Topic: Intrusion Detection Showing stopped - but apparently running (Read 76880 times)
S3@N (Full Member, Posts: 11)
« on: Thursday 06 June 2013, 02:11:54 am »

We've got an odd problem with EFW Community 2.5.1.  We have enabled IDS but the status tab shows it as STOPPED.  The System tab will show it as ON for a while and then go to OFF.  Logging into the console and running PS shows that snort is running.  If I tail /var/messages I can see that something is trying to start SNORT periodically and snort is eventually outputting 'FATAL ERROR: Failed to Lock PID File "/var/run//snort_ifb0.pid" for PID "nnnn"'

So it looks to me like a basic logic bug in the interface and that Snort is actually running but as the logic is wrong and it's being detected as STOPPED it is being restarted because it is enabled.

One thing to note - we upgraded from 2.4.  When we hit problems we deleted and recreated all the standard rules so the install should now be clean.

Any suggestions?

Thanks!
Ricard (Full Member, Posts: 11)
« Reply #1 on: Friday 07 June 2013, 01:53:57 am »

Same problem here. There is an open bug:

bugs.endian.com/view.php?id=3248

Ricard (Full Member, Posts: 11)
« Reply #2 on: Tuesday 18 June 2013, 04:12:45 am »

Well, I'm not sure if that bug is really open... Although this is annoying, because it doesn't give any certainty about the snort state.

There is a way to test snort just by visiting testmyids.com
Then, after some delay, one can see in the Live Logs:

   GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 217.160.51.31:80

Hope this failure in the snort state can be solved. Now one should go to "intrusion prevention" and click "Save" to know the right state :(

S3@N (Full Member, Posts: 11)
« Reply #3 on: Thursday 04 July 2013, 07:59:39 pm »

OK - found the problem.

The system was created using a backup of a live system running 2.4 which was then upgraded to 2.5.1. There is a known issue with Endian in that when restored from a backup into a new system it will add new interfaces (bugs.endian.com/view.php?id=3311). So we had our internal interface on eth5 (and br0).

The Endian interface uses monit to generate the status information (see monit status).  Monit reads /var/run/snort.conf for snort monitoring and this is hardcoded to eth0.  In our case snort was running against br0 - not sure why it wasn't eth5...  Either way it wasn't right.

So rather than fix the snort.conf file - we have worked on the assumption that if there is one hardcoded eth0 in the system there may be more.  As we're on VMware it's simple to add a new network card (in our case this was eth8) then rename it by editing /etc/businfotab to make it eth0.  We then changed the green interface to use the new interface and finally deleted the old card (eth5).

This appears to have addressed the obvious issue with the status being misreported, snort is running against eth0 and we are now seeing a few reports coming through - so far so good!

So I guess the key things to take away from all of this are:
1) Watch your network device names when restoring from a backup
2) You need eth0 as your green interface
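The first post and Reply #3 together describe a monitoring mismatch: the status page polls Snort for one interface (eth0) while the daemon actually runs on another (br0), so the UI says STOPPED, a supervisor keeps trying to restart it, and the extra start attempts die on "Failed to Lock PID File". The script below is an added example, not EFW or monit code, that reproduces that cross-check offline. It assumes the monitor's view is a PID file named /var/run/snort_<iface>.pid (the layout implied by the error message in the thread) and takes `ps -eo pid,args` output as a string; the sample state at the bottom is constructed, not captured from a real box.

```python
"""Cross-check a process monitor's view of Snort against what is running.

Added example (not Endian/EFW or monit code). Inputs are passed in as
strings and dicts so the check runs offline; on a real box you would read
/var/run and the output of `ps -eo pid,args`.
"""
import re

# PID-file layout assumed from the thread's error message (/var/run//snort_<iface>.pid).
PIDFILE_RE = re.compile(r"^/var/run/+snort_(?P<iface>[A-Za-z0-9.:-]+)\.pid$")
# One `ps -eo pid,args` line whose command is a snort binary.
PS_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<cmd>\S*snort\b.*)$")
IFACE_OPT_RE = re.compile(r"(?:^|\s)-i\s*(\S+)")
LOCK_ERR_RE = re.compile(
    r'Failed to Lock PID File "(?P<path>[^"]+)" for PID "(?P<pid>[^"]+)"')


def iface_from_pidfile(path):
    """Return the interface encoded in a Snort PID-file name, or None."""
    m = PIDFILE_RE.match(path)
    return m.group("iface") if m else None


def parse_ps(ps_output):
    """Map interface -> PID for every snort process found in ps output."""
    procs = {}
    for line in ps_output.splitlines():
        m = PS_RE.match(line)
        if not m:
            continue
        opt = IFACE_OPT_RE.search(m.group("cmd"))
        iface = opt.group(1) if opt else "unknown"
        procs[iface] = int(m.group("pid"))
    return procs


def check_snort(monitored_pidfile, pidfiles, ps_output):
    """Classify what the monitor would report versus what is really running.

    monitored_pidfile: path the monitor polls (hard-coded to eth0 in the thread)
    pidfiles:          {path: file contents} for the snort_*.pid files present
    ps_output:         text of `ps -eo pid,args`
    """
    iface = iface_from_pidfile(monitored_pidfile)
    running = parse_ps(ps_output)
    contents = pidfiles.get(monitored_pidfile)
    if contents is not None:
        pid = int(contents.strip())
        if pid in running.values():
            return {"verdict": "ok", "iface": iface, "pid": pid}
        # PID file left behind by a dead process: the monitor may still say ON.
        return {"verdict": "stale-pidfile", "iface": iface, "pid": pid}
    if running:
        # Snort is alive but on an interface the monitor is not watching, so the
        # status reads STOPPED and a supervisor keeps trying to restart it.
        return {"verdict": "misreported", "monitored": iface, "running": running}
    return {"verdict": "stopped", "monitored": iface}


def parse_lock_error(log_line):
    """Pull interface and PID out of Snort's 'Failed to Lock PID File' message."""
    m = LOCK_ERR_RE.search(log_line)
    if not m:
        return None
    return {"iface": iface_from_pidfile(m.group("path")), "pid": m.group("pid")}


# Constructed sample state mirroring the thread (not captured from a real box).
SAMPLE_PS = (
    "  PID ARGS\n"
    "  871 /usr/sbin/snort -D -c /etc/snort/snort.conf -i br0\n"
    " 1022 /usr/sbin/monit -c /etc/monitrc\n"
)
SAMPLE_PIDFILES = {"/var/run/snort_br0.pid": "871\n"}
SAMPLE_LOCK_LINE = ('snort[902]: FATAL ERROR: Failed to Lock PID File '
                    '"/var/run//snort_br0.pid" for PID "902"')

if __name__ == "__main__":
    # Monitor watches eth0, snort runs on br0: the thread's "misreported" case.
    print(check_snort("/var/run/snort_eth0.pid", SAMPLE_PIDFILES, SAMPLE_PS))
    print(parse_lock_error(SAMPLE_LOCK_LINE))
```

The "misreported" verdict is the one this thread is about; the "stale-pidfile" branch is the opposite failure (a leftover PID file making a dead Snort look alive), which is worth checking at the same time because both are invisible from the status page alone.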
Ricard (Full Member, Posts: 11)
« Reply #4 on: Wednesday 04 September 2013, 01:25:32 pm »

Thank you
Tursi (Jr. Member, Posts: 2)
« Reply #5 on: Monday 27 March 2023, 01:18:22 am »

Hi!

Using Endian community 3.3.21 OS on some miniPC with two ethernets.

Trying to enable Intrusion detection system but although the switch is green, the status says it's OFF.

Is there any bug or additional configuration needed to get this working?

Or was the support for IDS cancelled on community edition?

Can someone please help?

Thanks,

David.
Tursi (Jr. Member, Posts: 2)
« Reply #6 on: Monday 27 March 2023, 02:11:26 am »

OK, so if anyone reads this in the future...

The problem was with the community.rules set.

While trying to test the config:

    snort -T console -q -c /etc/snort/snort.conf -i eth0
    ERROR: /var/signatures/snort/processed/custom/snort3-community.rules(16) Unknown rule option: 'service'.
    Fatal Error, Quitting..

Deleted the community rule set through the GUI and now everything works!
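Reply #6 shows the useful diagnostic move, `snort -T`, and the reason the IDS would not come up: a Snort 3 rule file (`service:` is a Snort 3 rule option) fed to a Snort 2 engine, which aborts on the first unknown option. The script below is an added example, not Endian or Snort code, that lints a rule file for such options before it is loaded, reporting them in the same `file(line) Unknown rule option` shape as the error quoted above. The option list is a partial set of Snort 2 rule options known to the author of this example and is an assumption to extend for your deployment; the sample rules are constructed, not taken from the real community rule set.

```python
"""Flag rule options a Snort 2 engine would reject (e.g. Snort 3's `service`).

Added example, not Endian/EFW or Snort code. SNORT2_OPTIONS is a partial,
hand-maintained list (an assumption); anything outside it is reported so
the operator can review the rule before `snort -T` aborts on it.
"""
import re

SNORT2_OPTIONS = frozenset("""
    msg sid rev gid classtype priority reference metadata
    content nocase depth offset distance within fast_pattern rawbytes isdataat
    pcre uricontent urilen http_uri http_raw_uri http_header http_raw_header
    http_cookie http_raw_cookie http_client_body http_method http_stat_code
    http_stat_msg http_encode file_data pkt_data base64_decode base64_data
    byte_test byte_jump byte_extract
    flow flowbits flags dsize ttl tos id ipopts fragbits ip_proto sameip
    seq ack window itype icode icmp_id icmp_seq rpc stream_size
    threshold detection_filter tag logto session resp react
""".split())

RULE_START_RE = re.compile(r"^\s*(alert|log|pass|drop|reject|sdrop)\s")


def split_options(body):
    """Return option names from 'msg:"a;b"; sid:1;', honouring quotes and \\; escapes."""
    names, token, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            token.append(ch)
            escaped = False
        elif ch == "\\":
            token.append(ch)
            escaped = True
        elif ch == '"':
            token.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt = "".join(token).strip()
            if opt:
                names.append(opt.split(":", 1)[0].strip())
            token = []
        else:
            token.append(ch)
    tail = "".join(token).strip()
    if tail:
        names.append(tail.split(":", 1)[0].strip())
    return names


def lint_rules(text, known=SNORT2_OPTIONS):
    """Return [(line_no, option)] for every option not in the known set."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not RULE_START_RE.match(line):
            continue  # comment, blank, or not a rule header
        start, end = line.find("("), line.rfind(")")
        if start < 0 or end < start:
            continue  # no option body to inspect
        for opt in split_options(line[start + 1:end]):
            if opt not in known:
                findings.append((line_no, opt))
    return findings


def format_like_snort(path, findings):
    """Render findings in the shape of the error quoted in the thread."""
    return [f"ERROR: {path}({ln}) Unknown rule option: '{opt}'." for ln, opt in findings]


# Constructed sample rule set (not the real community rules).
SAMPLE_RULES = r"""# Snort 2 style rule: loads fine
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST root id check"; flow:to_client,established; content:"uid=0|28|root|29|"; sid:1000001; rev:1;)
# Snort 3 style rule: 'service' is not a Snort 2 option
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"TEST semi\;colon in msg"; service:http; content:"x"; sid:1000002; rev:1;)
"""

if __name__ == "__main__":
    for msg in format_like_snort("/etc/snort/rules/sample.rules", lint_rules(SAMPLE_RULES)):
        print(msg)
```

Running it over a downloaded rule set before enabling it tells you in advance which file and line the engine will choke on, instead of finding out from a status light that stays OFF.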