
Resolved
0 votes
Hi,

I was under the impression that ClearOS auto-configured /etc/snort.conf with the ipvar HOME_NET set to your WAN IP, LAN and EXTRALANS subnets.

I rebuilt my system last week and as I brought the system up it originally got a private IP from my cable modem/router. I switched the router to bridge mode and eventually it got another private IP on eth0 before it switched to a public IP, but I was wondering why I was no longer getting any snort alerts. I've just looked at my snort.conf and the WAN IP was not in the HOME_NET variable. I've gone through the logs and the time stamp on snort.conf is from when I got the message "eth0: link is not ready" after I switched the router to bridge mode. This means it did not auto-configure when it got the second private IP address or the public one. ClearOS had real difficulties with these changes anyway and I had to down and up the interface a couple of times during the process. At one time it had no IP. Perhaps this is when the WAN IP got removed.

Is there a bug here with the auto-configuration or does ClearOS no longer pull in the WAN IP onto HOME_NET?

TIA,

Nick
Saturday, March 29 2014, 08:21 PM
Responses (7)
  • Accepted Answer

    Tuesday, April 22 2014, 06:40 PM - #Permalink
    Resolved
    0 votes
    The fix links into the network-connected event so should run automatically any time the WAN IP changes. For me it is hardly ever. It only changed this time because ClearOS knocked out my MACADDR line from the ifcfg file which I put there when I changed NICs (actually motherboards). I am fairly happy to leave it hard coded in snort.conf but the fix should be pushed through. The change was committed and bug closed on 1st April so I would have liked to have seen it.

    BTW you can probably pick up your network configuration a lot easier if you include "functions-automagic" in your script. You can see an example of this in /etc/init.d/slapd. You can then just use $AUTOMAGIC_LANIPS and $AUTOMAGIC_EXTIPS.
  • Accepted Answer

    Tuesday, April 22 2014, 05:48 PM - #Permalink
    Resolved
    0 votes
    I agree the problem requires fixing at the source but decided to create a temporary fix for the problem. The following script: Re: Does the kernel support ipset? has a temporary solution for this problem. The plug-in: tie-ti1-snort-network-addresses included in the zip file will attempt to identify and fix this problem. Once the problem is fixed, it will also be a good solution to monitor the problem if it ever occurs again, as it also has email capabilities (another plug-in for the same script).

    Here is the plug-in code if you wish to retrofit it in your own script:

    # TIE: Update Snort network addresses plug-in function
    #
    # doSnortNetworkAddressesPlugin()
    # Temporary fix for problem identified by Nick see:
    # http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,8/func,view/id,60799/
    #
    # Relies on helpers from the surrounding TIE script: doDebug, doWarning, doError,
    # doNotice, doExist and the variables TRUE, FALSE, SUCCESS, FAILED and SNORT_CONF.
    SNORT_NETWORK_ADDRESSES_PLUGIN_VERSION=1.0 # Script version

    IPCALC=/bin/ipcalc
    DO_SNORT_NETWORK_ADDRESSES_PLUGIN_ENABLED="$TRUE"
    doSnortNetworkAddressesPlugin() {
        doDebug "Enter function doSnortNetworkAddressesPlugin() ..."

        if [[ ! -x "$IPCALC" ]]; then
            doWarning "doSnortNetworkAddressesPlugin() ${IPCALC} executable does not exist or is improperly configured. Can not check the snort network addresses being protected"
            doDebug "Exit function doSnortNetworkAddressesPlugin() missing executable ${IPCALC}. Can not check SNORT config: ${SNORT_CONF} ipvar HOME_NET variable"
            return "$FAILED"
        fi

        local serverNetworkAddresses=""
        local missingNetworkAddress="$FALSE"
        local nics i ip netmask
        # Retrieve list of NICs (Ethernet and point-to-point interfaces)
        nics="$(ifconfig | grep -E "encap:Ethernet|encap:Point-to-Point" | cut -d' ' -f1)"

        for i in $nics; do
            ip="$(ifconfig "$i" | sed -rn 's/.*r:([^ ]+) .*/\1/p')"     # Retrieve IP from ifconfig ("inet addr:")
            netmask="$(ifconfig "$i" | sed -rn 's/.*k:([^ ]+).*/\1/p')" # Retrieve netmask from ifconfig ("Mask:")

            if doExist "$ip" && doExist "$netmask"; then
                # ipcalc -np prints NETWORK=... and PREFIX=...; eval them into this shell
                if ! eval "$("$IPCALC" -np "$ip" "$netmask")"; then
                    doError "doSnortNetworkAddressesPlugin() Was not able to execute command: ${IPCALC} -np ${ip} ${netmask}"
                    doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: ${FAILED}"
                    return "$FAILED"
                fi
                doDebug "doSnortNetworkAddressesPlugin() Found Interface: ${i}, IP Address: ${ip}, Netmask: ${netmask}, Network: ${NETWORK}, Prefix: ${PREFIX}"

                if [[ "$PREFIX" -eq 32 ]]; then
                    # Host address (e.g. the WAN IP or a PPP link): a prefix probably would work but is not necessary
                    serverNetworkAddresses="${serverNetworkAddresses},${NETWORK}"
                else
                    # Escape the slash so it survives the sed replacement below
                    serverNetworkAddresses="${serverNetworkAddresses},${NETWORK}\\/${PREFIX}"
                fi

                # Is this network already listed in ipvar HOME_NET? (-F: dots in the address are literal)
                if ! grep "^ *ipvar HOME_NET" "$SNORT_CONF" | grep -qF -- "$NETWORK"; then
                    missingNetworkAddress="$TRUE"
                    doWarning "doSnortNetworkAddressesPlugin() Found ${SNORT_CONF} Network Addresses ipvar HOME_NET variable:"
                    doWarning "$(grep "^ *ipvar HOME_NET " "$SNORT_CONF")" # There is a character retrieved from the grep making my logging function fail.
                    doWarning "doSnortNetworkAddressesPlugin() Was not able to find one of the following current network addresses: ${serverNetworkAddresses},${NETWORK}/${PREFIX} in file: ${SNORT_CONF}"
                fi
            else
                doDebug "doSnortNetworkAddressesPlugin() Found Interface: ${i} with no IP Address."
            fi
        done

        # No changes
        if ! "$missingNetworkAddress"; then
            doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: ${SUCCESS}"
            return "$SUCCESS"
        fi

        # Substitute current addresses for new ones: escape the old line for use as a sed pattern
        local snortNetworkAddresses
        snortNetworkAddresses="$(grep "^ *ipvar HOME_NET " "$SNORT_CONF")"
        snortNetworkAddresses=${snortNetworkAddresses//\//\\\/}
        snortNetworkAddresses=${snortNetworkAddresses//[/\\[}
        snortNetworkAddresses=${snortNetworkAddresses//]/\\]}
        sed -i -r "s/$snortNetworkAddresses/ipvar HOME_NET \[${serverNetworkAddresses:1}\]/" "$SNORT_CONF"
        doWarning "doSnortNetworkAddressesPlugin() Replace ${SNORT_CONF} Network Addresses ipvar HOME_NET variable with: ${serverNetworkAddresses:1}"

        # Declare first, then assign: 'local x="$(cmd)"' would hide cmd's exit status behind local's
        local stdErr
        stdErr="$(service snort restart 2>&1 > /dev/null)"
        if [[ "$?" -eq 0 ]]; then
            doNotice "doSnortNetworkAddressesPlugin() Snort Service Restarted..."
        else
            doError "Ouch ... failed to start Snort"
            if doExist "$stdErr"; then
                doDebug "doSnortNetworkAddressesPlugin() ${stdErr}"
            fi
            doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: ${FAILED}"
            return "$FAILED"
        fi

        doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: ${SUCCESS}"
        return "$SUCCESS"
    }
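An added, self-contained check (not the plug-in above and not ClearOS code) that performs the same comparison without ipcalc or the TIE helpers: it parses the ipvar HOME_NET line, derives network/prefix from each interface's IP and netmask the way ipcalc -np does, reports any network not covered by HOME_NET (such as the /32 WAN address this thread is about) and builds the corrected line. The snort.conf text and the interface table are constructed samples.

```python
import ipaddress
import re

# Constructed sample: a HOME_NET line that has lost the WAN address,
# which is the failure described in this thread (not a real ClearOS file).
SAMPLE_SNORT_CONF = """\
# snort.conf (constructed sample)
ipvar HOME_NET [192.168.1.0/24,10.10.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
"""

# Constructed interface table (name, ip, netmask), the values the plug-in
# scrapes from ifconfig; eth0 is the WAN link with a /32 host mask.
SAMPLE_INTERFACES = [
    ("eth0", "203.0.113.7", "255.255.255.255"),
    ("eth1", "192.168.1.1", "255.255.255.0"),
    ("eth2", "10.10.3.1", "255.255.0.0"),
]

HOME_NET_RE = re.compile(r"^\s*ipvar\s+HOME_NET\s+(\S+)", re.MULTILINE)

def parse_home_net(conf_text):
    """Return the set of networks listed in ipvar HOME_NET; raise if the line is absent."""
    m = HOME_NET_RE.search(conf_text)
    if not m:
        raise ValueError("no ipvar HOME_NET line in snort.conf")
    raw = m.group(1).strip("[]")
    return {ipaddress.ip_network(x.strip(), strict=False) for x in raw.split(",") if x.strip()}

def interface_networks(interfaces):
    """Equivalent of 'ipcalc -np': ip + dotted netmask -> network/prefix (a /32 stays a host)."""
    return {ipaddress.ip_network(f"{ip}/{mask}", strict=False) for _, ip, mask in interfaces}

def missing_networks(conf_text, interfaces):
    """Networks present on the box that no HOME_NET entry covers (exact or enclosing)."""
    home = parse_home_net(conf_text)
    return sorted(n for n in interface_networks(interfaces)
                  if not any(n.subnet_of(h) for h in home if n.version == h.version))

def rebuild_home_net_line(conf_text, interfaces):
    """Corrected 'ipvar HOME_NET [...]' line: old entries plus every current network."""
    nets = parse_home_net(conf_text) | interface_networks(interfaces)
    rendered = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in sorted(nets)]
    return "ipvar HOME_NET [" + ",".join(rendered) + "]"

if __name__ == "__main__":
    for n in missing_networks(SAMPLE_SNORT_CONF, SAMPLE_INTERFACES):
        print("missing from HOME_NET:", n)
    print(rebuild_home_net_line(SAMPLE_SNORT_CONF, SAMPLE_INTERFACES))
```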
  • Accepted Answer

    Tuesday, April 22 2014, 11:49 AM - #Permalink
    Resolved
    0 votes
    @Pete Baldwin,

    Rather than spam the bug, do you know when the fix is going to be released? It was fixed three weeks ago in git-hub but has not yet been pushed into testing. (I rebooted yesterday got eventually a new IP and it obviously went wrong again)
  • Accepted Answer

    Monday, March 31 2014, 05:05 PM - #Permalink
    Resolved
    0 votes
    Hi Tim,
    Clearsync is running and must have been at some time as my WAN IP was removed from HOME_NET. The failure seems to have occurred when my WAN failed to get an IP address during my upgrade. I've put more details in bug 1640 including the syswatch, system and messages logs. I tried to sanitize the logs in the bug but I posted everything from boot up to when I finally got a working public WAN IP. In the logs you can see a lot of clearsync transactions. I've tried but I can't follow the php code enough to find where snort.conf is updated as I can't really read php.
    Nick
  • Accepted Answer

    Monday, March 31 2014, 04:54 PM - #Permalink
    Resolved
    0 votes
    The clearsyncd service maintains consistency across services...and when a configuration change is made to the firewall or network, it calls a trigger script to amend the appropriate configuration files.

    See the contents of /etc/clearsyncd.d/

    It would seem snort autoconfigure eventually gets called from here
    /var/clearos/events/network_configuration/intrusion_detection

    and the auto_configure() function here
    /usr/clearos/apps/intrusion_detection/libraries/Snort.php

    Code looks like it should pull in your WAN IP (External role defined)...first question is the clearsyncd service running?
  • Accepted Answer

    Monday, March 31 2014, 02:59 AM - #Permalink
    Resolved
    0 votes
    Good catch Nick, found the same problem with the WAN IP address not being promoted in the configuration file.
  • Accepted Answer

    Sunday, March 30 2014, 08:04 PM - #Permalink
    Resolved
    0 votes
    Searching over bug history, the WAN IP should definitely be added so I've filed a bug.