Title: Intrusion Prevention System can't fetch updates
Post by: mbower on Thursday 04 November 2010, 10:21:15 am

I have run the fix for bug #0003177. (can't post links?!?)
Still running into the problem. Thanks!

Title: Re: Intrusion Prevention System can't fetch updates
Post by: bradb21 on Thursday 04 November 2010, 10:59:40 am

I noticed the same issue tonight.
Title: Re: Intrusion Prevention System can't fetch updates
Post by: john_cic on Saturday 06 November 2010, 12:18:42 pm

I am having the same issue on 2.3 installations of Endian Firewall.
I tried updating the new URL as per bug#0003177 to no avail. I found this in the messages logs after restarting the Intrusion Prevention service and attempting to manually update rules:

Quote
Nov 6 12:14:17 PROXY1 sudo: nobody : 3 incorrect password attempts ; TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=en-client --check
Nov 6 12:14:17 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/bin/monit status
Nov 6 12:15:27 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/local/bin/restartsnort.py
Nov 6 12:15:27 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/local/bin/restartsnort.py
Nov 6 12:15:45 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/local/bin/restartsnortrules.py no-restart
Nov 6 12:15:45 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/local/bin/restartsnort.py
Nov 6 12:15:49 PROXY1 snort[9933]: Reading from iptables
Nov 6 12:15:49 PROXY1 snort[9933]: Running in IDS mode
Nov 6 12:15:49 PROXY1 snort[9933]:
Nov 6 12:15:49 PROXY1 snort[9933]: --== Initializing Snort ==--
Nov 6 12:15:49 PROXY1 snort[9933]: Initializing Output Plugins!
Nov 6 12:15:49 PROXY1 snort[9933]: Initializing Preprocessors!
Nov 6 12:15:49 PROXY1 snort[9933]: Initializing Plug-ins!
Nov 6 12:15:49 PROXY1 snort[9933]: Parsing Rules file "/etc/snort/snort.conf"
Nov 6 12:15:49 PROXY1 snort[9933]: Var 'DNS_SERVERS' redefined
Nov 6 12:15:49 PROXY1 snort[9933]: PortVar 'HTTP_PORTS' defined :
Nov 6 12:15:49 PROXY1 snort[9933]: [ 80 3128 8080 ]
Nov 6 12:15:49 PROXY1 snort[9933]:
Nov 6 12:15:49 PROXY1 snort[9933]: PortVar 'SHELLCODE_PORTS' defined :
Nov 6 12:15:49 PROXY1 snort[9933]: [ 0:79 81:65535 ]
Nov 6 12:15:49 PROXY1 snort[9933]:
Nov 6 12:15:49 PROXY1 snort[9933]: PortVar 'ORACLE_PORTS' defined :
Nov 6 12:15:49 PROXY1 snort[9933]: [ 1521 ]
Nov 6 12:15:49 PROXY1 snort[9933]:
Nov 6 12:15:49 PROXY1 snort[9933]: PortVar 'SSH_PORTS' defined :
Nov 6 12:15:49 PROXY1 snort[9933]: [ 22 222 ]
Nov 6 12:15:49 PROXY1 snort[9933]:
Nov 6 12:15:49 PROXY1 snort[9933]: /etc/snort/snort.conf(23) PortVar 'SSH_PORTS', already defined.
Nov 6 12:15:49 PROXY1 snort[9933]: PortVar 'SSH_PORTS' defined :
Nov 6 12:15:49 PROXY1 snort[9933]: [ 22 222 ]
Nov 6 12:15:49 PROXY1 snort[9933]:
Nov 6 12:15:49 PROXY1 snort[9933]: Detection:
Nov 6 12:15:49 PROXY1 snort[9933]: Search-Method = Low-Mem-Q
Nov 6 12:15:49 PROXY1 snort[9933]: Tagged Packet Limit: 256
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic engine /usr/lib/libsf_engine.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/...
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dce2_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dcerpc_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ftptelnet_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_dns_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_smtp_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssh_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Loading dynamic preprocessor library /usr/lib/snort_dynamicpreprocessor//libsf_ssl_preproc.so...
Nov 6 12:15:49 PROXY1 snort[9933]: done
Nov 6 12:15:49 PROXY1 snort[9933]: Finished Loading all dynamic preprocessor libs from /usr/lib/snort_dynamicpreprocessor/
Nov 6 12:15:49 PROXY1 snort[9933]: Log directory = /var/log/snort
Nov 6 12:15:49 PROXY1 snort[9933]: Frag3 global config:
Nov 6 12:15:49 PROXY1 snort[9933]: Max frags: 65536
Nov 6 12:15:49 PROXY1 snort[9933]: Fragment memory cap: 4194304 bytes
Nov 6 12:15:49 PROXY1 snort[9933]: Frag3 engine config:
Nov 6 12:15:49 PROXY1 snort[9933]: Target-based policy: FIRST
Nov 6 12:15:49 PROXY1 snort[9933]: Fragment timeout: 60 seconds
Nov 6 12:15:49 PROXY1 snort[9933]: Fragment min_ttl: 1
Nov 6 12:15:49 PROXY1 snort[9933]: Fragment Problems: 1
Nov 6 12:15:49 PROXY1 snort[9933]: Overlap Limit: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Min fragment Length: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Stream5 global config:
Nov 6 12:15:49 PROXY1 snort[9933]: Track TCP sessions: ACTIVE
Nov 6 12:15:49 PROXY1 snort[9933]: Max TCP sessions: 8192
Nov 6 12:15:49 PROXY1 snort[9933]: Memcap (for reassembly packet storage): 8388608
Nov 6 12:15:49 PROXY1 snort[9933]: Track UDP sessions: INACTIVE
Nov 6 12:15:49 PROXY1 snort[9933]: Track ICMP sessions: INACTIVE
Nov 6 12:15:49 PROXY1 snort[9933]: Log info if session memory consumption exceeds 1048576
Nov 6 12:15:49 PROXY1 snort[9933]: Stream5 TCP Policy config:
Nov 6 12:15:49 PROXY1 snort[9933]: Reassembly Policy: FIRST
Nov 6 12:15:49 PROXY1 snort[9933]: Timeout: 30 seconds
Nov 6 12:15:49 PROXY1 snort[9933]: Min ttl: 1
Nov 6 12:15:49 PROXY1 snort[9933]: Maximum number of bytes to queue per session: 1048576
Nov 6 12:15:49 PROXY1 snort[9933]: Maximum number of segs to queue per session: 2621
Nov 6 12:15:49 PROXY1 snort[9933]: Options:
Nov 6 12:15:49 PROXY1 snort[9933]: Static Flushpoint Sizes: YES
Nov 6 12:15:49 PROXY1 snort[9933]: Reassembly Ports:
Nov 6 12:15:49 PROXY1 snort[9933]: 21 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 23 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 25 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 42 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 53 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 80 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 110 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 111 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 135 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 136 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 137 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 139 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 143 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 445 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 513 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 514 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 1433 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 1521 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 2401 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: 3306 client (Footprint)
Nov 6 12:15:49 PROXY1 snort[9933]: HttpInspect Config:
Nov 6 12:15:49 PROXY1 snort[9933]: GLOBAL CONFIG
Nov 6 12:15:49 PROXY1 snort[9933]: Max Pipeline Requests: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Inspection Type: STATELESS
Nov 6 12:15:49 PROXY1 snort[9933]: Detect Proxy Usage: NO
Nov 6 12:15:49 PROXY1 snort[9933]: IIS Unicode Map Filename: /etc/snort/unicode.map
Nov 6 12:15:49 PROXY1 snort[9933]: IIS Unicode Map Codepage: 1252
Nov 6 12:15:49 PROXY1 snort[9933]: DEFAULT SERVER CONFIG:
Nov 6 12:15:49 PROXY1 snort[9933]: Server profile: All
Nov 6 12:15:49 PROXY1 snort[9933]: Ports: 80 3128 8080
Nov 6 12:15:49 PROXY1 snort[9933]: Server Flow Depth: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Client Flow Depth: 300
Nov 6 12:15:49 PROXY1 snort[9933]: Max Chunk Length: 500000
Nov 6 12:15:49 PROXY1 snort[9933]: Max Header Field Length: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Max Number Header Fields: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Inspect Pipeline Requests: YES
Nov 6 12:15:49 PROXY1 snort[9933]: URI Discovery Strict Mode: NO
Nov 6 12:15:49 PROXY1 snort[9933]: Allow Proxy Usage: NO
Nov 6 12:15:49 PROXY1 snort[9933]: Disable Alerting: YES
Nov 6 12:15:49 PROXY1 snort[9933]: Oversize Dir Length: 0
Nov 6 12:15:49 PROXY1 snort[9933]: Only inspect URI: NO
Nov 6 12:15:49 PROXY1 snort[9933]: Normalize HTTP Headers: NO
Nov 6 12:15:49 PROXY1 snort[9933]: Normalize HTTP Cookies: NO
Nov 6 12:15:49 PROXY1 snort[9933]: Ascii: YES alert: NO
Nov 6 12:15:49 PROXY1 snort[9933]: Double Decoding: YES alert: YES
Nov 6 12:15:49 PROXY1 snort[9933]: %U Encoding: YES alert: YES
Nov 6 12:15:49 PROXY1 snort[9933]: Bare Byte: YES alert: YES
Nov 6 12:15:49 PROXY1 snort[9933]: Base36: OFF
Nov 6 12:15:49 PROXY1 snort[9933]: UTF 8: YES alert: NO
Nov 6 12:15:49 PROXY1 snort[9933]: IIS Unicode: YES alert: YES
Nov 6 12:15:49 PROXY1 snort[9933]: Multiple Slash: YES alert: NO
Nov 6 12:15:50 PROXY1 snort[9933]: IIS Backslash: YES alert: NO
Nov 6 12:15:50 PROXY1 snort[9933]: Directory Traversal: YES alert: NO
Nov 6 12:15:50 PROXY1 snort[9933]: Web Root Traversal: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: Apache WhiteSpace: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: IIS Delimiter: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
Nov 6 12:15:50 PROXY1 snort[9933]: Non-RFC Compliant Characters: 0x00
Nov 6 12:15:50 PROXY1 snort[9933]: Whitespace Characters: 0x09 0x0b 0x0c 0x0d
Nov 6 12:15:50 PROXY1 snort[9933]: rpc_decode arguments:
Nov 6 12:15:50 PROXY1 snort[9933]: Ports to decode RPC on: 111 32771
Nov 6 12:15:50 PROXY1 snort[9933]: alert_fragments: INACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: alert_large_fragments: ACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: alert_incomplete: ACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: alert_multiple_requests: ACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: Portscan Detection Config:
Nov 6 12:15:50 PROXY1 snort[9933]: Detect Protocols: TCP UDP ICMP IP
Nov 6 12:15:50 PROXY1 snort[9933]: Detect Scan Type: portscan portsweep decoy_portscan distributed_portscan
Nov 6 12:15:50 PROXY1 snort[9933]: Sensitivity Level: Low
Nov 6 12:15:50 PROXY1 snort[9933]: Memcap (in bytes): 10000000
Nov 6 12:15:50 PROXY1 snort[9933]: Number of Nodes: 36900
Nov 6 12:15:50 PROXY1 snort[9933]: FTPTelnet Config:
Nov 6 12:15:50 PROXY1 snort[9933]: GLOBAL CONFIG
Nov 6 12:15:50 PROXY1 snort[9933]: Inspection Type: stateful
Nov 6 12:15:50 PROXY1 snort[9933]: Check for Encrypted Traffic: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: Continue to check encrypted data: NO
Nov 6 12:15:50 PROXY1 snort[9933]: TELNET CONFIG:
Nov 6 12:15:50 PROXY1 snort[9933]: Ports: 23
Nov 6 12:15:50 PROXY1 snort[9933]: Are You There Threshold: 200
Nov 6 12:15:50 PROXY1 snort[9933]: Normalize: YES
Nov 6 12:15:50 PROXY1 snort[9933]: Detect Anomalies: NO
Nov 6 12:15:50 PROXY1 snort[9933]: FTP CONFIG:
Nov 6 12:15:50 PROXY1 snort[9933]: FTP Server: default
Nov 6 12:15:50 PROXY1 snort[9933]: Ports: 21
Nov 6 12:15:50 PROXY1 snort[9933]: Check for Telnet Cmds: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: Ignore Telnet Cmd Operations: OFF
Nov 6 12:15:50 PROXY1 snort[9933]: Identify open data channels: YES
Nov 6 12:15:50 PROXY1 snort[9933]: FTP Client: default
Nov 6 12:15:50 PROXY1 snort[9933]: Check for Bounce Attacks: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: Check for Telnet Cmds: YES alert: YES
Nov 6 12:15:50 PROXY1 snort[9933]: Ignore Telnet Cmd Operations: OFF
Nov 6 12:15:50 PROXY1 snort[9933]: Max Response Length: 256
Nov 6 12:15:50 PROXY1 snort[9933]: SMTP Config:
Nov 6 12:15:50 PROXY1 snort[9933]: Ports: 25 587 691
Nov 6 12:15:50 PROXY1 snort[9933]: Inspection Type: Stateful
Nov 6 12:15:50 PROXY1 snort[9933]: Normalize: EXPN RCPT VRFY
Nov 6 12:15:50 PROXY1 snort[9933]: Ignore Data: No
Nov 6 12:15:50 PROXY1 snort[9933]: Ignore TLS Data: No
Nov 6 12:15:50 PROXY1 snort[9933]: Ignore SMTP Alerts: No
Nov 6 12:15:50 PROXY1 snort[9933]: Max Command Line Length: Unlimited
Nov 6 12:15:50 PROXY1 snort[9933]: Max Specific Command Line Length:
Nov 6 12:15:50 PROXY1 snort[9933]: ETRN:500 EXPN:255 HELO:500 HELP:500 MAIL:260
Nov 6 12:15:50 PROXY1 snort[9933]: RCPT:300 VRFY:255
Nov 6 12:15:50 PROXY1 snort[9933]: Max Header Line Length: Unlimited
Nov 6 12:15:50 PROXY1 snort[9933]: Max Response Line Length: Unlimited
Nov 6 12:15:50 PROXY1 snort[9933]: X-Link2State Alert: Yes
Nov 6 12:15:50 PROXY1 snort[9933]: Drop on X-Link2State Alert: No
Nov 6 12:15:50 PROXY1 snort[9933]: Alert on commands: None
Nov 6 12:15:50 PROXY1 snort[9933]: DCE/RPC Decoder config:
Nov 6 12:15:50 PROXY1 snort[9933]: Autodetect ports ENABLED
Nov 6 12:15:50 PROXY1 snort[9933]: SMB fragmentation ENABLED
Nov 6 12:15:50 PROXY1 snort[9933]: DCE/RPC fragmentation ENABLED
Nov 6 12:15:50 PROXY1 snort[9933]: Max Frag Size: 3000 bytes
Nov 6 12:15:50 PROXY1 snort[9933]: Memcap: 100000 KB
Nov 6 12:15:50 PROXY1 snort[9933]: Alert if memcap exceeded DISABLED
Nov 6 12:15:50 PROXY1 snort[9933]: Reassembly increment: DISABLED
Nov 6 12:15:50 PROXY1 snort[9933]: DNS config:
Nov 6 12:15:50 PROXY1 snort[9933]: DNS Client rdata txt Overflow Alert: ACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: Obsolete DNS RR Types Alert: INACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: Experimental DNS RR Types Alert: INACTIVE
Nov 6 12:15:50 PROXY1 snort[9933]: Ports:
Nov 6 12:15:50 PROXY1 snort[9933]: 53
Nov 6 12:15:50 PROXY1 snort[9933]:
Nov 6 12:15:50 PROXY1 snort[9933]:
Nov 6 12:15:50 PROXY1 snort[9933]: +++++++++++++++++++++++++++++++++++++++++++++++++++
Nov 6 12:15:50 PROXY1 snort[9933]: Initializing rule chains...
Nov 6 12:15:50 PROXY1 snort[9933]: Warning: /etc/snort/processed.rules(52) => threshold (in rule) is deprecated; use detection_filter instead.
Nov 6 12:15:51 PROXY1 snort[9933]: FATAL ERROR: /etc/snort/processed.rules(2003) => Content data needs to be enclosed in quotation marks (")!
Nov 6 12:16:02 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/local/bin/restartsnortrules.py no-restart
Nov 6 12:16:02 PROXY1 sudo: nobody : TTY=unknown ; PWD=/home/httpd/cgi-bin ; USER=root ; COMMAND=/usr/local/bin/fetchsnortrules.py --force

Title: Re: Intrusion Prevention System can't fetch updates
Post by: john_cic on Saturday 06 November 2010, 06:17:18 pm

I followed instructions from http://bugs.endian.com/view.php?id=3248 and was able to download and install the latest updates.
Snort still isn't starting properly though.

Quote
FATAL ERROR: /etc/snort/processed.rules(2013) => Content data needs to be enclosed in quotation marks (")!

I have found this http://www.cipherdyne.org//2009/05/handling-escaped-semicolons-in-snort-rules-with-fwsnort.html but haven't tried it yet. Can anyone confirm that this is the same issue they are having?