Hi,
I was under the impression that ClearOS auto-configured /etc/snort.conf with the ipvar HOME_NET set to your WAN IP, LAN and EXTRALANS subnets.
I rebuilt my system last week and as I brought the system up it originally got a private IP from my cable modem/router. I switched the router to bridge mode and eventually it got another private IP on eth0 before it switched to a public IP, but I was wondering why I was no longer getting any snort alerts. I've just looked at my snort.conf and the WAN IP was not in the HOME_NET variable. I've gone through the logs and the time stamp on snort.conf is from when I got the message "eth0: link is not ready" after I switched the router to bridge mode. This means it did not auto-configure when it got the second private IP address or the public one. ClearOS had real difficulties with these changes anyway and I had to down and up the interface a couple of times during the process. At one time it had no IP. Perhaps this is when the WAN IP got removed.
Is there a bug here with the auto-configuration or does ClearOS no longer pull in the WAN IP onto HOME_NET?
TIA,
Nick
Responses (7)
Accepted Answer
The fix links into the network-connected event so should run automatically any time the WAN IP changes. For me it hardly ever does. It only changed this time because ClearOS knocked out my MACADDR line from the ifcfg file, which I put there when I changed NICs (actually motherboards). I am fairly happy to leave it hard coded in snort.conf, but the fix should be pushed through. The change was committed and the bug closed on 1st April, so I would have liked to have seen it.
BTW you can probably pick up your network configuration a lot easier if you include "functions-automagic" in your script. You can see an example of this in /etc/init.d/slapd. You can then just use $AUTOMAGIC_LANIPS and $AUTOMAGIC_EXTIPS.
Accepted Answer
I agree the problem requires fixing at the source but decided to create a temporary fix for the problem. The following script: Re: Does the kernel support ipset? has a temporary solution for this problem. The plug-in tie-ti1-snort-network-addresses, included in the zip file, will attempt to identify and fix this problem. Once the problem is fixed, it will also be a good way to monitor for the problem if it ever occurs again, as the script also has email capabilities (another plug-in for the same script).
Here is the plug-in code if you wish to retrofit it in your own script:
# TIE: Update Snort network addresses plug-in function
#
# doSnortNetworkAddressesPlugin()
# Temporary fix for problem identified by Nick see:
# http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,8/func,view/id,60799/
#
SNORT_NETWORK_ADDRESSES_PLUGIN_VERSION=1.0 # Script version
IPCALC=/bin/ipcalc
DO_SNORT_NETWORK_ADDRESSES_PLUGIN_ENABLED="$TRUE"
doSnortNetworkAddressesPlugin() {
    doDebug "Enter function doSnortNetworkAddressesPlugin() ..."
    if [[ ! -x "$IPCALC" ]]; then
        doWarning "doSnortNetworkAddressesPlugin() "$IPCALC" executable does not exist or is improperly configured. Can not check the snort network addresses being protected"
        doDebug "Exit function doSnortNetworkAddressesPlugin() missing executable "$IPCALC". Can not check SNORT config: "$SNORT_CONF" ipvar HOME_NET variable"
        return "$FAILED"
    fi
    local serverNetworkAddresses=""
    local missingNetworkAddress="$FALSE"
    # Retrieve list of nics (legacy ifconfig output: "eth0  Link encap:Ethernet ...")
    local nics="$(ifconfig | grep -E "encap:Ethernet|encap:Point-to-Point" | cut -d' ' -f1)"
    for i in ${nics[@]}; do
        # Retrieve ip and netmask from the legacy ifconfig line
        # "inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0"
        local ip="$(ifconfig "$i" | sed -rn 's/.*inet addr:([^ ]+) .*/\1/p')"
        local netmask="$(ifconfig "$i" | sed -rn 's/.*Mask:([^ ]+).*/\1/p')"
        if doExist "$ip" && doExist "$netmask"; then
            # Convert ip to network ip and netmask to prefix; ipcalc -np prints NETWORK= and PREFIX= lines
            if ! eval "$("$IPCALC" -np "$ip" "$netmask")"; then
                doError "doSnortNetworkAddressesPlugin() Was not able to execute command: "$IPCALC" -np "$ip" "$netmask""
                doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$FAILED""
                return "$FAILED"
            fi
            doDebug "doSnortNetworkAddressesPlugin() Found Interface: "$i", IP Address: "$ip", Netmask: "$netmask", Network: "$NETWORK", Prefix: "$PREFIX""
            if [[ "$PREFIX" -eq 32 ]]; then
                serverNetworkAddresses="$serverNetworkAddresses","$NETWORK" # Prefix probably would work but not necessary
            else
                serverNetworkAddresses="$serverNetworkAddresses","$NETWORK"\\/"$PREFIX"
            fi
            if [[ $(grep "^ *ipvar HOME_NET.*$NETWORK" "$SNORT_CONF" | wc -l) -eq 0 ]]; then
                missingNetworkAddress="$TRUE"
                doWarning "doSnortNetworkAddressesPlugin() Found "$SNORT_CONF" Network Addresses ipvar HOME_NET variable:"
                doWarning ""$(grep "^ *ipvar HOME_NET " "$SNORT_CONF")"" # There is a character retrieved from the grep making my logging function fail.
                doWarning "doSnortNetworkAddressesPlugin() Was not able to find one of the following current network addresses: "$serverNetworkAddresses","$NETWORK"/"$PREFIX" in file: "$SNORT_CONF""
            fi
        else
            doDebug "doSnortNetworkAddressesPlugin() Found Interface: "$i" with no IP Address."
        fi
    done
    # No changes
    if ! "$missingNetworkAddress"; then
        doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$SUCCESS""
        return "$SUCCESS"
    fi
    # Substitute current addresses for new ones (escape / [ ] so the line can be used as a sed pattern)
    local snortNetworkAddresses="$(grep "^ *ipvar HOME_NET " "$SNORT_CONF")"
    local snortNetworkAddresses=${snortNetworkAddresses//\//\\\/}
    local snortNetworkAddresses=${snortNetworkAddresses//[/\\[}
    local snortNetworkAddresses=${snortNetworkAddresses//]/\\]}
    sed -i -r "s/$snortNetworkAddresses/ipvar HOME_NET \[${serverNetworkAddresses:1}\]/" "$SNORT_CONF"
    doWarning "doSnortNetworkAddressesPlugin() Replace "$SNORT_CONF" Network Addresses ipvar HOME_NET variable with: "${serverNetworkAddresses:1}""
    local stdErr="$(service snort restart 2>&1 > /dev/null)"
    if [[ "$?" -eq 0 ]]; then
        doNotice "doSnortNetworkAddressesPlugin() Snort Service Restarted..."
    else
        doError "Ouch ... failed to start Snort"
        if doExist "$stdErr"; then
            doDebug "doSnortNetworkAddressesPlugin() "$stdErr""
        fi
        doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$FAILED""
        return "$FAILED"
    fi
    doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$SUCCESS""
    return "$SUCCESS"
}
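The check the plug-in above performs with grep, as an added example that is not part of the original post or of ClearOS: parse the ipvar HOME_NET line, test whether each network the box should protect (LAN subnets plus the WAN address as a /32) is actually covered, and rewrite the line if not. Unlike a plain string match, it treats an address as covered when any listed subnet contains it. The snort.conf excerpt and the interface networks are constructed sample values.

```python
import ipaddress
import re

# Constructed excerpt of /etc/snort.conf for this example (not a real file).
SAMPLE_SNORT_CONF = """\
# Snort config excerpt (constructed for this example)
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/24]
ipvar EXTERNAL_NET !$HOME_NET
"""

# ClearOS writes the list as one bracketed, comma-separated token with no spaces.
HOME_NET_RE = re.compile(r'^[ \t]*ipvar\s+HOME_NET\s+(\S+)', re.M)


def parse_home_net(conf_text):
    """Return the networks listed in ipvar HOME_NET as ip_network objects."""
    m = HOME_NET_RE.search(conf_text)
    if not m:
        return []
    nets = []
    for item in m.group(1).strip('[]').split(','):
        item = item.strip()
        if not item or item == 'any':
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def missing_from_home_net(conf_text, protected):
    """protected: CIDR strings that should be covered (e.g. '203.0.113.7/32' for the WAN IP).
    Returns those that no HOME_NET entry contains, so a WAN /32 inside a listed subnet is fine."""
    home = parse_home_net(conf_text)
    missing = []
    for cidr in protected:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.subnet_of(h) for h in home if h.version == net.version):
            missing.append(str(net))
    return missing


def rewrite_home_net(conf_text, nets):
    """Return conf_text with the HOME_NET line replaced, in the same bracketed form.
    Appends a line if the file has none. Mirrors the sed substitution in the plug-in."""
    new_line = "ipvar HOME_NET [" + ",".join(nets) + "]"
    if HOME_NET_RE.search(conf_text):
        return HOME_NET_RE.sub(new_line, conf_text, count=1)
    return conf_text + new_line + "\n"


if __name__ == "__main__":
    wanted = ['192.168.1.0/24', '10.0.0.0/24', '203.0.113.7/32']  # constructed
    print("missing:", missing_from_home_net(SAMPLE_SNORT_CONF, wanted))
    print(rewrite_home_net(SAMPLE_SNORT_CONF, wanted))
```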
Accepted Answer
Hi Tim,
Clearsync is running and must have been at some time as my WAN IP was removed from HOME_NET. The failure seems to have occurred when my WAN failed to get an IP address during my upgrade. I've put more details in bug 1640 including the syswatch, system and messages logs. I tried to sanitize the logs in the bug but I posted everything from boot up to when I finally got a working public WAN IP. In the logs you can see a lot of clearsync transactions. I've tried but I can't follow the php code enough to find where snort.conf is updated as I can't really read php.
Nick
Accepted Answer
The clearsyncd service maintains consistency across services... and when a configuration change is made to the firewall or network, it calls a trigger script to amend the appropriate configuration files.
See the contents of /etc/clearsyncd.d/
It would seem snort autoconfigure eventually gets called from here:
/var/clearos/events/network_configuration/intrusion_detection
and the auto_configure() function here:
/usr/clearos/apps/intrusion_detection/libraries/Snort.php
Code looks like it should pull in your WAN IP (External role defined)... first question is, is the clearsyncd service running?