Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 05 December 2024, 05:07:33 pm

Login with username, password and session length

Visit the official Endian Community Mailinglist  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Intrusion Protection System enabled, but shows as "Off"
0 Members and 1 Guest are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Intrusion Protection System enabled, but shows as "Off"  (Read 14522 times)
sstillwell
Jr. Member
*
Offline Offline

Posts: 5


« on: Saturday 26 December 2009, 03:36:07 am »

I've got Intrusion Protection enabled, with a good number of rule sets set to "Block" (red shield).  It was working fine last night.

This morning, even though it's still enabled on the Services > Intrusion Protection page, the System > Dashboard page shows it as "Off"

Is it running?  The last logged attack event was at about 2 AM this morning my time...it's 10 AM now.  I've performed a number of actions that at least the policy rules should complain about (logging into FTP, etc.), but no report in the logs.  I'm thinking it really is shut down...how do I find where the problem is and fix it? 

When I disable, save and restart, enable, save and restart, I get no error messages, nor does the Dashboard ever show it as On, so I'm kinda stumped.

IPS isn't a a very valuable feature if you can't rely on it continuing to run.  False sense of security is worse than no security.

Scott

*EDIT* Oops, sorry...this is Endian Community 2.3 running on a VMware image...12 GB HDD, 3 NICs (RED/GRN/ORA), with 256 MB RAM.  Two NICs (RED/GRN) are connected to physical NICs via VMware virtual switches, the third (ORA) is connected to an internal VMware switch.  The firewall is serving as an internet gateway, plus a virtualized DMZ for a few virtual machines that users need external access to.  Connectivity seems fine so far (otherwise I couldn't be posting this...), but IPS is down, as I said.
Logged
sstillwell
Jr. Member
*
Offline Offline

Posts: 5


« Reply #1 on: Saturday 26 December 2009, 04:05:30 am »

Update:  If I log into the console and manually start the snort daemon (/etc/init.d/snort start), then it shows up in the dashboard and the status page as running.  Evidently something in the web UI is convincing it not to start the daemon to begin with.

However...even when running it's not alerting on traffic that it should log.  *sigh*

In the meantime I've turned off automatic updating of rules.

Ideas?
Logged
sstillwell
Jr. Member
*
Offline Offline

Posts: 5


« Reply #2 on: Saturday 26 December 2009, 04:25:27 am »

Starting IPS/Snort in debug mode yields:

2009-12-25 11:18:59,790 - restartsnort.py[18247] - DEBUG - Initialize uplinks Pool with prefix '{'ETC_D': '/var/efw', 'VAR_D': '/var/efw', 'USR_D': '/var/efw', 'USER_D': '/var/efw', 'RUN_D': '/var/efw'}'.
2009-12-25 11:18:59,795 - restartsnort.py[18247] - DEBUG - Scanning for uplinks in '/var/efw/uplinks'...
2009-12-25 11:18:59,796 - restartsnort.py[18247] - DEBUG - Inizialize uplink 'main' with prefix '{'ETC_D': '/var/efw', 'VAR_D': '/var/efw', 'USR_D': '/var/efw', 'USER_D': '/var/efw', 'RUN_D': '/var/efw'}'.
2009-12-25 11:18:59,797 - restartsnort.py[18247] - DEBUG - Update information of uplink 'main'
2009-12-25 11:18:59,801 - restartsnort.py[18247] - DEBUG - Checking for vanished uplinks in '/var/efw/uplinks'...
2009-12-25 11:18:59,801 - restartsnort.py[18247] - DEBUG - {'UPDATE_SCHEDULE': 'daily', 'ORANGE_ADDRESS': '192.168.xx.yy, 'DNS_SERVERS': '208.67.222.222,208.67.220.220', 'SNORT_RULES_URL': 'http://www.emergingthreats.net/rules/emerging.rules.tar.gz', 'BLUE_ADDRESS': '', 'HOME_NET': '192.168.xx.yy/24,192.168.xx.yy/24', 'ENABLED': '1', 'GREEN_IPS': '192.168.xx.yy/24', 'GREEN_DEV': 'br0', 'GREEN_ADDRESS': '192.168.xx.yy', 'CONFIG_TYPE': '3', 'GREEN_NETMASK': '255.255.255.0', 'ORANGE_NETMASK': '255.255.255.0', 'BLUE_BROADCAST': '', 'RULE_FILES': ['/etc/snort/processed.rules'], 'ORANGE_BROADCAST': '192.168.xx.yy', 'RULESTYPE': 'community', 'GREEN_NETADDRESS': '192.168.xx.yy', 'ORANGE_NETADDRESS': '192.168.xx.yy', 'ORANGE_DEV': 'br1', 'BLUE_NETADDRESS': '', 'POSTGRESQL': 'off', 'GREEN_CIDR': '24', 'BLUE_CIDR': '', 'SNORT_DEFAULT_POLICY': 'alert', 'BLUE_NETMASK': '', 'ORANGE_CIDR': '24', 'BLUE_DEV': 'br2', 'ENABLED_RULES': '', 'GREEN_BROADCAST': '192.168.xx.yy', 'BLUE_IPS': '', 'ORANGE_IPS': '192.168.xx.yy/24'}
2009-12-25 11:18:59,805 - restartsnort.py[18247] - DEBUG - Write config file /etc/sysconfig/snort
2009-12-25 11:18:59,805 - restartsnort.py[18247] - DEBUG - Save old settings file /etc/sysconfig/snort
2009-12-25 11:18:59,824 - restartsnort.py[18247] - DEBUG - Write config file /etc/snort/snort.conf
2009-12-25 11:18:59,827 - restartsnort.py[18247] - DEBUG - Save old settings file /etc/snort/snort.conf
2009-12-25 11:18:59,863 - restartsnort.py[18247] - DEBUG - Write config file /etc/snort/vars
2009-12-25 11:18:59,864 - restartsnort.py[18247] - DEBUG - Save old settings file /etc/snort/vars
2009-12-25 11:18:59,868 - restartsnort.py[18247] - DEBUG - POLICIES: {'/etc/snort/rules/auto/emerging-dshield.rules': 'drop', '/etc/snort/rules/auto/emerging-user_agents.rules': 'drop', '/etc/snort/rules/auto/emerging-malware.rules': 'drop', '/etc/snort/rules/auto/emerging-p2p.rules': 'alert', '/etc/snort/rules/auto/emerging-virus.rules': 'drop', '/etc/snort/rules/auto/emerging-web_sql_injection.rules': 'drop', '/etc/snort/rules/auto/emerging-attack_response.rules': 'drop', '/etc/snort/rules/auto/emerging-inappropriate.rules': 'drop', '/etc/snort/rules/auto/emerging-tor.rules': 'drop', '/etc/snort/rules/auto/emerging-web_specific_apps.rules': 'drop', '/etc/snort/rules/auto/emerging-web_server.rules': 'drop', '/etc/snort/rules/auto/emerging-web.rules': 'drop', '/etc/snort/rules/auto/emerging.rules': 'drop', '/etc/snort/rules/auto/emerging-scan.rules': 'drop', '/etc/snort/rules/auto/emerging-exploit.rules': 'drop', '/etc/snort/rules/auto/emerging-botcc.rules': 'drop', '/etc/snort/rules/auto/emerging-web_client.rules': 'drop', '/etc/snort/rules/auto/emerging-drop.rules': 'drop', '/etc/snort/rules/auto/emerging-voip.rules': 'drop', '/etc/snort/rules/auto/emerging-current_events.rules': 'drop', '/etc/snort/rules/auto/emerging-policy.rules': 'alert', '/etc/snort/rules/auto/emerging-dos.rules': 'drop', '/etc/snort/rules/auto/emerging-game.rules': 'drop', '/etc/snort/rules/auto/emerging-rbn.rules': 'drop', '/etc/snort/rules/auto/emerging-compromised.rules': 'drop'}
2009-12-25 11:18:59,872 - restartsnort.py[18247] - DEBUG - EXCEPTIONS: {'2005868': 'drop', '2005662': 'drop', '2005660': 'drop', '2005661': 'drop', '2005865': 'drop', '2005658': 'drop', '2001929': 'drop', '2001928': 'drop', '2005869': 'drop', '2005866': 'drop', '2006969': 'drop', '2010473': 'drop', '2002731': 'drop', '2004405': 'drop', '2004016': 'drop', '2004407': 'drop', '2002070': 'drop', '2005967': 'drop', '2004406': 'drop', '2009010': 'drop', '2008725': 'drop', '2005969': 'drop', '2005968': 'drop', '2004658': 'drop', '2004659': 'drop', '2005870': 'drop', '2004654': 'drop', '2004655': 'drop', '2004656': 'drop', '2004657': 'drop', '2006973': 'drop', '2006972': 'drop', '2006971': 'drop', '2006970': 'drop', '2003508': 'drop', '2005659': 'drop', '2006974': 'drop', '2005657': 'drop', '2005867': 'drop', '2003885': 'drop', '2004015': 'drop', '2004408': 'drop', '2005972': 'drop', '2004404': 'drop', '2005970': 'drop', '2005971': 'drop', '2004403': 'drop', '2003686': 'drop', '2004014': 'drop', '2003685': 'drop', '2004012': 'drop', '2004013': 'drop', '2004011': 'drop'}
2009-12-25 11:18:59,875 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Save old settings file /etc/snort/processed.rules
2009-12-25 11:18:59,876 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Default Policy: alert
2009-12-25 11:18:59,877 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Stop snort
snort (pid 11428) is running...
Stopping snort:                                            [  OK  ]
snort is stopped
2009-12-25 11:19:00,189 - restartsnort.py/enabled_rule_targets[18247] - DEBUG - Start snort
2009-12-25 11:19:00,197 - restartsnort.py/enabled_rule_targets[18247] - INFO - Starting SNORT...
Starting snort:                                            [  OK  ]
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 18 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com