Resolved
I noticed on one of my COS 6.4 systems that snort rules were being triggered but the IPs were never blocked, so I investigated snortsam. I'm getting output like so:


Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
Parsing config file /etc/snortsam.d/system-autowhitelist.conf...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Error: Could not bind socket.


I tried several different systems, put them through the paces and got the same results. So I did some forum searches and found I'm not the only one with the problem, but most of the threads were with 6.2 - 6.4.

In snortsam.conf, commenting out
#include /etc/snortsam.d/clearcenter-whitelist.conf
#include /etc/snortsam.d/webconfig-whitelist.conf

Still returns:
Found. Reading state file.
Error: Could not bind socket.


All my COS 6 systems are on 6.4, so all bugfixes should be in. Is there a solution that I've missed?

I've gotten mixed reads on it with the reduced rulesets and Peter mentioning that a free IDS might be worse than none. In any case, I'm not proud of myself that I didn't catch this till now. :blush:

To the COS team, is there an official word on intrusion detection in COS 6.4?
Friday, May 17 2013, 11:57 PM