 7 roadmap!
Accepted Answer
Peter Baldwin wrote:
Unfortunately, the lockout time parameter is embedded in the individual intrusion detection rules. Here's an example; one of the rules in /etc/snort.d/rules/gpl/exploit.rules looks like this:
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5; fwsam: src, 86400 seconds;)
The bold part (fwsam: src, 86400 seconds;) is where the lockout time is set. If you are running the ClearCenter Intrusion Protection list, there are nearly 1,000 entries like this (out of a total of 13,500+ intrusion detection rules)!
I came here searching on this same question ... already basically seeing what you wrote ahead of time, Peter (i.e., that the 86400 was on each individual rule).
It would be a nice feature to "parameterize" this with a setting in the webgui, for at least the paid IDS/IPS subscribers ... or, even if not in the webgui, via a .conf file or something.
Alternatively, via the webgui, give the user the option to add the IP to a permanent "black" list (i.e., the converse of the whitelist ... that would permanently block the IP until/unless otherwise removed)?
Is this achievable? Can I submit this feature request? If so, how?
Accepted Answer
Unfortunately, the lockout time parameter is embedded in the individual intrusion detection rules. Here's an example; one of the rules in /etc/snort.d/rules/gpl/exploit.rules looks like this:
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5; fwsam: src, 86400 seconds;)
The bold part (fwsam: src, 86400 seconds;) is where the lockout time is set. If you are running the ClearCenter Intrusion Protection list, there are nearly 1,000 entries like this (out of a total of 13,500+ intrusion detection rules)!
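As an added illustration (not code from this thread or from ClearOS), here is a Python helper that does the "parameterize" step by hand: it finds the fwsam option in each rule and rewrites the block time, leaving rules without one untouched. It assumes the rule files use the "fwsam: who, N seconds;" form shown above; applying it to a live file such as /etc/snort.d/rules/gpl/exploit.rules would need a Snort restart and the change would presumably be lost on the next rule update, so treat it as a local experiment.

```python
import re

# Snort rule option (SnortSam/ClearOS) that sets how long the offender is blocked,
# e.g. "fwsam: src, 86400 seconds;".  Captures the "who" (src/dst) and the time.
FWSAM_RE = re.compile(r"fwsam:\s*(?P<who>[^,;]+?)\s*,\s*(?P<time>[^;]+?)\s*;")


def get_fwsam_duration(rule: str):
    """Return (who, time) from a rule's fwsam option, or None if it has none."""
    m = FWSAM_RE.search(rule)
    return None if m is None else (m.group("who"), m.group("time"))


def set_fwsam_duration(rule: str, seconds: int) -> str:
    """Return the rule with its fwsam block time replaced by `seconds`.
    Rules without an fwsam option come back unchanged."""
    return FWSAM_RE.sub(lambda m: f"fwsam: {m.group('who')}, {seconds} seconds;", rule)


def rewrite_rules(text: str, seconds: int):
    """Rewrite every active rule in a rules file; comment lines are left alone.
    Returns (new_text, number_of_rules_changed)."""
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        new = line if line.lstrip().startswith("#") else set_fwsam_duration(line, seconds)
        changed += int(new != line)
        out.append(new)
    return "".join(out), changed


# Constructed sample: the rule quoted in the thread, a comment line, and one rule
# with no fwsam option (hypothetical sid 9000001) that must stay untouched.
SAMPLE_RULES = (
    '# GPL exploit rules (sample)\n'
    'alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; '
    'content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; '
    'reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5; fwsam: src, 86400 seconds;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE no block"; sid:9000001; rev:1;)\n'
)

if __name__ == "__main__":
    # Example: raise the block time from one day to one week (604800 seconds).
    new_text, n = rewrite_rules(SAMPLE_RULES, 604800)
    print(f"{n} rule(s) updated")
    print(new_text)
```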