FritzBox behind IPFire with Guardian

Tripwire, Guardian, Snort, Squidclamav
FischerM
Community Developer
Posts: 648
Joined: November 2nd, 2011, 12:28 pm

Re: FritzBox behind IPFire with Guardian

Post by FischerM » August 18th, 2017, 12:36 pm

Hi,
HM233 wrote: snort.conf is not empty, though.
What is in it, then? And what permissions does the file have?

What is the output of:

Code:

ls /etc/snort/ -l

My guess: either there is no 'snort.conf' in '/etc/snort', or the file has the wrong permissions.
If need be, you can download an original from here.

It has to go into '/etc/snort' and should then be given suitable permissions there:

Code:

chown -R nobody:nobody /etc/snort

HTH,
Matthias

HM233
Posts: 12
Joined: June 9th, 2017, 5:07 am

Re: FritzBox behind IPFire with Guardian

Post by HM233 » August 20th, 2017, 4:44 am

Hello,

I have now replaced /etc/snort/snort.conf with the original (link from your last post) and adjusted the permissions with

Code:

chown -R nobody:nobody /etc/snort

Then I rebooted ipfire, and now the status is displayed correctly again in the menu under Status, Services, i.e. Intrusion Detection System now shows RUNNING ;)

So it seems there was some setting in my old /etc/snort/snort.conf that prevented snort from starting?

Regards,
HM233

FischerM
Community Developer
Posts: 648
Joined: November 2nd, 2011, 12:28 pm

Re: FritzBox behind IPFire with Guardian

Post by FischerM » August 20th, 2017, 5:31 am

Morning,

To your question: IMHO yes. ;)

What do the 'snort' logs say? If 'snort' is now definitely running and filtering, and the corresponding 'snort' alerts are being blocked by 'guardian', everything should be fine again...

You don't happen to still have the old 'snort.conf' somewhere? Then you could use 'diff' to see what the differences were.

Regards,
Matthias

HM233
Posts: 12
Joined: June 9th, 2017, 5:07 am

Re: FritzBox behind IPFire with Guardian

Post by HM233 » August 20th, 2017, 3:59 pm

Hello,

yes, I had kept the old snort.conf. The only differences are in the commented-in and commented-out snort rules, i.e.

Code:

[root@ipfire snort]# diff snort.conf snort.conf.orig 
525,572d524
< include $RULE_PATH/community.rules
< # include $RULE_PATH/emerging-activex.rules
< # include $RULE_PATH/emerging-attack_response.rules
< # include $RULE_PATH/emerging-botcc.portgrouped.rules
< # include $RULE_PATH/emerging-botcc.rules
< # include $RULE_PATH/emerging-chat.rules
< # include $RULE_PATH/emerging-ciarmy.rules
< # include $RULE_PATH/emerging-compromised.rules
< # include $RULE_PATH/emerging-current_events.rules
< # include $RULE_PATH/emerging-deleted.rules
< # include $RULE_PATH/emerging-dns.rules
< # include $RULE_PATH/emerging-dos.rules
< # include $RULE_PATH/emerging-drop.rules
< # include $RULE_PATH/emerging-dshield.rules
< # include $RULE_PATH/emerging-exploit.rules
< # include $RULE_PATH/emerging-ftp.rules
< # include $RULE_PATH/emerging-games.rules
< # include $RULE_PATH/emerging-icmp.rules
< # include $RULE_PATH/emerging-icmp_info.rules
< # include $RULE_PATH/emerging-imap.rules
< include $RULE_PATH/emerging-inappropriate.rules
< include $RULE_PATH/emerging-info.rules
< # include $RULE_PATH/emerging-malware.rules
< include $RULE_PATH/emerging-misc.rules
< # include $RULE_PATH/emerging-mobile_malware.rules
< # include $RULE_PATH/emerging-netbios.rules
< # include $RULE_PATH/emerging-p2p.rules
< # include $RULE_PATH/emerging-policy.rules
< # include $RULE_PATH/emerging-pop3.rules
< # include $RULE_PATH/emerging-rbn-malvertisers.rules
< # include $RULE_PATH/emerging-rbn.rules
< # include $RULE_PATH/emerging-rpc.rules
< # include $RULE_PATH/emerging-scada.rules
< include $RULE_PATH/emerging-scan.rules
< # include $RULE_PATH/emerging-shellcode.rules
< # include $RULE_PATH/emerging-smtp.rules
< # include $RULE_PATH/emerging-snmp.rules
< # include $RULE_PATH/emerging-sql.rules
< # include $RULE_PATH/emerging-telnet.rules
< # include $RULE_PATH/emerging-tftp.rules
< # include $RULE_PATH/emerging-tor.rules
< # include $RULE_PATH/emerging-trojan.rules
< # include $RULE_PATH/emerging-user_agents.rules
< # include $RULE_PATH/emerging-voip.rules
< # include $RULE_PATH/emerging-web_client.rules
< include $RULE_PATH/emerging-web_server.rules
< # include $RULE_PATH/emerging-web_specific_apps.rules
< # include $RULE_PATH/emerging-worm.rules
So far I don't know much about the individual snort rules; presumably, through my experimenting (switching rules on and off in the ipfire GUI), I managed to set a combination of rules that led to a snort.conf which then causes an error when starting snort.

Regards, HM233
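
Added example, not part of the thread and not IPFire's own tooling: a shell function that lists every active `include $RULE_PATH/...` line of a snort.conf and reports rule files that are missing or unreadable, which is one thing worth checking after rule sets were toggled. The handling of a relative `RULE_PATH` and the sample files are assumptions constructed for the demo; the thread does not establish which entry stopped Snort from starting.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the rule files that a snort.conf
# really loads and flags those that cannot be opened.

# check_rule_includes CONF
# Prints "OK|MISSING|UNREADABLE <name>" for every active (uncommented)
# "include $RULE_PATH/<name>" line; returns 1 if any file is not usable.
check_rule_includes() {
    conf=$1
    [ -r "$conf" ] || { echo "UNREADABLE $conf"; return 2; }
    # Resolve "var RULE_PATH <dir>". Assumption: a relative value is taken
    # relative to the directory that holds snort.conf.
    rule_path=$(awk '$1 == "var" && $2 == "RULE_PATH" { print $3; exit }' "$conf")
    case $rule_path in
        "") rule_path=$(dirname "$conf") ;;
        /*) ;;
        *)  rule_path=$(dirname "$conf")/$rule_path ;;
    esac
    rc=0
    # "# include ..." lines are disabled rule sets and do not match.
    for name in $(sed -n 's|^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH/\([^[:space:]]*\).*|\1|p' "$conf"); do
        if   [ ! -e "$rule_path/$name" ]; then echo "MISSING $name";    rc=1
        elif [ ! -r "$rule_path/$name" ]; then echo "UNREADABLE $name"; rc=1
        else echo "OK $name"
        fi
    done
    return $rc
}

# make_sample DIR: constructed sample data (rule set names taken from the
# diff above; file contents are placeholders, not real rules).
make_sample() {
    mkdir -p "$1/rules"
    cat > "$1/snort.conf" <<'EOF'
var RULE_PATH rules
include $RULE_PATH/community.rules
# include $RULE_PATH/emerging-dos.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-web_server.rules
EOF
    echo '# placeholder' > "$1/rules/community.rules"
    echo '# placeholder' > "$1/rules/emerging-scan.rules"
    # emerging-web_server.rules is left out on purpose.
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_rule_includes "$tmp/snort.conf" || echo "=> fix the entries above, then run: snort -T -c <conf>"
rm -rf "$tmp"
```

`snort -T -c <conf>` is Snort's own test mode: it parses the configuration and rules and exits, so it can confirm the result before the service is restarted.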
