Title: Endian 2.3 and Intrusion Detection/Prevention
Post by: danodemano on Monday 05 October 2009, 06:02:30 am

I have been having this problem and can't seem to figure out what's going on. I cannot get the Intrusion Prevention to start; it just won't. I keep messing with it, and as soon as I fetch the rules, it dies. A look in the "messages" log usually shows something like this:

Code:
    Oct 4 14:57:40 gateway snort[28084]: FATAL ERROR: Warning: /etc/snort/processed.rules(7064) => Unknown keyword ' http_h*ader' in rule!

But if I go into the rule and try to fix that line, as soon as I restart the Intrusion Prevention it just overwrites my file, regardless of whether I have auto update turned on or not. I presume this is the reason I cannot start the Intrusion Prevention, but I cannot figure out how to fix it. If I disable "fetch update rules automatically" it will start up; however, the processed.rules file is empty save a header that says

Code:
    # created by restartsnort -> process_rules

so I suspect that it doesn't have any rules? Anyone have any thoughts on this?

Thanks,
Dan

Title: Re: Endian 2.3 and Intrusion Detection/Prevention
Post by: StephanSch on Monday 05 October 2009, 06:45:42 am

On a short look at 2.3 some days ago I think I have seen that you can enable/disable rules on the web interface now.
Title: Re: Endian 2.3 and Intrusion Detection/Prevention
Post by: danodemano on Monday 05 October 2009, 07:19:34 am

Wow... I feel stupid now. I remember reading that myself now that you mention it. As it turns out, the offending rule was:

Code:
    alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC WordPress plug-in ial path disclosure"; flow:established,to_server; uricontent:"/wp-content/plugins/"; nocase; content:!"|0d 0a|Referer|3a 20|"; nocase; http_er; cltype:attempted-recon; reference:url,seclists.org/fulldisclosure/2009/Sep/0387.html; reference:url,doc.emergingthreats.net/2009996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SQL_INJECTION/WEB_Wordpress; sid:2009996; rev:3;)

Thanks!!

Title: Re: Endian 2.3 and Intrusion Detection/Prevention
Post by: Halfwalker on Wednesday 07 October 2009, 07:10:02 am

Hrm - my 2.3rc1 is a little different. Intrusion Detection appears to start OK, and updates the rules OK. At least, it says it did. The Dashboard, however, shows that Intrusion Detection is OFF. I disabled the rule mentioned above, but no go.
So, which is it? On or off? There don't appear to be any logs for it.

D.

<Edit> I take it back. Now the Dashboard is showing it as on, so it appears to be working fine. I guess there was a small delay before the status was updated.

danodemano - how did you work out the offending rule that was causing the trouble?

Title: Re: Endian 2.3 and Intrusion Detection/Prevention
Post by: danodemano on Wednesday 07 October 2009, 09:11:27 am

LOL, it was not easy at all. I looked in the messages log and found what was causing the problem in the processed.rules file, but since this is generated from the rules in another folder, I still didn't know where it was. What I ended up doing was SCPing ALL the rules files down, opening them all in Notepad++, and searching for the http_header mentioned in the error. It turned up in only one file. Once I found which file it was in, I got the SID, went into the Endian admin and searched for it in the rules file that I had found it in. It too turned up only a single hit, so I disabled it and all was well!
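The manual search danodemano describes (copy the rule files down, find the one holding the unknown keyword, read off its SID so it can be disabled in the Endian UI) can be scripted, and it generalises: instead of grepping for one fragment, parse each rule's option section and flag any option keyword Snort will not recognise. The script below is an added example, not code from the thread or from Endian. It assumes a directory of plain-text .rules files and uses KNOWN_KEYWORDS, a representative subset of Snort 2 option names (an assumption to extend for your own Snort version, not the engine's own list); the sample rule files it scans are constructed for the demo and are not real ET signatures.

```python
"""Find Snort 2.x rules whose option section uses a keyword the engine will reject.

Added example for this thread, not code from the forum posters or from Endian.
Assumes: a directory of plain-text *.rules files (the same files danodemano
copied down with scp) and KNOWN_KEYWORDS, a representative subset of Snort 2
option names that you should extend for your own Snort version.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional

# Assumption: representative subset of Snort 2 rule option keywords, not the full list.
KNOWN_KEYWORDS = {
    "msg", "flow", "flowbits", "content", "uricontent", "nocase", "depth", "offset",
    "distance", "within", "pcre", "http_header", "http_uri", "http_client_body",
    "http_cookie", "http_method", "http_raw_uri", "http_raw_header", "http_stat_code",
    "http_stat_msg", "fast_pattern", "rawbytes", "isdataat", "byte_test", "byte_jump",
    "dsize", "flags", "seq", "ack", "window", "ttl", "id", "ipopts", "fragbits",
    "ip_proto", "sameip", "itype", "icode", "icmp_id", "icmp_seq", "classtype",
    "reference", "sid", "rev", "gid", "priority", "metadata", "threshold",
    "detection_filter", "tag", "urilen", "file_data", "pkt_data",
}

class RuleProblem(NamedTuple):
    file: str
    line: int
    sid: str
    msg: str
    bad_keywords: List[str]

def split_options(body: str) -> List[str]:
    """Split the text between the rule's parentheses on ';' outside double quotes,
    honouring backslash escapes, since content matches may contain ';' themselves."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_rule(line: str) -> Dict[str, List[str]]:
    """Map each option keyword of a single-line rule to its values
    (modifiers such as 'nocase' map to an empty string)."""
    start, end = line.find("("), line.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option section")
    opts: Dict[str, List[str]] = {}
    for opt in split_options(line[start + 1:end]):
        name, _, value = opt.partition(":")
        opts.setdefault(name.strip(), []).append(value.strip())
    return opts

def check_rule_file(path: Path) -> List[RuleProblem]:
    """Report every rule in one file that uses an option keyword outside KNOWN_KEYWORDS."""
    problems = []
    for lineno, raw in enumerate(path.read_text().splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            opts = parse_rule(line)
        except ValueError:
            continue
        bad = [k for k in opts if k not in KNOWN_KEYWORDS]
        if bad:
            problems.append(RuleProblem(path.name, lineno, opts.get("sid", ["?"])[0],
                                        opts.get("msg", ['""'])[0].strip('"'), bad))
    return problems

def check_rule_dir(rules_dir: Path) -> List[RuleProblem]:
    problems = []
    for p in sorted(rules_dir.glob("*.rules")):
        problems.extend(check_rule_file(p))
    return problems

# Constructed sample rule files (not real ET signatures); the second rule carries a
# corrupted 'http_h*ader' modifier like the one in the thread's snort error message.
SAMPLE_RULES = {
    "emerging-web.rules": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE good rule; with semicolon"; '
        'flow:established,to_server; content:"/index.php"; http_uri; classtype:web-application-activity; sid:9000001; rev:1;)\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE corrupted rule"; '
        'flow:established,to_server; uricontent:"/wp-content/plugins/"; nocase; http_h*ader; '
        'classtype:attempted-recon; sid:9000002; rev:3;)\n'
    ),
    "emerging-scan.rules": (
        '# comment line\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh scan"; flags:S; sid:9000003; rev:1;)\n'
    ),
}

def demo(rules_dir: Optional[Path] = None) -> List[RuleProblem]:
    """Write the constructed samples to a scratch directory and scan them."""
    root = rules_dir or Path(tempfile.mkdtemp())
    for name, text in SAMPLE_RULES.items():
        (root / name).write_text(text)
    return check_rule_dir(root)

if __name__ == "__main__":
    for p in demo():
        print(f"{p.file}:{p.line} sid {p.sid} ({p.msg}) unknown keyword(s): {', '.join(p.bad_keywords)}")
```

Point check_rule_dir at the directory you copied the .rules files into and it prints file, line, SID and message for each rule with an unrecognised option, which is exactly what you need to disable it by SID in the Endian interface. Two limitations to keep in mind: it only handles single-line rules (backslash-continued rules are skipped rather than parsed), and a keyword missing from KNOWN_KEYWORDS is reported as unknown, so a false positive means the set needs extending, not that the rule is broken.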
Title: Re: Endian 2.3 and Intrusion Detection/Prevention
Post by: mrkroket on Friday 16 October 2009, 01:31:51 am

Related to this: http://bugs.endian.it/view.php?id=2227

It seems that if we update Snort it will renew the offending rule.

Title: Re: Endian 2.3 and Intrusion Detection/Prevention
Post by: danodemano on Friday 16 October 2009, 06:56:44 pm

Yes, it appears to be a bad rule coming down the pipe. This is why I have not updated my rules. ;D