Author Topic: [EFW 2.3 Community] IDS Bug  (Read 8007 times)
mrkroket
« on: Tuesday 20 July 2010, 01:28:55 am »

I think this is old, but just in case:
I don't know if it still happens on EFW 2.4.

Problem:
When enabled, the IDS only detects a few alerts, of this kind:
snort[11978]: [125:7:1] (ftp_telnet) FTP traffic encrypted[Priority: 3]: {TCP} X.X.X.X:21 -> 192.168.X.X:50390
The red number is always a low Sid. These are built-in rules; the rules shown in the Web GUI all have Sids over 2000000.
If you don't have any rule with Sid >2M, it can be this bug.


What causes it:
In some situations the IDS (Intrusion Detection System) stops applying almost all rules. It only uses some low-level rules (FTP related).
You'll notice it because in the IDS reports you only have some FTP alerts, and nothing more.

This is caused by a wrong setting. In /var/efw/snort/settings there is a parameter called ENABLED_RULES. It should point to the rule directories that will be applied, i.e. the dirs created in /etc/snort/rules. But for some reason it is empty. This makes the restart script bypass these directories and apply no rules.


How to fix it:
Edit the /usr/local/bin/restartsnort.py file. At about line 128, in the function enabled_rule_targets(), there is a section that says

Quote
    enabled_targets = config_values.get('ENABLED_RULES', "")
    if enabled_targets == "":
        return []

There are some cases where the value of ENABLED_RULES is empty, I don't know why.
So I changed that part, and put this instead:
Quote
    enabled_targets = config_values.get('ENABLED_RULES', "")
    if enabled_targets == "":
        enabled_targets = "auto,custom"
I changed the return [] line to the enabled_targets = "auto,custom" line.
Warning: editing the script files is potentially dangerous, do it only if you are sure. Check the indentation; some scripts are sensitive to trailing spaces.

This forces the directories auto and custom when the ENABLED_RULES parameter is empty.
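The lookup and fallback described in the post, as an added example that is not EFW's own restartsnort.py and not code from the poster. The paths /var/efw/snort/settings and /etc/snort/rules and the auto/custom directory names come from the post; the KEY=value settings format, the helper names (parse_settings, enabled_rule_targets, rule_files, demo) and the sample rule tree are assumptions built for the demonstration. It shows why an empty ENABLED_RULES left snort with zero rule directories, and how the "auto,custom" fallback changes that:

```python
"""Added example (not EFW's own restartsnort.py): reproduce the ENABLED_RULES
lookup from the post and the fallback that stops snort from starting with no
rule directories. Paths /var/efw/snort/settings and /etc/snort/rules are from
the post; the settings-file format (KEY=value, one per line), the function
names and the .rules file layout are assumptions made for this example."""
import os
import tempfile

DEFAULT_TARGETS = ("auto", "custom")   # fallback used by the post's patch


def parse_settings(text):
    """Parse KEY=value lines (EFW settings style, assumed) into a dict.
    Blank lines and '#' comments are ignored; values may be empty strings."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values


def enabled_rule_targets(config_values, default=DEFAULT_TARGETS):
    """Return the list of rule directories to load.

    The original function returned [] when ENABLED_RULES was empty, which
    silently left snort with only its preprocessor (low-Sid) rules. Here an
    empty or missing value falls back to `default` (auto,custom in the post's
    fix) instead of disabling every rule set. Pass default=() to get the
    original behaviour. Note the fallback also hides a genuinely empty setting,
    so in a real script this branch is worth a log line."""
    raw = config_values.get("ENABLED_RULES", "")
    targets = [t.strip() for t in raw.split(",") if t.strip()]
    if not targets:
        return list(default)
    return targets


def rule_files(rules_root, targets):
    """Collect *.rules files under rules_root/<target> for each target.
    Missing directories are skipped rather than treated as an error."""
    found = []
    for target in targets:
        directory = os.path.join(rules_root, target)
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if name.endswith(".rules"):
                found.append(os.path.join(directory, name))
    return found


def demo():
    """Build a throwaway /etc/snort/rules-like tree (constructed sample data)
    and count the rule files selected with an empty ENABLED_RULES before the
    fix, after the fix, and with the value set explicitly."""
    root = tempfile.mkdtemp(prefix="snort-rules-")
    sample = {"auto": ["emerging-web.rules"], "custom": ["local.rules"]}
    for target, files in sample.items():
        os.makedirs(os.path.join(root, target))
        for name in files:
            with open(os.path.join(root, target, name), "w") as fh:
                fh.write('alert tcp any any -> any 80 '
                         '(msg:"constructed sample"; sid:2000001; rev:1;)\n')

    broken_settings = "IDS_ENABLED=on\nENABLED_RULES=\n"          # the buggy state
    good_settings = "IDS_ENABLED=on\nENABLED_RULES=auto,custom\n"

    before = rule_files(root, enabled_rule_targets(parse_settings(broken_settings), default=()))
    after = rule_files(root, enabled_rule_targets(parse_settings(broken_settings)))
    explicit = rule_files(root, enabled_rule_targets(parse_settings(good_settings)))
    return len(before), len(after), len(explicit)


if __name__ == "__main__":
    print(demo())   # (0, 2, 2)
```

Before patching restartsnort.py, the quicker check is to look at the live file: if `grep ENABLED_RULES /var/efw/snort/settings` prints an empty value, the fallback above is the branch that will be taken.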