t1ck3ts
Hey guys

After setting up some snort rules and stuff, I noticed that Snortsam is not removing the blocks correctly.
With the name change from eth0 to eno1, it's not removing the iptables rules correctly.

2016/05/04, 22:17:19, -, 1, iptables, Info: UnBlocking ip 112.169.100.157
2016/05/04, 22:17:19, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -s 112.169.100.157 -j DROP Failed
2016/05/04, 22:17:19, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 112.169.100.157 -j DROP Failed
Does this have anything to do with it not removing?
Wednesday, May 04 2016, 08:00 PM

Accepted Answer

Friday, May 06 2016, 01:14 PM
I'm sure I replied to this a couple of days ago. My /etc/snortsam looks like:
### DO NOT EDIT THIS FILE ###
# This file is managed by webconfig.
# It may also be overwritten by a future upgrade.
# Add custom configuration options to /etc/snortsam-user.conf instead.

# IP and password of your Snort sensor.
accept 127.0.0.1
bindip 127.0.0.1

# IP Tables plug-in:
# You have to specify the adapter to block on (for example, eth0) and you can
# optionally add a logging option.
iptables enp0s3 syslog.info

# Logging:
# Log level (0 = none/1 = sparse/2 = normal/3 = verbose):
loglevel 2

# Log file location (no logging occurs if this is not specified).
logfile /var/log/snortsam

# Daemonize
daemon

# Roll-back configuration:
# The "rollbackthreshold" command accepts two numbers separated by a '/'.
# The first is the number of blocking requests and the second number
# represents the number of seconds. So for example, if you set the first
# number to 10 and the second to 30, then the threshold will be crossed if
# your machine receives more than 10 blocked requests within 30 seconds.
rollbackthreshold 10/30

# This is the number of hosts (unique blocked IPs) to rollback if the above
# threshold is reached or surpassed.
rollbackhosts 20

# White list:
# Add a "dontblock" command for each hostname/IP (or network) address that
# should *never* be blocked.

# Don't block reserved private IP blocks:
dontblock 10.0.0.0/8
dontblock 172.16.0.0/12
dontblock 192.168.0.0/16

# User extra configuration / white list:
include /etc/snortsam.d/whitelist.conf

# Webconfig, DNS and ClearCenter system monitoring service
include /etc/snortsam.d/dns-whitelist.conf
include /etc/snortsam.d/clearcenter-whitelist.conf
include /etc/snortsam.d/webconfig-whitelist.conf
include /etc/snortsam.d/system-autowhitelist.conf
So I suspect yours has not initialised correctly. I am not sure, however, how it is initialised.

I am wondering if you have installed a funny version of snort:
yum list snort*
You could try running the script:
/usr/clearos/apps/intrusion_prevention/deploy/install
This should rewrite your snortsam conf, and perhaps starting the app will initialise the interface correctly.
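The accepted answer comes down to one setting: the adapter named on snortsam's `iptables <adapter> <logoption>` line has to be a real interface on the host, otherwise the rules snortsam adds and later tries to delete reference an interface name that matches no traffic. The script below is an added example (not from the thread or from ClearOS) that cross-checks that adapter against the host's interface list and flags INPUT DROP rules bound to an interface that does not exist; the config, `ip -o link` and `iptables -S INPUT` samples are constructed so it runs offline.

```shell
#!/bin/sh
# Constructed sample inputs; on a real host substitute the output of
#   cat /etc/snortsam.conf   ip -o link   iptables -S INPUT
SAMPLE_CONF='accept 127.0.0.1
iptables eth0 syslog.info
loglevel 2'
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500'
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -s 112.169.100.157/32 -i eth0 -j DROP
-A INPUT -d 112.169.100.157/32 -i eth0 -j DROP
-A INPUT -s 10.0.0.5/32 -i eno1 -j DROP'

# Adapter named on the first "iptables" line of a snortsam config.
snortsam_adapter() {
    printf '%s\n' "$1" | awk '$1 == "iptables" { print $2; exit }'
}

# Interface names from "ip -o link" output, one per line ("eth0@if5" -> "eth0").
interface_names() {
    printf '%s\n' "$1" | awk -F': ' '{ sub(/@.*/, "", $2); print $2 }'
}

# Succeeds when adapter $1 appears in the interface output $2.
adapter_present() {
    interface_names "$2" | grep -qx -- "$1"
}

# INPUT DROP rules from "iptables -S INPUT" whose -i interface is not present.
# Such a rule never matches a packet, so the "block" it represents is ineffective.
stale_drop_rules() {
    printf '%s\n' "$1" | awk -v links="$(interface_names "$2" | tr '\n' ' ')" '
        BEGIN { n = split(links, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        $1 == "-A" && $0 ~ /-j DROP/ {
            for (i = 1; i < NF; i++) if ($i == "-i" && !($(i+1) in have)) { print; break }
        }'
}

main() {
    adapter=$(snortsam_adapter "$SAMPLE_CONF")
    if adapter_present "$adapter" "$SAMPLE_LINKS"; then
        echo "snortsam adapter '$adapter' exists on this host"
    else
        echo "snortsam adapter '$adapter' not found; host interfaces: $(interface_names "$SAMPLE_LINKS" | tr '\n' ' ')"
    fi
    echo "DROP rules bound to a missing interface:"
    stale_drop_rules "$SAMPLE_RULES" "$SAMPLE_LINKS"
}
main
```

With the sample data it reports that `eth0` is not present and lists the two DROP rules for 112.169.100.157, which is the state the original poster's log describes.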
Responses (3)
  • t1ck3ts
    Friday, May 06 2016, 01:30 PM
    Thanks Nick

    I looked into a clean snortsam.conf and just edited what I needed to out of that.

    Thanks again :)
  • t1ck3ts
    Wednesday, May 04 2016, 09:22 PM
    I've looked in the .conf, couldn't find anything of use :/

    edit:

    # iptables <adapter> <logoption>
    #
    # This plugin will call the iptables executable in order to block the host by
    # adding a rule to the active rule set. You have to specify the adapter to
    # block on (for example, eth0) and you can optionally add a log option.
    #
    # Example: iptables eth0 syslog.info
    Could this be it?
  • Wednesday, May 04 2016, 08:50 PM
    Yes it does, but I have not got as far as ClearOS 7.x so I'm not sure how to fix it without a lot of digging. On 6.x it looks like a parameter in /etc/snortsam.conf so I'd expect 7.x to be the same. Really I would have expected ClearOS to look after it.