I'm still a beginner on all non-Windows computing so please be gentle
I have been running my ClearOS gateway for a few weeks now, primarily to protect my kids from the bad stuff on the Internet using DansGuardian and I'm really happy with it but have run into a problem.
I installed the Intrusion Detection add-in and it seems to be causing a problem with http://www.codecademy.com - my son wants to learn Python for his Raspberry Pi and he is trying to use CodeCademy but Snort seems to see it as an attack and stops it loading.
The 'secure' log contains entries like this:
Mar 24 09:14:36 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:32860 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:32861 -> 173.194.34.163:80
Mar 24 09:14:38 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:36886 -> 184.72.245.30:80
The port numbers used seem to differ each time so I can't just open those ports.
I've tried searching for ways to configure snort to allow this but can't find anything I can understand so I am considering uninstalling the Intrusion Detection but I can't even find how to do that! Do I need to re-install the entire ClearOS, or can someone help, please?
Thanks.
Richard
Responses (5)
Accepted Answer
I forgot about that. Yes, there is something, I think in the syswatch daemon, which does that. The problem was that if you lost your WAN interface then snort would fail and not restart when the WAN came up. Now it is automatically restarted if it is installed.
You can remove it with something like:
rpm -e snort snort-gpl-rules app-intrusion-detection-core app-intrusion-detection --nodeps
To remove the intrusion prevention do something like:
rpm -e app-intrusion-prevention app-intrusion-prevention-core --nodeps
Note that it could take a day for the block which snortsam added to be removed. It can be manually removed but I can't offhand remember the proper way. I could do it by hacking some firewall rules.
Accepted Answer
Nick, as always, thanks for your help - I really appreciate it!
OK, I have commented the python rules out as you suggest and have disabled the web server rules as I don't have a web server. I have restarted snort and it doesn't log any errors trying to run codecademy but that still doesn't work.
I've also stopped snort and am trying this without it running and that, too, doesn't work. What else could this be?
Thanks again!
Richard
Accepted Answer
First off, if you have no blocking messages in /var/log/snortsam then these are only detection warnings and you can ignore them if you want. Having said that I can see the rule contains blocking information so I would think a block is being activated. So plan b.
You can see the rule number being activated is 1350 so do:
grep 1350 /etc/snort.d/rules/gpl/*.rules
This says the rule is in web_server.rules. Open /etc/snort.d/rules/gpl/web_server.rules, find the matching rule and either delete it or comment it out by putting a # in front of it. Save the file and restart snort with a:
service snort restart
or use the webconfig.
Alternatively are you running a web server? If you are not there is no point in running the "Web server exploits" rules in the webconfig.
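The two posts above boil down to the same procedure: the alert line in /var/log/secure carries the signature id in its [gid:sid:rev] field (the client port changes on every connection, so it is never the thing to tune on), and the fix is to find that sid in its rules file, comment the rule out, and restart snort. The script below is an added example, not code from this thread or from ClearOS, that does both steps on constructed data: it summarises alert lines by sid and comments a chosen sid out of a rules file while keeping a backup. The alert lines are modelled on the ones Richard posted; the rules file, the 9999999 "local" signature and the 13500 neighbour rule are constructed for the demo and are not the real GPL rule text. It assumes a POSIX sh with sed, grep, awk and mktemp, and the real paths are the ones Nick gives (/etc/snort.d/rules/gpl/ and "service snort restart").

```shell
#!/bin/sh
# Added example, not code from the ClearOS thread or from ClearOS itself.
# Step 1: pull the SID out of Snort alert lines of the form
#   "... snort[pid]: [gid:sid:rev] message [Classification: ...] ..."
# Step 2: comment that rule out of a rules file, keeping a .bak copy.
# All sample data below is constructed; on a real box point disable_sid at
# /etc/snort.d/rules/gpl/web_server.rules and run "service snort restart".

# Constructed alert lines modelled on the thread. Note the client port differs
# per connection (it is ephemeral); the stable key is the signature id.
# SID 9999999 is a hypothetical local rule, present only to give a second SID.
SAMPLE_ALERTS='Mar 24 09:14:36 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:52802 -> 173.194.34.163:80
Mar 24 09:14:37 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:32860 -> 173.194.34.163:80
Mar 24 09:14:38 proxy snort[6683]: [1:1350:7] GPL WEB_SERVER python access attempt [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.25:36886 -> 184.72.245.30:80
Mar 24 09:15:02 proxy snort[6683]: [1:9999999:1] LOCAL hypothetical test rule [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.25:40001 -> 192.0.2.10:80'

# Constructed rules file (single-quoted so $HOME_NET etc. stay literal).
# Line 1 is a simplified stand-in for SID 1350, not the real GPL rule text.
# Line 2 (sid 13500) shows the match is exact; line 3 is already disabled.
SAMPLE_RULES='alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; content:"python"; nocase; classtype:web-application-attack; sid:1350; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"hypothetical neighbouring rule"; content:"foo"; sid:13500; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"already disabled"; content:"bar"; sid:1351; rev:2;)'

# Summarise alert lines from stdin as "count gid:sid message", most frequent first.
summarize_sids() {
    sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):[0-9][0-9]*\] \(.*\) \[Classification:.*/\1:\2 \3/p' |
        sort | uniq -c | sort -rn
}

# Print only the gid:sid of the most frequent alert on stdin (e.g. "1:1350").
top_sid() {
    summarize_sids | head -n 1 | awk '{print $2}'
}

# Exit 0 if an uncommented rule with exactly this SID exists in the file.
# "[[:space:];]sid:N;" keeps sid 1350 from matching sid 13500.
sid_active() {
    grep -q "^[^#].*[[:space:];]sid:$1;" "$2"
}

# Comment out every active rule carrying exactly this SID, keeping file.bak.
# Usage: disable_sid 1350 /etc/snort.d/rules/gpl/web_server.rules
disable_sid() {
    sid="$1"; file="$2"; tmp="$file.tmp.$$"
    cp -p "$file" "$file.bak" || return 1
    sed "/^[^#].*[[:space:];]sid:$sid;/s/^/# /" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on the constructed data: summarise, disable the noisiest SID, show the result.
printf '%s\n' "$SAMPLE_ALERTS" | summarize_sids
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$demo_file"
disable_sid "$(printf '%s\n' "$SAMPLE_ALERTS" | top_sid | cut -d: -f2)" "$demo_file"
cat "$demo_file"
rm -f "$demo_file" "$demo_file.bak"
```

Run as-is it prints the alert summary and the edited copy of the constructed rules file; against the real file, follow it with the restart Nick describes. Two caveats beyond the thread: a rule commented out in the rules file comes back with the next rules update, and Snort's own threshold.conf accepts a line of the form "suppress gen_id 1, sig_id 1350" (optionally "track by_src, ip <host>") that silences the alert without touching the rules file. That syntax is Snort's; whether the ClearOS packaging keeps a threshold.conf edit across updates is not something the thread covers.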