Search found 83 matches

by TimF
September 29th, 2018, 2:42 pm
Forum: IPFire in General
Topic: Snort not working [Solved]
Replies: 21
Views: 2656

Re: Snort not working

It looks like that's the problem. You should be able to just add the lines to the file. If you then run: snort -c /etc/snort/snort.conf -T it will check the rules for errors; hopefully it will say they're OK. Then do: /etc/init.d/snort restart and snort should start working again. The update script s...
by TimF
September 28th, 2018, 3:18 pm
Forum: IPFire in General
Topic: Snort not working [Solved]
Replies: 21
Views: 2656

Re: Snort not working

OK. Can you have a look at /etc/snort/snort.conf and check that it has the line include /etc/snort/rules/classification.config in it. I think there's a bug in the IDS WUI that can corrupt the end of this file under some circumstances. Also look at /etc/snort/rules/emerging-exploit.rules, around lin...
by TimF
September 27th, 2018, 7:12 pm
Forum: IPFire in General
Topic: Snort not working [Solved]
Replies: 21
Views: 2656

Re: Snort not working

What's happening is that the /etc/snort/rules/classification.config file doesn't contain the information on the classtype misc-activity. I don't know why this is happening since this file should be downloaded with the rules. Can you tell me what the date of this file is and what the contents are? (I...
by TimF
September 26th, 2018, 9:46 pm
Forum: IPFire in General
Topic: IDS, Intrusion Detection System. What rule provider is best and what rules are best?
Replies: 7
Views: 2600

Re: IDS, Intrusion Detection System. What rule provider is best and what rules are best?

Hi, The answer to your questions is (unsurprisingly) it depends. (Warning - long post coming up) First some definitions for the sake of discussion: Ruleset - a complete set of rules coming in a single download. Contains a number of rulefiles. These are what you select in the pulldown on the WUI. Rul...
by TimF
September 17th, 2018, 3:40 pm
Forum: IPFire in General
Topic: What is Mail Service for?
Replies: 4
Views: 944

Re: What is Mail Service for?

It's used if you've got WIO sending you emails when systems go on/offline.

My automatic Snort rule update script also uses it.

It may be used for other things as well, but these are the ones I know about.
by TimF
August 28th, 2018, 7:14 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

Re: IDS Rule updater - with rule state persistance

@JonM snort-update.pl should be removed if you're using the latest version of the script.

I'm not sure where the other line came from, but it should be able to be removed.

@Drexbengel48 I've edited the file - hopefully correctly.
by TimF
August 27th, 2018, 1:50 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

Re: IDS Rule updater - with rule state persistance

The entry for snort-update.pl should have been removed by the installer - I've corrected it. The output from running it looks OK. The Emerging Threats rules are updated around midnight (UK time) on weekdays so the true test that it's working OK should come tonight. Hopefully tomorrow you'll be able ...
by TimF
August 26th, 2018, 1:27 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

Re: IDS Rule updater - with rule state persistance

Hi xPliZit_xs, Have you any idea why it's stopped working in 123? If not, a couple of things to check - Have a look at the crontab - log in as root and run fcrontab -l (lower case L). There should be a reference to snort-update.pl (ids-update.pl for the new version), probably near the bottom. A poss...
by TimF
August 17th, 2018, 3:21 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

Re: IDS Rule updater - with rule state persistance

I've now uploaded a new version. I'm not entirely sure the installer will work correctly, so it's on a branch at the moment. You can find it at: https://github.com/timfprogs/ipfidsupdate/tree/version3 The major change is in the handling of community rules. While it's true that the Talos VRT rules co...
by TimF
July 21st, 2018, 12:24 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

Re: IDS Rule updater - with rule state persistance

Hopefully it's fixed now.

A minor problem with the code which is meant to stop downloading files if the latest version is already installed.
by TimF
July 10th, 2018, 5:14 pm
Forum: IPFire in General
Topic: IDS logs do no work
Replies: 1
Views: 485

Re: IDS logs do no work

I think this is a difference between the Talos VRT and Emerging Threats rule sets. Both rule sets include rules that look at the characteristics of the traffic passing through Snort, however the Emerging Threats ruleset includes rules that just look for known suspect IP addresses. If you see rules b...
by TimF
July 10th, 2018, 5:03 pm
Forum: IPFire in General
Topic: URL Filter Not Working
Replies: 7
Views: 1514

Re: URL Filter Not Working

My understanding is that the transparent proxy will not work for https connections - which is the majority of connections these days. It's a function of the way that https works. This means that the URL filter doesn't work.
by TimF
June 26th, 2018, 9:52 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

Re: IDS Rule updater - with rule state persistance

I think I've fixed the problem - it was reading a null string for the downlink speed from the QOS settings and not handling it properly. The lack of the log page and empty email subject is due to the language cache not being updated (the last thing the installer does). Running update-lang-cache from...
by TimF
June 26th, 2018, 4:56 pm
Forum: IPFire in General
Topic: IDS Rule updater - with rule state persistance
Replies: 58
Views: 8849

IDS Rule updater - with rule state persistance

I've now got a script running that will not only download Snort rule updates automatically, but will also persist the state of existing rules. So if you want to enable all the rules and still have them enabled after an update, you can now do this (but don't - it's a really bad idea to enable all the...
by TimF
June 9th, 2018, 7:01 pm
Forum: IPFire in General
Topic: Snort Rules Update
Replies: 81
Views: 26949

Re: Snort Rules Update

I've now got my script to update the rules while preserving the current list of enabled and disabled rules. It's not quite ready to share yet - I want to do a little more testing. I also need to work out how to share it, since there's too much code to put in a box on this forum. I'm currently expect...