Guardian not logging or blocking, how to troubleshoot?

Postby nateso49 » March 8th, 2017, 1:48 am

After Guardian 2.0 I noticed that it was no longer adding IPs to iptables, nor the WUI.
snort seems to be working fine... logging hits from rules into /var/log/messages.
I noticed that guardian was not logging anything, for a while:
-rwxrwxrwx 1 root root 0 Oct 31 23:20 /var/log/guardian/guardian.log

Looking in /var/ipfire/guardian/guardian.conf it is monitoring a file that does not exist:
Monitor_SNORT = /var/log/snort/alert
The only files in /var/log/snort/ are named like snort.log.1488934696

Anybody else have this issue? Is snort or guardian wrong?
What am I missing?
Nate

UPDATE: Have tried uninstalling and reinstalling snort & guardian.
Looking in /var/log/pakfire/install-guardian.log
usr/local/bin/guardian.pl
usr/local/bin/guardian_block.sh
usr/local/bin/guardian_unblock.sh

do not exist / are not installed?

Is no one experiencing this?

UPDATE: Forced snort to write to log; -A fast in /etc/init.d/snort

And wrote my own script (in /etc/fcron.hourly/):

#!/bin/sh
# flush the GUARDIAN chain, then add a DROP for every non-LAN IP seen in the snort alert log
iptables -F GUARDIAN
ip=$(grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' /var/log/snort/alert | grep -v '192\.168\.1' | sort -u)
for i in $ip ; do iptables -A GUARDIAN -s "$i" -j DROP ; done
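A safer variant of the same idea, as an added example that is not nateso49's script and not IPFire's guardian add-on: the hourly script above takes every dotted quad on each alert line, so an alert on outbound traffic would also block the remote destination, and `grep -v 192.168.1` excludes anything containing that substring (192.168.10.x, 192.168.100.x) while excluding nothing else that is private. The version below parses the source address of each snort fast-format alert (the token left of `->`), skips RFC 1918 and loopback ranges, and only touches iptables when run with `apply`. The alert path and the GUARDIAN chain come from the thread; the sample alert lines, the `-A fast` format handling and the `IPTABLES`/`ALERT_LOG` variables are my assumptions.

```shell
#!/bin/sh
# Added example, not nateso49's script and not IPFire's guardian add-on code.
# Assumptions (not from the thread): snort writes "-A fast" alerts to ALERT_LOG,
# a GUARDIAN chain already exists and is hooked into INPUT/FORWARD, and the
# RFC 1918 / loopback ranges below must never be blocked.

ALERT_LOG="${ALERT_LOG:-/var/log/snort/alert}"
IPTABLES="${IPTABLES:-iptables}"

# Constructed sample of snort fast-format alert lines (not real traffic):
# two alerts from the same scanner, one inbound from another host, and one
# outbound ping from a LAN host (whose *destination* must not get blocked).
sample_alerts() {
    cat <<'EOF'
03/08-01:48:02.112233  [**] [1:1000001:1] TEST inbound alert [**] [Classification: Test] [Priority: 2] {TCP} 203.0.113.7:4444 -> 192.168.1.10:52311
03/08-01:49:10.000001  [**] [1:1000002:1] TEST ssh scan [**] [Classification: Test] [Priority: 2] {TCP} 198.51.100.23:51234 -> 192.168.1.1:22
03/08-01:50:00.000002  [**] [1:1000002:1] TEST ssh scan [**] [Classification: Test] [Priority: 2] {TCP} 198.51.100.23:51235 -> 192.168.1.1:22
03/08-01:51:00.000003  [**] [1:1000003:1] TEST outbound ping [**] [Classification: Test] [Priority: 3] {ICMP} 192.168.1.50 -> 198.51.100.9
EOF
}

# Print the source address of every alert (the token left of "->", port
# stripped), not every dotted quad on the line: a plain grep -o also matches
# the destination host, so an outbound alert would block the remote peer.
# stdin: alert lines; stdout: one IPv4 per line, de-duplicated.
alert_sources() {
    awk '/ -> /{ for (i = 2; i <= NF; i++) if ($i == "->") { split($(i-1), a, ":"); print a[1] } }' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | sort -u
}

# True (0) for addresses that must never be dropped: RFC 1918, loopback, 0/8.
is_local() {
    case "$1" in
        10.*|192.168.*|127.*|0.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# stdin: alert lines; stdout: the sources that are eligible for blocking.
block_candidates() {
    alert_sources | while read -r ip; do
        is_local "$ip" || printf '%s\n' "$ip"
    done
}

# Rebuild the GUARDIAN chain from the current alert log. Set IPTABLES=echo
# to dry-run and see the rules that would be added.
apply_blocks() {
    "$IPTABLES" -F GUARDIAN
    block_candidates < "$ALERT_LOG" | while read -r ip; do
        "$IPTABLES" -A GUARDIAN -s "$ip" -j DROP
    done
}

# Only touch the firewall when explicitly asked: `sh guardian_block.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_blocks
fi
```

Run `IPTABLES=echo sh guardian_block.sh apply` first to see which `-A GUARDIAN -s ... -j DROP` rules would be added; with the constructed sample, 192.168.1.50 is dropped from the candidate list and 198.51.100.9 never appears in it because it is only ever a destination. Flushing and rebuilding the chain each run also means a block disappears as soon as the alert log rotates, so a persistent block list would need its own state file.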

Postby jlima8900 » March 20th, 2017, 2:54 pm

@nateso49

Same here.
Is the option for selecting Guardian available in the GUI together with the RED, BLUE and GREEN networks?
In my case it is not visible there.

Regards
Attachments: Guardian missing.PNG, Capture.PNG

Postby nateso49 » March 20th, 2017, 3:44 pm

Yes, I see the networks. Have tried just RED. No go.
Guardian is running but not working. I have tried to trace it but don't have enough knowledge.

Postby jlima8900 » March 20th, 2017, 5:15 pm

Yes I see, according to the wiki there should be an icon there for Guardian, as referred to in the link below:
http://wiki.ipfire.org/en/configuration/services/ids?s[]=ids
Under Services it is showing the Guardian service running.
Is your situation anything similar on the GUI as well?
I also checked the same folders you did and the result is the same as yours.
I am running Core 109, fresh install.
I was trying to file a bug but I can't find the right component.
Attachments: terminal.PNG, services.PNG
Last edited by jlima8900 on March 21st, 2017, 6:49 pm, edited 1 time in total.

Postby bloater99 » March 21st, 2017, 1:14 pm

Guys, Guardian was moved to its own section a couple of versions ago:
Attachment: guardian.png

Postby jlima8900 » March 21st, 2017, 6:13 pm

@bloater99

I do also have that field on the WEBUI, as you can see below on the screenshot.
Still the logs aren't there; on the IDS logs field there is no activity whatsoever.
If you can see what we are doing wrong, please let us know.
And thanks for the intervention.
Attachments: Capture1.PNG, guardian.PNG

Postby H&M » March 21st, 2017, 8:19 pm

Hi,

Guardian is logging in /var/log/messages.

Use grep to filter, or the WEBUI:

Logs -> System Logs -> Section: Guardian -> then hit Update

This is equivalent to

cat /var/log/messages | grep guardian | grep ... day displayed in WEBUI

HTH

Postby Edwin » March 21st, 2017, 9:26 pm

Hi,

Using the VRT Subscription rules, I don't get any logging either.
Using the Emergingthreats rules all seems to work well.

Regards,
Edwin.

Postby jlima8900 » March 22nd, 2017, 10:27 pm

I can confirm the same is happening but not logging as much as expected.

Edwin wrote:
Hi,

Using the VRT Subscription rules, I don't get any logging either.
Using the Emergingthreats rules all seems to work well.

Regards,
Edwin.

Postby bloater99 » March 23rd, 2017, 12:59 pm

Apparently the VRT rules do not work. I can't remember where I read this, but it's in some post here. I would imagine the IPFire team should acknowledge this somewhere prominently, like a sticky in the forums, or on the wiki, etc., with some explanation why and when to expect a fix. This seems like a more important thing to focus on than a captive portal IMO.

Postby Edwin » March 23rd, 2017, 6:17 pm

Yep, we talked about this earlier.
See viewtopic.php?f=27&t=17610
I didn't file a bug report then, because I wasn't sure it was a bug.

regards,
Edwin.

Postby Edwin » March 26th, 2017, 10:24 am

Someone made a ticket on bugzilla for this problem (in 2015) on core88 and core89. The ticket didn't get resolved; its status is still "new".
I started using IPFire during Core100 (I think) and for me it is great software. I don't remember anymore when I started using the paid VRT rules, but they seemed to work properly. In Core105 the VRT rules stopped and I went back to the emerging threats rules. Since there weren't many complaints on this forum about this issue I experienced, I assumed it must be a problem in my setup. Well, maybe it is not just me.
So now I'd like to know: is there anyone with working VRT rules on IPFire?

Regards,
Edwin.

FischerM (Community Developer)

Postby FischerM » March 26th, 2017, 3:05 pm

Hi,

which Snort version are you using => what does '/var/log/messages' say when you reboot 'snort' (you can find output in LOGS / SYSTEM LOGS / Intrusion Detection)?

Best,
Matthias

Postby H&M » March 26th, 2017, 3:41 pm

Hi,

I confirm: only ET rules fire, although I use both ET and Snort VRT for registered users (and some old rules written by me for Snort).

Thank you for raising this - I had not noticed it.

+1 user confirms the problem

Thank you
H&M

Postby Edwin » March 26th, 2017, 8:24 pm

Hi,

I am on core109, but I have been aware of this behavior since core105.
When I start snort the logfile says many things, a lot that I don't understand. I don't see any errors or strange looking entries (to me). The log says that the version of snort is "Version 2.9.9.0 GRE (Build 56)".
I am running IDS on RED, GREEN and BLUE and I use Guardian as well.
Is there something specific I can look for?

Regards,
Edwin.

Edit:
Well, there are lots of "flowbits key warnings" in the log. like:
22:35:49 snort[19690]: WARNING: flowbits key 'file.mny' is set but not ever checked.

I dunno if it is important, but it's the only odd entry I can find in the log.