Hi
Running clearos community 6.3 + Intrusion Protection Updates
Problem:
Intrusion detected and blocked, but only for one second.
Same for all blocks/rules
Example
2012/08/21, 11:54:37, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2012/08/21, 11:54:37, 127.0.0.1, 2, snortsam, Blocking host 190.120.226.129 completely for 1 seconds (Sig_ID: 3000001).
2012/08/21, 11:54:37, -, 3, iptables, Info: Blocking ip 190.120.226.129
2012/08/21, 11:54:37, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:37, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:37, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:37, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 2, snortsam, Removing 1 sec complete block for host 190.120.226.129.
2012/08/21, 11:54:38, -, 1, iptables, Info: UnBlocking ip 190.120.226.129
2012/08/21, 11:54:38, -, 3, iptables, Info: Command /sbin/iptables -D FORWARD -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 3, iptables, Info: Command2 /sbin/iptables -D INPUT -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 3, iptables, Info: Command /sbin/iptables -D FORWARD -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 3, iptables, Info: Command2 /sbin/iptables -D INPUT -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2012/08/21, 12:02:23, 127.0.0.1, 2, snortsam, Blocking host 190.120.226.129 completely for 1 seconds (Sig_ID: 3000001).
2012/08/21, 12:02:23, -, 3, iptables, Info: Blocking ip 190.120.226.129
2012/08/21, 12:02:23, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:24, -, 2, snortsam, Removing 1 sec complete block for host 190.120.226.129.
Actual rule
alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 6, seconds 30; classtype:suspicious-login; sid:3000001; rev:5; fwsam: src, 1 day
Responses (3)
Accepted Answer
Now it works, after changing all rules from "...... fwsam: xxx, 1 day" to "....fwsam: xxx, 86400 sec".
I'm not a programmer, but maybe the trouble is in snortsam.c?
{
    case 'm': if(c2=='o')              /* for month... */
                  tdu*=(60*60*24*30);  /* ...use 30 days */
              else
                  tdu*=60;             /* minutes */
              /* no break here: falls through into case 's', which only breaks */
    case 's': break;                   /* seconds */
    case 'h': tdu*=(60*60);            /* hours */
              break;
    case 'd': tdu*=(60*60*24);         /* days */
              break;
    case 'w': tdu*=(60*60*24*7);       /* week */
              break;
    case 'y': tdu*=(60*60*24*365);     /* year */
              break;
I also got rid of some network errors (dropping connection) by changing to Intel's latest driver (e1000e v. 2.0.0.1).
The only error in my logfiles is now hundreds of these lines:
Sep 21 16:56:51 mysystem engine: error: PHP deprecated: /usr/clearos/apps/firewall/libraries/Firewall.php (422): Function eregi() is deprecated
Sep 21 16:56:51 mysystem engine: error: PHP deprecated: /usr/clearos/apps/firewall/libraries/Firewall.php (645): Function ereg() is deprecated
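The answer above rests on two things: how a duration such as "1 day" is turned into seconds by the unit switch quoted from snortsam.c, and the fact that the snortsam log records the duration it actually applied ("completely for 1 seconds"). The following is an added example, written here for this thread and not code from snortsam or ClearOS. It reimplements the unit table from the quoted switch in a standalone parser (duration_seconds), reads the applied duration back out of a snortsam log line (logged_block_seconds), and flags a block that ran shorter than the rule intended (block_too_short). The function names are my own, the "number then unit" input format is an assumption, and the sample log line is the one from the original post; it does not claim to reproduce how snortsam itself tokenises the fwsam option.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "<number> <unit>" into seconds using the unit table quoted from
 * snortsam.c (s, m/min, mo/month, h, d, w, y); a missing unit means seconds.
 * Returns -1 on malformed input. This is an assumed reimplementation,
 * not snortsam's own parser. */
long duration_seconds(const char *s)
{
    char *end;
    long n = strtol(s, &end, 10);
    if (end == s || n < 0)
        return -1;
    while (isspace((unsigned char)*end))
        end++;
    char c  = (char)tolower((unsigned char)end[0]);
    char c2 = c ? (char)tolower((unsigned char)end[1]) : '\0';
    long mult;
    switch (c) {
    case '\0':
    case 's':  mult = 1;                       break; /* seconds */
    case 'm':  mult = (c2 == 'o') ? 60L * 60 * 24 * 30  /* month = 30 days */
                                  : 60L;               /* minutes */
                                               break;
    case 'h':  mult = 60L * 60;                break; /* hours */
    case 'd':  mult = 60L * 60 * 24;           break; /* days */
    case 'w':  mult = 60L * 60 * 24 * 7;       break; /* week */
    case 'y':  mult = 60L * 60 * 24 * 365;     break; /* year */
    default:   return -1;                             /* unknown unit */
    }
    return n * mult;
}

/* Pull the applied duration out of a snortsam line of the form
 * "... Blocking host X completely for N seconds (Sig_ID: ...)".
 * Returns -1 for any other line (iptables lines, unblock lines, ...). */
long logged_block_seconds(const char *line)
{
    const char *p = strstr(line, "completely for ");
    if (!p)
        return -1;
    p += strlen("completely for ");
    char *end;
    long n = strtol(p, &end, 10);
    return (end == p) ? -1 : n;
}

/* 1 if the log line shows a block shorter than the rule's fwsam duration,
 * 0 otherwise (including lines that are not block messages). */
int block_too_short(const char *line, const char *rule_duration)
{
    long want = duration_seconds(rule_duration);
    long got  = logged_block_seconds(line);
    if (want < 0 || got < 0)
        return 0;
    return got < want;
}

int main(void)
{
    /* Sample input: the block line from the original post (constructed
     * here as a string literal), checked against both rule spellings. */
    static const char *line =
        "2012/08/21, 11:54:37, 127.0.0.1, 2, snortsam, Blocking host "
        "190.120.226.129 completely for 1 seconds (Sig_ID: 3000001).";

    printf("\"1 day\"     -> %ld s\n", duration_seconds("1 day"));
    printf("\"86400 sec\" -> %ld s\n", duration_seconds("86400 sec"));
    printf("logged block -> %ld s\n", logged_block_seconds(line));
    printf("shorter than rule? %s\n",
           block_too_short(line, "1 day") ? "yes" : "no");
    return 0;
}
```

Run over the real snortsam log (one line at a time through block_too_short with the rule's fwsam duration), any non-zero result points at exactly the symptom in this thread: the block was installed and then torn down long before the rule's duration elapsed, which is worth alerting on, since a one-second DROP gives effectively no protection against the repeated SSH attempts the rule is meant to stop.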