I noticed on one of my COS 6.4 systems that snort rules were being triggered but the IPs were never blocked, so I investigated snortsam. I'm getting output like so:
Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
Parsing config file /etc/snortsam.d/system-autowhitelist.conf...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Error: Could not bind socket.
I tried several different systems, put them through the paces and got the same results. So I did some forum searches and found I'm not the only one with the problem, but most of the threads were with 6.2 - 6.4.
In snortsam.conf, commenting out
#include /etc/snortsam.d/clearcenter-whitelist.conf
#include /etc/snortsam.d/webconfig-whitelist.conf
Still returns:
Found. Reading state file.
Error: Could not bind socket.
All my COS 6 systems are on 6.4, so all bugfixes should be in. Is there a solution that I've missed?
I've gotten mixed reads on it with the reduced rulesets and Peter mentioning that a free IDS might be worse than none. In any case, I'm not proud of myself that I didn't catch this till now. :blush:
To the COS team, is there an official word on intrusion detection in COS 6.4?