
Resolved
0 votes
Hi

Running ClearOS Community 6.3 + Intrusion Protection Updates

Problem:
Intrusion detected and blocked, but only for one second.
Same for all blocks/rules.

Example:
2012/08/21, 11:54:37, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2012/08/21, 11:54:37, 127.0.0.1, 2, snortsam, Blocking host 190.120.226.129 completely for 1 seconds (Sig_ID: 3000001).
2012/08/21, 11:54:37, -, 3, iptables, Info: Blocking ip 190.120.226.129
2012/08/21, 11:54:37, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:37, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:37, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:37, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 2, snortsam, Removing 1 sec complete block for host 190.120.226.129.
2012/08/21, 11:54:38, -, 1, iptables, Info: UnBlocking ip 190.120.226.129
2012/08/21, 11:54:38, -, 3, iptables, Info: Command /sbin/iptables -D FORWARD -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 3, iptables, Info: Command2 /sbin/iptables -D INPUT -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 3, iptables, Info: Command /sbin/iptables -D FORWARD -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 11:54:38, -, 3, iptables, Info: Command2 /sbin/iptables -D INPUT -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2012/08/21, 12:02:23, 127.0.0.1, 2, snortsam, Blocking host 190.120.226.129 completely for 1 seconds (Sig_ID: 3000001).
2012/08/21, 12:02:23, -, 3, iptables, Info: Blocking ip 190.120.226.129
2012/08/21, 12:02:23, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -s 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, -, 3, iptables, Info: Command /sbin/iptables -I FORWARD -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:23, -, 3, iptables, Info: Command2 /sbin/iptables -I INPUT -i eth0 -d 190.120.226.129 -j DROP Executed Successfully
2012/08/21, 12:02:24, -, 2, snortsam, Removing 1 sec complete block for host 190.120.226.129.


Actual rule:


alert tcp any any -> any 22 ( msg:"SSH potential brute force attack"; flow:to_server; flags:S; threshold:type threshold, track by_src, count 6, seconds 30; classtype:suspicious-login; sid:3000001; rev:5; fwsam: src, 1 day;)
Tuesday, August 21 2012, 12:03 PM
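As an added example (my own code, not part of the original post and not SnortSam's), the following C program pairs each "Blocking host" line with the "Removing ... block for host" line that follows it and computes how long the block actually stayed in iptables, so a mismatch like the one above (the rule says 1 day, the log says 1 second) is caught by a script rather than by eye. The log lines embedded in it are constructed to match the column layout shown in the post; the second pair shows what a working 86400-second block would look like. The host, rule duration and line format are taken from the post; the "Removing 86400 sec" line is constructed by analogy with the 1-second one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample in the column layout shown in the post (not copied
 * from a real system): the first pair is the 1-second block the poster saw,
 * the second pair is what a working 86400-second block would look like. */
static const char *SAMPLE_LOG[] = {
    "2012/08/21, 11:54:37, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.",
    "2012/08/21, 11:54:37, 127.0.0.1, 2, snortsam, Blocking host 190.120.226.129 completely for 1 seconds (Sig_ID: 3000001).",
    "2012/08/21, 11:54:37, -, 3, iptables, Info: Blocking ip 190.120.226.129",
    "2012/08/21, 11:54:38, -, 2, snortsam, Removing 1 sec complete block for host 190.120.226.129.",
    "2012/08/21, 12:02:23, 127.0.0.1, 2, snortsam, Blocking host 190.120.226.129 completely for 86400 seconds (Sig_ID: 3000001).",
    "2012/08/22, 12:02:23, -, 2, snortsam, Removing 86400 sec complete block for host 190.120.226.129.",
};
#define SAMPLE_LOG_LEN ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* What the rule in the post asks for: "fwsam: src, 1 day". */
static const long RULE_SECONDS = 86400;

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil), so timestamps can be compared without the local time
 * zone or DST getting in the way. */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400;
    long yoe = y - era * 400;
    long doy = (153L * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse the leading "YYYY/MM/DD, HH:MM:SS" of a snortsam log line into
 * seconds since the epoch; -1 if the line does not start with a timestamp. */
static long log_time(const char *line)
{
    int y, mo, d, h, mi, s;
    if (sscanf(line, "%d/%d/%d, %d:%d:%d", &y, &mo, &d, &h, &mi, &s) != 6)
        return -1;
    return days_from_civil(y, mo, d) * 86400L + h * 3600L + mi * 60L + s;
}

/* Starting at lines[start], find the next "Blocking host <host> ..." line
 * and the "Removing ... block for host <host>." that follows it.  On
 * success stores the seconds the rule asked for and the seconds the block
 * actually stayed in place, and returns the index just past the pair;
 * returns -1 if no complete pair is found. */
static int find_block_pair(const char **lines, int n, int start,
                           const char *host, long *requested, long *observed)
{
    char blk[128], unblk[128];
    long t_block = -1;
    int i;

    snprintf(blk, sizeof blk, "Blocking host %s completely for ", host);
    snprintf(unblk, sizeof unblk, "block for host %s.", host);

    for (i = start; i < n; i++) {
        const char *p;
        if (t_block < 0) {
            if ((p = strstr(lines[i], blk)) != NULL) {
                *requested = strtol(p + strlen(blk), NULL, 10);
                t_block = log_time(lines[i]);
            }
        } else if (strstr(lines[i], "Removing ") && strstr(lines[i], unblk)) {
            *observed = log_time(lines[i]) - t_block;
            return i + 1;
        }
    }
    return -1;
}

int main(void)
{
    const char *host = "190.120.226.129";
    long req, obs;
    int next = 0;

    while ((next = find_block_pair(SAMPLE_LOG, SAMPLE_LOG_LEN, next, host, &req, &obs)) > 0)
        printf("%s: requested %ld s, held %ld s%s%s\n", host, req, obs,
               obs != req ? "  <-- held shorter than requested" : "",
               req != RULE_SECONDS ? "  <-- rule intends 86400 s" : "");
    return 0;
}
```

Run against a real /var/log/snortsam-style file by reading lines into an array; the pairing only needs the timestamp prefix and the two message texts, so extra iptables lines between them are ignored.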
Responses (3)
  • Accepted Answer

    Saturday, September 22 2012, 01:34 AM - #Permalink
    Resolved
    0 votes
Now it works, after changing all rules from "...... fwsam: xxx, 1 day;)" to "....fwsam: xxx, 86400 sec;)".

I'm not a programmer, but maybe the trouble is in snortsam.c?

    {   case 'm':   if(c2=='o')                 /* for month... */
                        tdu*=(60*60*24*30);     /* ...use 30 days */
                    else
                        tdu*=60;                /* minutes */
        case 's':   break;                      /* seconds */
        case 'h':   tdu*=(60*60);               /* hours */
                    break;
        case 'd':   tdu*=(60*60*24);            /* days */
                    break;
        case 'w':   tdu*=(60*60*24*7);          /* week */
                    break;
        case 'y':   tdu*=(60*60*24*365);        /* year */
                    break;


    I also got rid of some network errors (dropped connections) by changing to Intel's latest driver (e1000e v. 2.0.0.1).


    The only error in my log files is now hundreds of these lines:

    Sep 21 16:56:51 mysystem engine: error: PHP deprecated: /usr/clearos/apps/firewall/libraries/Firewall.php (422): Function eregi() is deprecated
    Sep 21 16:56:51 mysystem engine: error: PHP deprecated: /usr/clearos/apps/firewall/libraries/Firewall.php (645): Function ereg() is deprecated
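As an added example (my own code, not SnortSam's and not the poster's), here is a small duration parser that accepts the "<number> <unit>" syntax of the fwsam option and returns seconds. Its unit letters and multipliers follow the snortsam.c switch quoted above ('mo' = 30 days, 'm' = minutes, 's', 'h', 'd', 'w', 'y'); how it splits the number from the unit word, that a bare number means seconds, that several terms such as "1 day 12 hours" are added together, and that an unknown unit clears *ok are this example's own assumptions, not documented SnortSam behaviour. It is a way to check what a given string should evaluate to ("1 day" and "86400 sec" must both give 86400) when comparing against what the log reports.

```c
#include <ctype.h>
#include <stdlib.h>

/* Parse an fwsam-style duration such as "1 day", "86400 sec", "30 min" or
 * "2 mo" into seconds.  Unit letters and multipliers mirror the snortsam.c
 * switch quoted in the reply above; the surrounding parsing (whitespace,
 * several terms added together, bare number = seconds, *ok cleared on an
 * unknown unit or empty input) is this example's assumption. */
unsigned long duration_seconds(const char *s, int *ok)
{
    unsigned long total = 0;
    int terms = 0;

    *ok = 0;
    if (s == NULL)
        return 0;

    while (*s) {
        char *end;
        unsigned long n, mult;
        int c1, c2;

        while (*s && isspace((unsigned char)*s))
            s++;
        if (*s == '\0')
            break;
        if (!isdigit((unsigned char)*s))          /* every term starts with a number */
            return 0;
        n = strtoul(s, &end, 10);
        s = end;
        while (*s && isspace((unsigned char)*s))
            s++;

        c1 = tolower((unsigned char)*s);
        c2 = c1 ? tolower((unsigned char)s[1]) : 0;
        switch (c1) {
        case '\0':                                   /* bare number: seconds */
        case 's':  mult = 1UL;                  break; /* seconds */
        case 'm':  mult = (c2 == 'o')
                        ? 60UL * 60 * 24 * 30        /* month: 30 days */
                        : 60UL;                      /* minutes */
                   break;
        case 'h':  mult = 60UL * 60;            break; /* hours */
        case 'd':  mult = 60UL * 60 * 24;       break; /* days */
        case 'w':  mult = 60UL * 60 * 24 * 7;   break; /* weeks */
        case 'y':  mult = 60UL * 60 * 24 * 365; break; /* years */
        default:   return 0;                           /* unknown unit */
        }
        total += n * mult;
        terms++;

        while (*s && isalpha((unsigned char)*s))  /* skip the rest of the unit word */
            s++;
    }

    if (terms == 0)
        return 0;
    *ok = 1;
    return total;
}
```

A "1 day" that comes back as anything other than 86400 from the parser actually in use is exactly the kind of discrepancy the log in the original post shows, so this is the first thing to compare when a block expires early.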
  • Accepted Answer

    Wednesday, August 22 2012, 10:13 PM - #Permalink
    Resolved
    0 votes
    I don't know.


    ClearOS web interface reports:

    Date Aug 22 2012
    Time 23:55:52 CEST
    Time Zone Europe/Oslo



    Terminal:

    Wed 22 Aug 2012 11:55:52 PM CEST
  • Accepted Answer

    Wednesday, August 22 2012, 08:58 PM - #Permalink
    Resolved
    0 votes
    That's weird. I wonder if it's a clock issue? Grasping at straws.