Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 29 December 2024, 04:54:27 am

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
14262 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Endian 2.3 and Intrusion Detection/Prevention
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Endian 2.3 and Intrusion Detection/Prevention  (Read 30160 times)
danodemano
Full Member
***
Offline Offline

Gender: Male
Posts: 47


WWW
« on: Monday 05 October 2009, 06:02:30 am »

I have been having this problem and can't seem to figure out what's going on.  I cannot get the Intrusion prevention to start, it just wont.  I keep messing with it and as soon as I fetch the rules, it dies.  A look in the "messages" log usually shows something like this:

Code:
Oct  4 14:57:40 gateway snort[28084]: FATAL ERROR: Warning: /etc/snort/processed.rules(7064) => Unknown keyword ' http_h*ader' in rule!

But if I go in to the rule and try to fix that line, as soon as I restart the Intrusion prevention is just overwrites my file regardless if I have auto update turned on or not.  I presume this is the reason I cannot start the Intrusion Prevention but I cannot figure out how to fix it.  If I disable the "fetch update rules automatically" it will start up however the processed.rules file is empty save a header that says

Code:
# created by restartsnort -> process_rules

so I suspect that it doesn't have any rules?  Anyone have any thoughts on this?
Thanks,
Dan
Logged
StephanSch
Full Member
***
Offline Offline

Gender: Male
Posts: 57


« Reply #1 on: Monday 05 October 2009, 06:45:42 am »

On a short watch at the 2.3 some days ago I think I have seen that you can enable/disable rules on the webinterface now.
Logged
danodemano
Full Member
***
Offline Offline

Gender: Male
Posts: 47


WWW
« Reply #2 on: Monday 05 October 2009, 07:19:34 am »

Wow....I feel stupid now.  I remember reading that myself now that you mention it.  As it turns out, the offending rule was:
Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC WordPress plug-in ial path disclosure"; flow:established,to_server; uricontent:"/wp-content/plugins/"; nocase; content:!"|0d 0a|Referer|3a 20|"; nocase; http_er; cltype:attempted-recon; reference:url,seclists.org/fulldisclosure/2009/Sep/0387.html; reference:url,doc.emergingthreats.net/2009996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2009996; rev:3;)
In the emerging-web_specific_apps.rules file.
Thanks!!
Logged
Halfwalker
Jr. Member
*
Offline Offline

Posts: 2


« Reply #3 on: Wednesday 07 October 2009, 07:10:02 am »

Hrm - my 2.3rc1 is a little different.  Intrusion Detection appears to start OK, and updates the rules OK.  At least, it says it did.  The Dashboard however, that shows that Intrusion Detection is OFF.  I disabled the rule mentioned above, but no go.

So, which is it ?  On or off ?  There don't appear to be any logs for it.

D.

<Edit>  I take it back.  Now the Dashboard is showing it as on, so it appears to be working fine.  I guess there a small delay before status was updated.

danodemano - how did you work out the offending rule that was causing the trouble ?
Logged
danodemano
Full Member
***
Offline Offline

Gender: Male
Posts: 47


WWW
« Reply #4 on: Wednesday 07 October 2009, 09:11:27 am »

LOL, it was not easy at all.  I looked in the messages log and found what was causing the problem in the processed.rules file but since this is generated off the rules in another folder, I still didn't know where it was.  What I ended up doing was SCPing ALL the rules files down, opening them all in notepad++, and searching for the http_header mentioned in the error.  It turned up in only one file.  Once I found which file it was in, I got the SID and went into the Endian admin and searched for it in the rules file that I had found it in.  It too turned up only a single hit so I disabled it and all was well!
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #5 on: Friday 16 October 2009, 01:31:51 am »

Related to this:
http://bugs.endian.it/view.php?id=2227

It seems that if we update Snort it will renew the offending rule.
Logged
danodemano
Full Member
***
Offline Offline

Gender: Male
Posts: 47


WWW
« Reply #6 on: Friday 16 October 2009, 06:56:44 pm »

Yes, it appears to be a bad rule coming down the pipe.  This is why I have not updated my rules.   Grin
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.109 seconds with 20 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com