EFW Support

Support => General Support => Topic started by: sstillwell on Saturday 26 December 2009, 03:36:07 am



Title: Intrusion Protection System enabled, but shows as "Off"
Post by: sstillwell on Saturday 26 December 2009, 03:36:07 am
I've got Intrusion Protection enabled, with a good number of rule sets set to "Block" (red shield).  It was working fine last night.

This morning, even though it's still enabled on the Services > Intrusion Protection page, the System > Dashboard page shows it as "Off"

Is it running?  The last logged attack event was at about 2 AM this morning my time...it's 10 AM now.  I've performed a number of actions that at least the policy rules should complain about (logging into FTP, etc.), but no report in the logs.  I'm thinking it really is shut down...how do I find where the problem is and fix it? 

When I disable, save and restart, enable, save and restart, I get no error messages, nor does the Dashboard ever show it as On, so I'm kinda stumped.

IPS isn't a very valuable feature if you can't rely on it continuing to run.  False sense of security is worse than no security.

Scott

*EDIT* Oops, sorry...this is Endian Community 2.3 running on a VMware image...12 GB HDD, 3 NICs (RED/GRN/ORA), with 256 MB RAM.  Two NICs (RED/GRN) are connected to physical NICs via VMware virtual switches, the third (ORA) is connected to an internal VMware switch.  The firewall is serving as an internet gateway, plus a virtualized DMZ for a few virtual machines that users need external access to.  Connectivity seems fine so far (otherwise I couldn't be posting this...), but IPS is down, as I said.
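Added example (not part of the original post, and not Endian's own code): the symptom above is three state sources disagreeing, i.e. the Services page says enabled, the Dashboard says off, and the alert log has gone quiet. The script below reconciles the three explicitly instead of trusting any one of them. The settings-file location, the `KEY=value` format, and the alert log path are assumptions (the thread only confirms `/var/efw` as the settings prefix); the alert lines are constructed in snort's fast-alert format. It is written for Python 3, so on a 2009-era appliance you would run it from a management host against copied files.

```python
"""Cross-check the IPS state the web UI reports against the running daemon
and the alert log. Added illustration, not Endian's code."""
import re
import subprocess
from datetime import datetime, timedelta

# Assumed paths: the thread only establishes /var/efw as the settings prefix.
SETTINGS_FILE = "/var/efw/snort/settings"
ALERT_LOG = "/var/log/snort/alert"

# Snort fast-alert lines start "MM/DD-HH:MM:SS.usec" (no year unless snort runs with -y).
ALERT_TS = re.compile(r"^(\d{2})/(\d{2})-(\d{2}):(\d{2}):(\d{2})")


def parse_settings(text):
    """Parse KEY=value lines (assumed format of the UI's settings file)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def ui_says_enabled(settings):
    # The debug dump in this thread shows ENABLED as '1'; accept the common spellings.
    return settings.get("ENABLED", "").lower() in ("1", "on", "yes", "true")


def daemon_running():
    """Ask the process table, not the dashboard; the thread shows they can disagree."""
    return subprocess.run(["pidof", "snort"], capture_output=True).returncode == 0


def last_alert_time(lines, year):
    """Latest timestamp in the alert file. Caller supplies the year snort omits;
    around New Year the file may mix two years, so treat that window with care."""
    latest = None
    for line in lines:
        m = ALERT_TS.match(line)
        if not m:
            continue
        mo, d, h, mi, s = map(int, m.groups())
        ts = datetime(year, mo, d, h, mi, s)
        if latest is None or ts > latest:
            latest = ts
    return latest


def ips_verdict(enabled, running, last_alert, now, max_silence):
    """Collapse the three signals into one answer a monitor can act on."""
    if not enabled:
        return "disabled-in-ui"
    if not running:
        return "ui-on-daemon-down"          # the state described in the post
    if last_alert is None or now - last_alert > max_silence:
        return "running-but-silent"         # the state described in the follow-up
    return "ok"


def check(settings_text, daemon_up, alert_lines, year, now_iso, max_silence_s):
    settings = parse_settings(settings_text)
    return ips_verdict(ui_says_enabled(settings), daemon_up,
                       last_alert_time(alert_lines, year),
                       datetime.fromisoformat(now_iso),
                       timedelta(seconds=max_silence_s))


# Constructed sample alerts (fast format), last event just after 2 AM as in the post.
SAMPLE_ALERTS = [
    "12/25-01:58:40.123456  [**] [1:9000001:1] CONSTRUCTED FTP login [**] "
    "[Priority: 2] {TCP} 203.0.113.5:40212 -> 192.168.1.10:21",
    "12/25-02:03:11.654321  [**] [1:9000003:1] CONSTRUCTED IRC [**] "
    "[Priority: 3] {TCP} 192.168.1.20:51000 -> 198.51.100.7:6667",
]

if __name__ == "__main__":
    # Live run on the box: read the real files and poll the real process.
    try:
        with open(SETTINGS_FILE) as f:
            settings_text = f.read()
        with open(ALERT_LOG) as f:
            alert_lines = f.readlines()
    except FileNotFoundError as e:
        raise SystemExit(f"missing {e.filename}; adjust the assumed paths")
    now = datetime.now()
    print(check(settings_text, daemon_running(), alert_lines,
                now.year, now.isoformat(), 3600))
```

The `max_silence` threshold is deliberately a parameter: on a busy RED link an hour of no alerts is suspicious, on a quiet lab bridge it is normal, and the only reliable way to calibrate it is to generate a known-bad probe (the FTP login test in the post is exactly that) and confirm it lands in the log.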


Title: Re: Intrusion Protection System enabled, but shows as "Off"
Post by: sstillwell on Saturday 26 December 2009, 04:05:30 am
Update:  If I log into the console and manually start the snort daemon (/etc/init.d/snort start), then it shows up in the dashboard and the status page as running.  Evidently something in the web UI is convincing it not to start the daemon to begin with.

However...even when running it's not alerting on traffic that it should log.  *sigh*

In the meantime I've turned off automatic updating of rules.

Ideas?


Title: Re: Intrusion Protection System enabled, but shows as "Off"
Post by: sstillwell on Saturday 26 December 2009, 04:25:27 am
Starting IPS/Snort in debug mode yields:

2009-12-25 11:18:59,790 - restartsnort.py[18247] - DEBUG - Initialize uplinks Pool with prefix '{'ETC_D': '/var/efw', 'VAR_D': '/var/efw', 'USR_D': '/var/efw', 'USER_D': '/var/efw', 'RUN_D': '/var/efw'}'.
2009-12-25 11:18:59,795 - restartsnort.py[18247] - DEBUG - Scanning for uplinks in '/var/efw/uplinks'...
2009-12-25 11:18:59,796 - restartsnort.py[18247] - DEBUG - Inizialize uplink 'main' with prefix '{'ETC_D': '/var/efw', 'VAR_D': '/var/efw', 'USR_D': '/var/efw', 'USER_D': '/var/efw', 'RUN_D': '/var/efw'}'.
2009-12-25 11:18:59,797 - restartsnort.py[18247] - DEBUG - Update information of uplink 'main'
2009-12-25 11:18:59,801 - restartsnort.py[18247] - DEBUG - Checking for vanished uplinks in '/var/efw/uplinks'...
2009-12-25 11:18:59,801 - restartsnort.py[18247] - DEBUG - {'UPDATE_SCHEDULE': 'daily', 'ORANGE_ADDRESS': '192.168.xx.yy', 'DNS_SERVERS': '208.67.222.222,208.67.220.220', 'SNORT_RULES_URL': 'http://www.emergingthreats.net/rules/emerging.rules.tar.gz', 'BLUE_ADDRESS': '', 'HOME_NET': '192.168.xx.yy/24,192.168.xx.yy/24', 'ENABLED': '1', 'GREEN_IPS': '192.168.xx.yy/24', 'GREEN_DEV': 'br0', 'GREEN_ADDRESS': '192.168.xx.yy', 'CONFIG_TYPE': '3', 'GREEN_NETMASK': '255.255.255.0', 'ORANGE_NETMASK': '255.255.255.0', 'BLUE_BROADCAST': '', 'RULE_FILES': ['/etc/snort/processed.rules'], 'ORANGE_BROADCAST': '192.168.xx.yy', 'RULESTYPE': 'community', 'GREEN_NETADDRESS': '192.168.xx.yy', 'ORANGE_NETADDRESS': '192.168.xx.yy', 'ORANGE_DEV': 'br1', 'BLUE_NETADDRESS': '', 'POSTGRESQL': 'off', 'GREEN_CIDR': '24', 'BLUE_CIDR': '', 'SNORT_DEFAULT_POLICY': 'alert', 'BLUE_NETMASK': '', 'ORANGE_CIDR': '24', 'BLUE_DEV': 'br2', 'ENABLED_RULES': '', 'GREEN_BROADCAST': '192.168.xx.yy', 'BLUE_IPS': '', 'ORANGE_IPS': '192.168.xx.yy/24'}
2009-12-25 11:18:59,805 - restartsnort.py[18247] - DEBUG - Write config file /etc/sysconfig/snort
2009-12-25 11:18:59,805 - restartsnort.py[18247] - DEBUG - Save old settings file /etc/sysconfig/snort
2009-12-25 11:18:59,824 - restartsnort.py[18247] - DEBUG - Write config file /etc/snort/snort.conf
2009-12-25 11:18:59,827 - restartsnort.py[18247] - DEBUG - Save old settings file /etc/snort/snort.conf
2009-12-25 11:18:59,863 - restartsnort.py[18247] - DEBUG - Write config file /etc/snort/vars
2009-12-25 11:18:59,864 - restartsnort.py[18247] - DEBUG - Save old settings file /etc/snort/vars
2009-12-25 11:18:59,868 - restartsnort.py[18247] - DEBUG - POLICIES: {'/etc/snort/rules/auto/emerging-dshield.rules': 'drop', '/etc/snort/rules/auto/emerging-user_agents.rules': 'drop', '/etc/snort/rules/auto/emerging-malware.rules': 'drop', '/etc/snort/rules/auto/emerging-p2p.rules': 'alert', '/etc/snort/rules/auto/emerging-virus.rules': 'drop', '/etc/snort/rules/auto/emerging-web_sql_injection.rules': 'drop', '/etc/snort/rules/auto/emerging-attack_response.rules': 'drop', '/etc/snort/rules/auto/emerging-inappropriate.rules': 'drop', '/etc/snort/rules/auto/emerging-tor.rules': 'drop', '/etc/snort/rules/auto/emerging-web_specific_apps.rules': 'drop', '/etc/snort/rules/auto/emerging-web_server.rules': 'drop', '/etc/snort/rules/auto/emerging-web.rules': 'drop', '/etc/snort/rules/auto/emerging.rules': 'drop', '/etc/snort/rules/auto/emerging-scan.rules': 'drop', '/etc/snort/rules/auto/emerging-exploit.rules': 'drop', '/etc/snort/rules/auto/emerging-botcc.rules': 'drop', '/etc/snort/rules/auto/emerging-web_client.rules': 'drop', '/etc/snort/rules/auto/emerging-drop.rules': 'drop', '/etc/snort/rules/auto/emerging-voip.rules': 'drop', '/etc/snort/rules/auto/emerging-current_events.rules': 'drop', '/etc/snort/rules/auto/emerging-policy.rules': 'alert', '/etc/snort/rules/auto/emerging-dos.rules': 'drop', '/etc/snort/rules/auto/emerging-game.rules': 'drop', '/etc/snort/rules/auto/emerging-rbn.rules': 'drop', '/etc/snort/rules/auto/emerging-compromised.rules': 'drop'}
2009-12-25 11:18:59,872 - restartsnort.py[18247] - DEBUG - EXCEPTIONS: {'2005868': 'drop', '2005662': 'drop', '2005660': 'drop', '2005661': 'drop', '2005865': 'drop', '2005658': 'drop', '2001929': 'drop', '2001928': 'drop', '2005869': 'drop', '2005866': 'drop', '2006969': 'drop', '2010473': 'drop', '2002731': 'drop', '2004405': 'drop', '2004016': 'drop', '2004407': 'drop', '2002070': 'drop', '2005967': 'drop', '2004406': 'drop', '2009010': 'drop', '2008725': 'drop', '2005969': 'drop', '2005968': 'drop', '2004658': 'drop', '2004659': 'drop', '2005870': 'drop', '2004654': 'drop', '2004655': 'drop', '2004656': 'drop', '2004657': 'drop', '2006973': 'drop', '2006972': 'drop', '2006971': 'drop', '2006970': 'drop', '2003508': 'drop', '2005659': 'drop', '2006974': 'drop', '2005657': 'drop', '2005867': 'drop', '2003885': 'drop', '2004015': 'drop', '2004408': 'drop', '2005972': 'drop', '2004404': 'drop', '2005970': 'drop', '2005971': 'drop', '2004403': 'drop', '2003686': 'drop', '2004014': 'drop', '2003685': 'drop', '2004012': 'drop', '2004013': 'drop', '2004011': 'drop'}
2009-12-25 11:18:59,875 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Save old settings file /etc/snort/processed.rules
2009-12-25 11:18:59,876 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Default Policy: alert
2009-12-25 11:18:59,877 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Stop snort
snort (pid 11428) is running...
Stopping snort:                                            [  OK  ]
snort is stopped
2009-12-25 11:19:00,189 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Start snort
2009-12-25 11:19:00,197 - restartsnort.py/enabled_rule_targets[18247] - INFO - Starting SNORT...
Starting snort:                                            [  OK  ]
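Added example (not from the original post, and not restartsnort.py itself): the debug output above shows the three inputs the rule-processing step works from, a per-file POLICIES map (`drop` or `alert` per rule file), a per-SID EXCEPTIONS map, and a Default Policy of `alert`, and shows that everything is written to the single file listed in RULE_FILES, `/etc/snort/processed.rules`. The script below is a reconstruction of that step from those log lines alone, so the exact precedence Endian applies is an assumption; the rule files, SIDs (9000001 and up) and rule text are constructed. Rules disabled with a leading `#` are left untouched, which matters because a rule the UI shows as "Block" does nothing if the file shipped it commented out.

```python
"""Rewrite snort rule actions from a per-file policy plus per-SID exceptions,
the way the restartsnort.py debug output suggests processed.rules is built.
Reconstruction for illustration, not Endian's code."""
import re

# Single-line rules only; a rule continued with a trailing backslash would need joining first.
RULE_RE = re.compile(r"^(?P<action>alert|drop|log|pass|sdrop|reject)\s+(?P<rest>.+)$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rule(line):
    """Return (action, sid, rest) for an active rule line, else None.
    A '#'-prefixed (disabled) rule never matches and so passes through unchanged."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    s = SID_RE.search(m.group("rest"))
    if not s:
        return None
    return m.group("action"), s.group(1), m.group("rest")


def apply_policy(lines, file_policy, exceptions, default_policy):
    """Per-SID exception beats the file policy, which beats the default (assumed precedence)."""
    out = []
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)            # comments, blanks, disabled rules: untouched
            continue
        _, sid, rest = parsed
        action = exceptions.get(sid, file_policy or default_policy)
        out.append(f"{action} {rest}")
    return out


def build_processed(rule_files, policies, exceptions, default_policy):
    """rule_files: {path: file text}. Returns the text of one merged rules file."""
    out = []
    for path, text in sorted(rule_files.items()):
        policy = policies.get(path, default_policy)
        out.append(f"# --- {path} (policy: {policy}) ---")
        out.extend(apply_policy(text.splitlines(), policies.get(path), exceptions, default_policy))
    return "\n".join(out) + "\n"


def actions_by_sid(processed_text):
    """What each active SID will actually do once snort loads the file."""
    result = {}
    for line in processed_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            result[parsed[1]] = parsed[0]
    return result


# Constructed input: two small rule files, one disabled rule, one SID exception.
SAMPLE_FILES = {
    "/etc/snort/rules/auto/emerging-ftp.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED FTP login"; sid:9000001; rev:1;)\n'
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED disabled"; sid:9000002; rev:1;)\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"CONSTRUCTED IRC"; sid:9000003; rev:1;)\n'
    ),
    "/etc/snort/rules/auto/emerging-policy.rules": (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED policy"; sid:9000004; rev:1;)\n'
    ),
}
SAMPLE_POLICIES = {
    "/etc/snort/rules/auto/emerging-ftp.rules": "drop",
    "/etc/snort/rules/auto/emerging-policy.rules": "alert",
}
SAMPLE_EXCEPTIONS = {"9000003": "alert"}   # one SID in a "drop" file demoted to alert

if __name__ == "__main__":
    text = build_processed(SAMPLE_FILES, SAMPLE_POLICIES, SAMPLE_EXCEPTIONS, "alert")
    print(text)
    for sid, action in sorted(actions_by_sid(text).items()):
        print(sid, action)
```

Two things to verify on the box after any rule update, since the post reports alerts stopping even with the daemon up: run `actions_by_sid` over the real `/etc/snort/processed.rules` and confirm the SIDs you expect are present and not commented out, and remember that a `drop` action only blocks when snort runs inline; in plain sniffing mode it behaves like an alert at best.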