Hey guys
After setting up some snort rules and stuff, I noticed that Snortsam is not removing the blocks correctly.
With the name change from eth0 to eno1, it's not removing iptables correctly.
2016/05/04, 22:17:19, -, 1, iptables, Info: UnBlocking ip 112.169.100.157
2016/05/04, 22:17:19, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -s 112.169.100.157 -j DROP Failed
2016/05/04, 22:17:19, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 112.169.100.157 -j DROP Failed
Does this have anything to do with it not removing?
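The log lines above show the unblock command still naming eth0 after the interface was renamed, so the `-D` (delete) rule never matches what was inserted and the DROP stays in place. The following shell script is an added example, not code from the thread or from the Snortsam project: it parses Snortsam log lines for failed `iptables -D` commands, pulls out the adapter name each one used, compares it with the adapter on the `iptables <adapter>` line of the configuration, and counts DROP rules still bound to a given adapter in `iptables -S INPUT` output. The log lines, config fragment and rule listing below are constructed samples modelled on the ones in this thread; the path `/etc/snortsam.conf` in the comments is an assumption.

```shell
#!/bin/sh
# Added example (not part of the thread or of Snortsam itself).
# Goal: detect the failure mode shown in the post, where blocks were added under
# one adapter name (eth0) and Snortsam later tries to remove them under another,
# so the DROP rules linger after the block should have expired.

# Constructed sample log lines, modelled on the ones posted in the thread.
SAMPLE_LOG='2016/05/04, 22:17:19, -, 1, iptables, Info: UnBlocking ip 112.169.100.157
2016/05/04, 22:17:19, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -s 112.169.100.157 -j DROP Failed
2016/05/04, 22:17:19, -, 1, iptables, Error: Command2 /sbin/iptables -D INPUT -i eth0 -d 112.169.100.157 -j DROP Failed'

# Constructed snortsam.conf fragment (assumed to live at /etc/snortsam.conf).
SAMPLE_CONF='# IP Tables plug-in:
iptables eno1 syslog.info
loglevel 2'

# Constructed `iptables -S INPUT` output: two stale DROP rules on eth0.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i eth0 -s 112.169.100.157/32 -j DROP
-A INPUT -i eth0 -d 112.169.100.157/32 -j DROP
-A INPUT -i eno1 -s 10.0.0.5/32 -j ACCEPT'

# Print the unique adapter names used by failed "iptables -D INPUT" commands.
failed_unblock_ifaces() {
    printf '%s\n' "$1" \
      | grep 'Error: Command' \
      | grep -- '-D INPUT' \
      | sed -n 's/.* -i \([^ ]*\) .*/\1/p' \
      | sort -u
}

# Print the adapter named on the first "iptables <adapter> ..." config line.
configured_iface() {
    printf '%s\n' "$1" | awk '$1 == "iptables" { print $2; exit }'
}

# Return 0 when every adapter seen in failed unblocks matches the configured
# adapter, 1 when a stale name is in play. Arguments: log text, config text.
check_iface_consistency() {
    conf_if=$(configured_iface "$2")
    status=0
    for bad_if in $(failed_unblock_ifaces "$1"); do
        if [ "$bad_if" != "$conf_if" ]; then
            echo "unblock used adapter '$bad_if' but config names '$conf_if'" >&2
            status=1
        fi
    done
    return $status
}

# Count DROP rules bound to adapter $2 in `iptables -S INPUT` output $1.
# grep -c exits 1 on zero matches, so "|| true" keeps the count printable.
lingering_drop_rules() {
    printf '%s\n' "$1" | grep -c -- "-A INPUT -i $2 .* -j DROP" || true
}

# Stand-alone run over the constructed samples, then a host check that the
# configured adapter actually exists (it will not, off the sensor).
if check_iface_consistency "$SAMPLE_LOG" "$SAMPLE_CONF"; then
    echo "adapter names are consistent"
else
    echo "stale adapter name detected; expired blocks are not being removed"
fi
echo "DROP rules still bound to eth0: $(lingering_drop_rules "$SAMPLE_RULES" eth0)"
conf_if=$(configured_iface "$SAMPLE_CONF")
if [ -d "/sys/class/net/$conf_if" ]; then
    echo "configured adapter $conf_if exists on this host"
else
    echo "configured adapter $conf_if is not present on this host"
fi
```

On the sensor itself the same functions can be fed live data, for example `check_iface_consistency "$(cat /var/log/snortsam)" "$(cat /etc/snortsam.conf)"` and `lingering_drop_rules "$(iptables -S INPUT)" eth0`; a non-zero count for the old adapter name means blocks that Snortsam believes are lifted are still in force, and those rules have to be removed under the name they were added with.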
Accepted Answer
I'm sure I replied to this a couple of days ago. My /etc/snortsam looks like:
### DO NOT EDIT THIS FILE ###
# This file is managed by webconfig.
# It may also be overwritten by a future upgrade.
# Add custom configuration options to /etc/snortsam-user.conf instead.
# IP and password of your Snort sensor.
accept 127.0.0.1
bindip 127.0.0.1
# IP Tables plug-in:
# You have to specify the adapter to block on (for example, eth0) and you can
# optionally add a logging option.
iptables enp0s3 syslog.info
# Logging:
# Log level (0 = none/1 = sparse/2 = normal/3 = verbose):
loglevel 2
# Log file location (no logging occurs if this is not specified).
logfile /var/log/snortsam
# Daemonize
daemon
# Roll-back configuration:
# The "rollbackthreshold" command accepts two numbers separated by a '/'.
# The first is the number of blocking requests and the second number
# represents the number of seconds. So for example, if you set the first
# number to 10 and the second to 30, then the threshold will be crossed if
# your machine receives more than 10 blocked requests within 30 seconds.
rollbackthreshold 10/30
# This is the number of hosts (unique blocked IPs) to rollback if the above
# threshold is reached or surpassed.
rollbackhosts 20
# White list:
# Add a "dontblock" command for each hostname/IP (or network) address that
# should *never* be blocked.
# Don't block reserved private IP blocks:
dontblock 10.0.0.0/8
dontblock 172.16.0.0/12
dontblock 192.168.0.0/16
# User extra configuration / white list:
include /etc/snortsam.d/whitelist.conf
# Webconfig, DNS and ClearCenter system monitoring service
include /etc/snortsam.d/dns-whitelist.conf
include /etc/snortsam.d/clearcenter-whitelist.conf
include /etc/snortsam.d/webconfig-whitelist.conf
include /etc/snortsam.d/system-autowhitelist.conf
So I suspect yours has not initialised correctly. I am not sure, however, how it is initialised.
I am wondering if you have installed a funny version of snort:
yum list snort*
You could try running the script:
/usr/clearos/apps/intrusion_prevention/deploy/install
This should rewrite your snortsam conf, and perhaps starting the app will initialise the interface correctly.
I've looked in the .conf, couldn't find anything of use :/
edit:
# iptables <adapter> <logoption>
#
# This plugin will call the iptables executable in order to block the host by
# adding a rule to the active rule set. You have to specify the adapter to
# block on (for example, eth0) and you can optionally add a log option.
#
# Example: iptables eth0 syslog.info
Could this be it?