Guardian not logging or blocking, how to troubleshoot?

jlima8900
Posts: 10
Joined: January 17th, 2015, 1:38 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by jlima8900 » March 28th, 2017, 8:09 pm

Hi,

I have deleted the content of /etc/snort/rules/*.*, then disabled Guardian and removed all network selections, then saved and restarted Guardian, then selected RED, BLUE and GREEN and updated the community rules in order, starting with Emerging Threats and so on, and it seems to have "fixed it".

Regards and Thanks

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by Edwin » March 28th, 2017, 9:45 pm

Hi jlima8900,

Thanks for your reply.
A few versions back I tried, more or less, what you describe. I also tried starting over with a complete fresh install (core107 I believe it was). Both didn't fix my problem then.
Can you confirm that VRT-rules work for you now?
If so, I will gladly try the procedure you describe!

Regards,
Edwin.

jlima8900
Posts: 10
Joined: January 17th, 2015, 1:38 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by jlima8900 » March 29th, 2017, 11:36 am

@Edwin,

It is working for the moment with Emerging Threats only.
It merged the 3 different free sources (so I need to select all the new ones manually :/ ) and I will let it run for a while to see if the rules are triggered.

For the moment only emerging ones are being triggered.

Anyway, this procedure does not affect anything in IPFire; it is perfectly safe.
You can just download the rules again :)

Regards
Attachments
attacks.PNG

jlima8900
Posts: 10
Joined: January 17th, 2015, 1:38 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by jlima8900 » March 31st, 2017, 11:38 am

Nope, still messing up the detections; when adding the VRT rules it simply stopped showing them....
:-[ (sigh)

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by Edwin » April 1st, 2017, 8:50 am

Okay, thanks for sharing.
So IDS with VRT rules on IPFire do not work.
I have no clue how to diagnose this problem. I can only hope this issue gets the attention from someone who does.

Regards,
Edwin.

Edit: just created a report on Bugzilla about this.

bloater99
Posts: 476
Joined: October 13th, 2014, 3:47 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by bloater99 » April 3rd, 2017, 2:09 pm

Edwin wrote: Okay, thanks for sharing.
So IDS with VRT rules on IPFire do not work.
I have no clue how to diagnose this problem. I can only hope this issue gets the attention from someone who does.

Regards,
Edwin.

Edit: just created a report on Bugzilla about this.
Thank you, I asked about it a few times but was largely ignored. Maybe if they hear it from multiple users and through bugzilla, it will get on their radar. For all I know, maybe it is on their radar, but their silence on the matter leaves us in the dark.

I went ahead and disabled the community and vrt rules to see if that decreases the load on snort. They aren't working anyway.

H&M
Posts: 431
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Guardian not logging or blocking, how to troubleshoot?

Post by H&M » June 8th, 2017, 8:11 pm

Hi,

It seems all solved after last night's rules update (I have a script that updates rules every night).

I see hits from malware-cnc.rules

Code:

[**] [1:31136:2] MALWARE-CNC Win.Trojan.ZeroAccess inbound connection [**]
[Classification: A Network Trojan was Detected] [Priority: 1]
06/08-23:00:10.375998 
UDP TTL:113 TOS:0x4 ID:2059 IpLen:20 DgmLen:44
Len: 16
[Xref => http://www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/]

Malware_CNC rule file is from SourceFire

So it works...

Best regards,
H&M

PS: script for update is here: viewtopic.php?f=27&t=8323&start=30#p107708

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by Edwin » June 14th, 2017, 7:21 pm

Hi,

Looks promising.
So yesterday I switched back to Sourcefire VRT rules with subscription instead of the emerging rules, deselected the emerging rules in use and selected a lot of the sourcefire rules (including malware-cnc). Since then there is an empty IDS-log. I'll give it another 24 hours, if the log is still empty by tomorrow evening I'll switch back to emerging rules.

Do you have some more hits on the sourcefire rules?

(Ah well, now I can't update the rules anymore,

Code:

--2017-06-14 21:31:50--  https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=xxxxx
Resolving www.snort.org... 104.16.62.75, 104.16.65.75, 104.16.66.75, ...
Connecting to www.snort.org|104.16.62.75|:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2017-06-14 21:31:50 ERROR 403: Forbidden.


Changing the oinkcode didn't help.)

Regards,
Edwin.

Edit:
I changed /srv/web/ipfire/cgi-bin/ids.cgi so that it would download snortrules-snapshot-2990.tar.gz. Downloading from the browser works, updating from the WUI results in the same error (with snapshot-2990 of course).

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by Edwin » June 20th, 2017, 5:26 pm

So, after the (smooth) upgrade to Core111, update of the VRT rules worked again. Last update: Thu Jun 15 21:36:06 2017.
I selected the VRT rules with subscription and selected a lot of VRT rules. The IDS logging is now empty for two days in a row. I hope I am wrong here, but VRT rules still don't work with IPFire. The bugtrack record I submitted about this seems to be ignored. I think it is better to remove the choice to select the VRT rules from the WUI.

Regards,
Edwin.

H&M
Posts: 431
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Guardian not logging or blocking, how to troubleshoot?

Post by H&M » June 21st, 2017, 9:21 pm

Hi,
Here all works fine: 2 examples from VRT rules triggered in a row:
VRT-Snort rules triggered core111.PNG
Besides those, I have hits for PCAnywhere response ID 2100566, and quite a few SNMP attacks with ID 2101411...

Best regards,
H&M

Arne.F
Core Developer
Posts: 7935
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH
Contact:

Re: Guardian not logging or blocking, how to troubleshoot?

Post by Arne.F » June 22nd, 2017, 8:43 am

I changed /srv/web/ipfire/cgi-bin/ids.cgi that it would download snortrules-snapshot-2990.tar.gz. Downloading from browser works, updating from WUI results in same error (with snapshot-2990 of course).
After a download the oinkcode is blocked for a time (I think it was 15 min) and cannot download again.
Arne

Support the project on the IPFire wishlist!

PS: I will not answer support questions via email and ignore IPFire related messages on my non-IPFire.org mail addresses.

Edwin
Posts: 104
Joined: March 19th, 2016, 12:02 pm

Re: Guardian not logging or blocking, how to troubleshoot?

Post by Edwin » June 26th, 2017, 8:16 pm

Hi,

So I have selected almost all VRT (subscription) rules for some days now and I have almost one IDS log entry a day. It's always the same rule:

Code:

Date:	06/26 21:26:02 	Name:	FILE-IDENTIFY Microsoft Office Publisher file magic detected
Priority:	3 	Type:	Misc activity
I don't use or have MS Office, but I am kind of glad I have some hits eventually. I am not yet convinced that VRT rules are working. Is there a way to test if some of the other rules work as well?

Regards,
Edwin.

H&M
Posts: 431
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Guardian not logging or blocking, how to troubleshoot?

Post by H&M » June 27th, 2017, 8:54 pm

Hi,

I don't use PCAnywhere either but IDS detects attacks for it.
In other words: some bad guys out there throw anything they have against my IDS in the hope they find a weak point.

Yes, VRT barely generates any alerts: less than 10 per day, while ET generates hundreds.
This is why I use ET + VRT + some rules created by me...

Hope it helps.
H&M
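One way to answer the question above (are the VRT rules firing at all, or only the ET ones?) is to parse the sensor's alert log and tally hits per rule source rather than eyeballing the WUI. This is an added example, not code from the thread or from IPFire; the sample log below is constructed in the "full" alert format quoted earlier, and the SID-range rule for telling ET rules from VRT rules is an assumed heuristic.

```python
import re
from collections import Counter

# Constructed sample in the "full" alert format quoted earlier in this thread;
# addresses are documentation ranges and the events did not come from a real sensor.
SAMPLE_ALERTS = """\
[**] [1:31136:2] MALWARE-CNC Win.Trojan.ZeroAccess inbound connection [**]
[Classification: A Network Trojan was Detected] [Priority: 1]
06/08-23:00:10.375998 203.0.113.10:16465 -> 198.51.100.5:16471
UDP TTL:113 TOS:0x4 ID:2059 IpLen:20 DgmLen:44

[**] [1:2101411:11] GPL SNMP public access udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/08-23:05:41.120034 203.0.113.22:45678 -> 198.51.100.5:161

[**] [1:2100566:8] GPL POLICY PCAnywhere server response [**]
[Classification: Misc activity] [Priority: 3]
06/08-23:07:02.000100 198.51.100.5:5632 -> 203.0.113.40:5632
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")

def rule_source(sid):
    """Assumed heuristic: Emerging Threats own the 2000000-2999999 SID block;
    any other SID in a stock IPFire rule set is treated as VRT/Talos."""
    return "emerging" if 2000000 <= sid <= 2999999 else "vrt"

def parse_alerts(text):
    """Turn the multi-line alert log into dicts; unrecognised lines are ignored."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            gid, sid, rev, msg = m.groups()
            current = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg}
            alerts.append(current)
            continue
        m = CLASS_RE.match(line)
        if m and current is not None:
            current["classification"] = m.group(1)
            current["priority"] = int(m.group(2))
    return alerts

def hits_per_source(text):
    """Count alerts per rule source, e.g. Counter({'emerging': 2, 'vrt': 1})."""
    return Counter(rule_source(a["sid"]) for a in parse_alerts(text))
```

Run it over the real alert file instead of the sample and a result with zero "vrt" hits over a few days, while ET rules keep firing, is the symptom this thread describes; a non-zero count tells you which VRT SIDs actually matched.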

democles
Posts: 21
Joined: June 4th, 2015, 5:01 pm
Location: Belgium

Re: Guardian not logging or blocking, how to troubleshoot?

Post by democles » December 29th, 2017, 6:56 pm

Hi,

I was wondering if some improvements had been found.... I'm on core 116 and only ET rules seem to work... can someone confirm this?
Many thanks !

Best wishes for 2018 to you all!
democles, never too old to learn 8)

ffolk
Posts: 11
Joined: June 22nd, 2012, 2:01 am

Re: Guardian not logging or blocking, how to troubleshoot?

Post by ffolk » May 3rd, 2018, 1:45 pm

I confirm on 120 that only ET works. With Sourcefire no success.
