Intrusion Detection Showing stopped - but apparently running

[Guest]

[S3@N]

We've got an odd problem with EFW Community 2.5.1.  We have enabled IDS but the status tab shows it as STOPPED.  The System tab will show it as ON for a while and then go to OFF.  Logging into the console and running PS shows that snort is running.  If I tail /var/messages I can see that something is trying to start SNORT periodically and snort is eventually outputting 'FATAL ERROR: Failed to Lock PID File "/var/run//snort_ifb0.pid" for PID "nnnn"'

So it looks to me like a basic logic bug in the interface and that Snort is actually running but as the logic is wrong and it's being detected as STOPPED it is being restarted because it is enabled.

One thing to note - we upgraded from 2.4.  When we hit problems we deleted and recreated all the standard rules so the install should now be clean.

Any suggestions?

Thanks!

[Ricard]

same problem here. There is an open bug:

bugs.endian com/view.php?id=3248

[Ricard]

well, I'm not sure if that bug is really open...  Although this is annoying, because don't give any security about the snort state.

There is a way to test snort just by visiting  testmyids.com
Then, after some delay, one can see in the Live Logs:

   GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80



Hope this failure in the snort state can be solved.  Now one should go to "intrusion prevention" and click in "Save" to know the right state

[S3@N]

OK - found the problem.

The system was created using a backup of a live system running 2.4 which was then upgraded to 2.5.1.  There is a known issue with Endian in that when restored from a backup into a new system it will add new interfaces (bugs.endian.com/view.php?id=3311).  So we had our internal interface on eth5 (and br0).  

The Endian interface uses monit to generate the status information (see monit status).  Monit reads /var/run/snort.conf for snort monitoring and this is hardcoded to eth0.  In our case snort was running against br0 - not sure why it wasn't eth5...  Either way it wasn't right.

So rather than fix the snort.conf file - we have worked on the assumption that if there is one hardcoded eth0 in the system there may be more.  As we're on VMware it's simple to add a new network card (in our case this was eth8) then rename it by editing /etc/businfotab to make it eth0.  We then changed the green interface to use the new interface and finally deleted the old card (eth5).

This appears to have addressed the obvious issue with the status being misreported, snort is running against eth0 and we are now seeing a few reports coming through - so far so good!

So I guess the key things to take away from all of this are:
1) Watch your network device names when restoring from a backup
2) You need eth0 as your green interface

[Ricard]

thank you

[Tursi]

Hi !

using Endian community 3.3.21 OS on some miniPC with two ethernets.

trying to enable Intrusion detection system but although the switch is green, the status says its OFF.

Is there any bug or additional configuration needed to get this working ?

Or was the support for IDS canceled on community edition ?

Can someone please help ?

Thanks,

David.

[Tursi]

Ok so if anyone would read this in the future...

the problem was with community.rules set

while trying to test the config:

snort -T console -q -c /etc/snort/snort.conf -i eht0
ERROR: /var/signatures/snort/processed/custom/snort3-community.rules(16) Unknown rule option: 'service'.
Fatal Error, Quitting..

deleted community rule set trough gui and now everything works !