Title: [EFW 2.3 Community] IDS Bug
Post by: mrkroket on Tuesday 20 July 2010, 01:28:55 am

I think this is old, but just in case: I don't know if it still happens on EFW 2.4.

Problem: When enabled, the IDS only detects a few alerts, of this kind:

    snort[11978]: [125:7:1] (ftp_telnet) FTP traffic encrypted[Priority: 3]: {TCP} X.X.X.X:21 -> 192.168.X.X:50390

The red number (the middle one, 7 here) is always a low Sid. These are built-in rules; the rules shown on the Web GUI all have a Sid over 2000000. If you don't have any rule with Sid > 2M, it can be this bug.

What causes it: In some situations the IDS (Intrusion Detection System) stops applying almost any rule. It only uses some low-level rules (FTP related). You'll notice it because on the IDS reports you only have some FTP alerts, and nothing more.

This is caused by a wrong setting. In /var/efw/snort/settings there is a parameter called ENABLED_RULES. It should point to the rule directories that will be applied, i.e. the dirs created in /etc/snort/rules. But for some reason it is empty. This makes the restart script bypass these directories and apply no rules.

How to fix it: Edit the /usr/local/bin/restartsnort.py file. At about line 128, in the function enabled_rule_targets(), there is a section that says:

Quote
    enabled_targets = config_values.get('ENABLED_RULES', "")
    if enabled_targets == "":
        return []

There are some cases where the value of ENABLED_RULES is empty, I don't know why. So I changed that part and put this instead (I changed the "return []" line for the "enabled_targets = "auto,custom"" line):

Quote
    enabled_targets = config_values.get('ENABLED_RULES', "")
    if enabled_targets == "":
        enabled_targets = "auto,custom"

Warning: editing the script files is potentially dangerous, do it only if you are sure. Check the indentation; some scripts are sensitive to trailing spaces.

This forces the directories auto and custom when the ENABLED_RULES parameter is empty.
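The two checks the post describes, as an added example that is not part of the original post and is not EFW's own restartsnort.py: a reconstruction of the patched enabled_rule_targets() logic with the "auto,custom" fallback, a parser for the KEY=value settings file (the file format and the helper names are assumptions; only the paths and values quoted in the post are taken from it), and a quick triage of alert lines that flags the symptom the post names, i.e. every alert carrying a low Sid and none over 2000000. The settings text and alert lines below are constructed samples.

```python
import re

# Values quoted in the post.
DEFAULT_TARGETS = "auto,custom"
RULES_BASE = "/etc/snort/rules"
GUI_SID_FLOOR = 2000000   # "the rules shown on Web GUI all have Sid over 2000000"

# Matches the [gid:sid:rev] triple at the start of a Snort alert.
_GSR_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_settings(text):
    """Parse KEY=value lines (assumed format of /var/efw/snort/settings)."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"').strip("'")
    return values


def enabled_rule_targets(config_values, default=DEFAULT_TARGETS):
    """Return the enabled rule directory names.

    Mirrors the post's patched logic: an empty ENABLED_RULES no longer
    yields [] (which silently drops every rule set) but falls back to
    the default "auto,custom". Hypothetical reconstruction, not EFW code.
    """
    enabled_targets = config_values.get("ENABLED_RULES", "")
    if enabled_targets == "":
        enabled_targets = default
    return [t.strip() for t in enabled_targets.split(",") if t.strip()]


def rule_dirs(config_values, base=RULES_BASE):
    """Directories the restart script would have to load, as full paths."""
    return [f"{base}/{name}" for name in enabled_rule_targets(config_values)]


def parse_gid_sid_rev(alert_line):
    """Extract (gid, sid, rev) from a Snort alert line, or None."""
    m = _GSR_RE.search(alert_line)
    return tuple(int(x) for x in m.groups()) if m else None


def looks_like_rules_disabled(alert_lines, sid_floor=GUI_SID_FLOOR):
    """True when alerts exist but none come from a rule with Sid >= sid_floor.

    That is the symptom the post describes: only preprocessor/built-in
    alerts (low Sid) and nothing from the GUI-managed rule sets.
    """
    sids = [t[1] for t in map(parse_gid_sid_rev, alert_lines) if t]
    return bool(sids) and not any(sid >= sid_floor for sid in sids)


# Constructed samples (not taken from a real box).
SAMPLE_SETTINGS = "IDS_ENABLED=on\nENABLED_RULES=\n"
SAMPLE_ALERTS = [
    "snort[11978]: [125:7:1] (ftp_telnet) FTP traffic encrypted[Priority: 3]: "
    "{TCP} 10.0.0.5:21 -> 192.168.1.20:50390",
    "snort[11978]: [125:7:1] (ftp_telnet) FTP traffic encrypted[Priority: 3]: "
    "{TCP} 10.0.0.5:21 -> 192.168.1.21:50391",
]


if __name__ == "__main__":
    cfg = parse_settings(SAMPLE_SETTINGS)
    print("ENABLED_RULES empty:", cfg.get("ENABLED_RULES", "") == "")
    print("rule dirs after fallback:", rule_dirs(cfg))
    print("only low-Sid alerts seen:", looks_like_rules_disabled(SAMPLE_ALERTS))
```

Running it against the real settings file and a day's alert log gives a two-line answer to "is ENABLED_RULES empty, and are we seeing only preprocessor alerts"; both true together is the condition the post's patch works around.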