Richard
I'm still a beginner on all non-Windows computing so please be gentle :)

I have been running my ClearOS gateway for a few weeks now, primarily to protect my kids from the bad stuff on the Internet using DansGuardian and I'm really happy with it but have run into a problem.

I installed the Intrusion Detection add-in and it seems to be causing a problem with http://www.codecademy.com - my son wants to learn Python for his Raspberry Pi and he is trying to use CodeCademy but Snort seems to see it as an attack and stops it loading.

The 'secure' log contains entries like this:

Mar 24 09:14:36 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:32860 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:32861 -> 173.194.34.163:80
Mar 24 09:14:38 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:36886 -> 184.72.245.30:80


The port numbers used seem to differ each time so I can't just open those ports.

I've tried searching for ways to configure snort to allow this but can't find anything I can understand so I am considering uninstalling the Intrusion Detection but I can't even find how to do that! Do I need to re-install the entire ClearOS, or can someone help, please?

Thanks.

Richard
Sunday, March 24 2013, 09:18 AM
Responses (5)
  • Accepted Answer

    Richard
    Sunday, March 24 2013, 07:02 PM - #Permalink
    Nick, again, thanks for your help. I may even get my head around this system at this rate!

    I'll wait 24 hours and see if it works - if not I'll keep trying to find the solution and post back if I do.

    Richard
  • Accepted Answer

    Sunday, March 24 2013, 12:44 PM - #Permalink
    I forgot about that. Yes there is something, I think in the syswatch daemon, which does that. The problem was that if you lost your WAN interface then snort would fail and not restart when the WAN came up. Now it is automatically restarted if it is installed.

    You can remove it with something like:
    rpm -e snort snort-gpl-rules app-intrusion-detection-core app-intrusion-detection --nodeps
    To remove the intrusion prevention do something like:
    rpm -e app-intrusion-prevention app-intrusion-prevention-core --nodeps


    Note that it could take a day for the block which snortsam added to be removed. It can be manually removed but I can't offhand remember the proper way. I could do it by hacking some firewall rules.
  • Accepted Answer

    Richard
    Sunday, March 24 2013, 10:04 AM - #Permalink
    I don't think this is the problem, but something is restarting snort. I stopped it manually, confirmed it using

    service --status-all


    and a few minutes later it was running again. I guess that is a good thing (to have the security services restart) but what causes that?

    Richard
  • Accepted Answer

    Richard
    Sunday, March 24 2013, 09:55 AM - #Permalink
    Nick, as always, thanks for your help - I really appreciate it!

    OK, I have commented the python rules out as you suggest and have disabled the web server rules as I don't have a web server. I have restarted snort and it doesn't log any errors trying to run codecademy but that still doesn't work.

    I've also stopped snort and am trying this without it running and that, too, doesn't work. What else could this be?

    Thanks again!

    Richard
  • Accepted Answer

    Sunday, March 24 2013, 09:40 AM - #Permalink
    First off, if you have no blocking messages in /var/log/snortsam then these are only detection warnings and you can ignore them if you want. Having said that I can see the rule contains blocking information so I would think a block is being activated. So plan b.

    You can see the rule number being activated is 1350 so do:
    grep 1350 /etc/snort.d/rules/gpl/*.rules
    This says the rule is in web_server.rules. Open /etc/snort.d/rules/gpl/*.rules/web_server.rules, find the matching rule and either delete it or comment it out by putting a # in front of it. Save the file and restart snort with a:
    service snort restart
    or use the webconfig.

    Alternatively are you running a web server? If you are not there is no point in running the "Web server exploits" rules in the webconfig.
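The SID lookup and comment-out procedure Nick describes, as an added shell example that is not from the thread: it pulls the rule SID out of alert lines like the ones Richard posted, comments out the matching rule in a rules file, and confirms it is gone. The rules file contents and the third alert line are constructed for the demo; the real files on ClearOS are the /var/log/secure and /etc/snort.d/rules/gpl/*.rules paths named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find which Snort rule SID is firing,
# comment that rule out in a rules file, and check it is no longer active.
# The rules file and the third alert line below are constructed for the demo.

# Distinct SIDs that fired, most frequent first ("count sid" per line).
# Snort logs the rule as [gid:sid:rev]; only the middle number is kept.
alert_sids() {
    sed -n 's/.*\[[0-9]*:\([0-9]*\):[0-9]*\].*/\1/p' | sort | uniq -c | sort -rn
}

# Most frequent SID only, as a bare number.
top_sid() {
    alert_sids | awk 'NR == 1 { print $2 }'
}

# Number of active (uncommented) rules in file $1 carrying sid $2.
active_rule_count() {
    grep -c "^[^#].*sid:[[:space:]]*$2[[:space:]]*;" "$1" || true
}

# Comment out every active rule with sid $2 in file $1. Lines already
# commented are left alone, so running it twice is harmless; the temp-file
# rewrite works with both GNU and BSD sed.
disable_sid() {
    sed "/^[^#].*sid:[[:space:]]*$2[[:space:]]*;/s/^/# /" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# --- constructed fixtures (placeholder rule bodies; only the sids matter) ---
WORK=$(mktemp -d)
RULES="$WORK/web_server.rules"
cat > "$RULES" <<'EOF'
# constructed rules file for the demo
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; content:"placeholder"; classtype:web-application-attack; sid:1350; rev:7;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER other placeholder"; content:"placeholder"; classtype:web-application-attack; sid:1201; rev:1;)
EOF
ALERTS='Mar 24 09:14:36 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:32860 -> 173.194.34.163:80
Mar 24 09:14:38 proxy snort[6683]: [1:1201:1] GPL WEB_SERVER other placeholder [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:36886 -> 184.72.245.30:80'

SID=$(printf '%s\n' "$ALERTS" | top_sid)
echo "Most frequent SID: $SID; active rules with it: $(active_rule_count "$RULES" "$SID")"
disable_sid "$RULES" "$SID"
echo "After disabling: $(active_rule_count "$RULES" "$SID") active (then: service snort restart)"
```

Note that the port numbers in the alerts are the client's ephemeral source ports, which is why they change on every connection; the SID in the `[1:1350:7]` field is the stable key to act on.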