oasisone
Hello,
I am running ClearOS 6 community edition on a PPPoE connection and I noticed some time ago that the intrusion prevention system is empty; usually it was full of banned IPs. So I started researching. The first thing that I noticed was that in the snortsam log there was "snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync...". After that I played around with it and added a password to it, and now when snort starts I don't get that message, I don't get anything at all.
When snort starts I've seen in the log that it mentions eth0, which is the card on which the PPP connection works, so I changed in snort.conf the ext interface from any to ppp0 and got an error.
Could it be that snort watches eth0 and all the data goes through ppp0, so that's why it doesn't see anything?
Monday, November 30 2015, 02:05 PM
Responses (6)
  • Accepted Answer

    Monday, December 07 2015, 12:23 PM - #Permalink
    The default ClearOS rules are old and pretty ineffective. I also don't believe they contain any blocking rules, just detection rules. If you want blocking rules you'll need a subscription of some sort or you have to go to somewhere like Emerging Threats and use their block rules.

    You are welcome to create the /etc/sid-block.map file, but you'll have to look up how to populate it.

    [edit]
    There are some blocking rules in the default rules. "grep fwsam /etc/snort.d/rules/gpl -R" will show them.
    [/edit]
  • 
    oasisone
    Monday, December 07 2015, 08:55 AM - #Permalink
    Nick Howitt wrote:

    @oasisone,
    The rule with an sid of 1280 is in the rpc.rules file but it is a detection only rule and not a blocking rule. You need to either edit the rule to add an "fwsam ....." bit or create an /etc/sid-block.map file and fill it accordingly if you want rule 1280 to trigger a block.

    Thank you for answering, this was the first line I found in the log so I pasted it directly. The idea was that snort is detecting some sort of bad activity but it seems not to communicate with snortsam, or for some reason it just doesn't want to add blocks to the list. For sure, I don't have a /etc/sid-block.map file; should I create one?
  • 
    Saturday, December 05 2015, 09:58 AM - #Permalink
    @oasisone,
    The rule with an sid of 1280 is in the rpc.rules file but it is a detection only rule and not a blocking rule. You need to either edit the rule to add an "fwsam ....." bit or create an /etc/sid-block.map file and fill it accordingly if you want rule 1280 to trigger a block.
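The check described in this reply and in the accepted answer, as an added example that is not part of the thread: it reads a rules file for the sid and fwsam options, optionally a sid-block.map, and then says for a secure.log alert line like the one quoted above whether snortsam would be asked to block. The rule text, the log line and the sid-block.map line format ("sid: who, duration") are constructed assumptions, not ClearOS's shipped files.

```python
import re

# Constructed sample rules (not ClearOS's shipped rule text): the sid 1280 rule
# is detection-only; the second rule also carries the snortsam fwsam option.
SAMPLE_RULES = """\
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 00 00 00|"; classtype:rpc-portmap-decode; sid:1280; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh brute force"; flow:to_server; classtype:attempted-admin; sid:9000001; rev:1; fwsam: src, 1 hour;)
"""
# Constructed secure.log line in the format quoted in the thread.
SAMPLE_ALERT = ("Dec 5 08:41:48 clearos snort[2546]: [1:1280:9] GPL RPC portmap listing UDP 111 "
                "[Classification: Decode of an RPC Query] [Priority: 2] {UDP} 216.218.206.103:34209 -> 192.0.2.10:111")

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FWSAM_RE = re.compile(r"\bfwsam\s*:\s*([^;]+);")
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")  # [gid:sid:rev] as snort logs it

def parse_rules(text):
    """Map each sid in a rules file to its fwsam option (None for detection-only rules)."""
    rules = {}
    for line in text.splitlines():
        m = SID_RE.search(line)
        if line.lstrip().startswith("#") or not m:
            continue
        f = FWSAM_RE.search(line)
        rules[int(m.group(1))] = f.group(1).strip() if f else None
    return rules

def parse_sid_block_map(text):
    """Collect sids from a sid-block.map-style file (assumed 'sid: who, duration' per line)."""
    sids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s*:", line.split("#", 1)[0])
        if m:
            sids.add(int(m.group(1)))
    return sids

def alert_would_block(alert_line, rules, block_map_sids=frozenset()):
    """Decide from a snort alert line whether snortsam would be asked to block the source."""
    m = ALERT_RE.search(alert_line)
    if not m:
        return None, "no [gid:sid:rev] signature in line"
    sid = int(m.group(2))
    if sid in block_map_sids:
        return sid, "listed in sid-block.map"
    if rules.get(sid):
        return sid, "rule carries fwsam: " + rules[sid]
    if sid in rules:
        return sid, "detection-only rule (no fwsam option)"
    return sid, "sid not found in loaded rules"
```

Run it against the real files by reading /etc/snort.d/rules/gpl/rpc.rules (or all files under that directory) into parse_rules and /etc/sid-block.map into parse_sid_block_map; a "detection-only" verdict for an alert explains an empty ban list without any snortsam fault.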
  • 
    oasisone
    Saturday, December 05 2015, 08:05 AM - #Permalink
    Hello,
    the thing is that I remember it working. I even had a subscription for intrusion detection updates.
    Anyway, I see in secure.log
    Dec 5 08:41:48 clearos snort[2546]: [1:1280:9] GPL RPC portmap listing UDP 111 [Classification: Decode of an RPC Query] [Priority: 2] {UDP} 216.218.206.103:34209 -> MY.IP.HERE:111
    so snort is doing something, but clearly not the right thing. Could it be that maybe snortsam doesn't have access to iptables or wherever it writes down the banned IPs?

    PS: I even reinstalled both packages one week ago and the results are still the same.
  • 
    Thursday, December 03 2015, 05:45 PM - #Permalink
    It's done the wrong password thing for years!
  • 
    David
    Thursday, December 03 2015, 05:22 PM - #Permalink
    I just looked at my logs and I get the same thing as well.

    127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.

    Would anyone like to help answer this?

    David