Hello.
This is my first question to the forum.
Thank you very much for the opportunity and support.
I have been running EFW 2.5 (community edition) for 4 months without trouble, except with Snort.
I had trouble with Snort because I had added custom rules trying to avoid a certain known vulnerability in the PHP application that is running on an internal web server, and I wanted to drop the connection directly.
To give a little history: I can't activate the shield in the GUI, but I found that if I set the rule to drop directly from the CLI, it is dropped.
The only problem I had after this was that if Snort is configured to auto-update the rules, this rule stops working and I have to "save and restart" Snort in the GUI for it to start working again.
Today I have a more serious problem.
After testing and seeing that everything was working as expected, without too many false positives, and all of them under control, I decided to set all the rules to drop.
I selected all the rules, marked the shield, saved and restarted, and began testing.
The test I did was simple: trying to chat from Green to Facebook chat, with a firewall rule that inspects HTTP and HTTPS.
The problem is that Snort logs the chat, but it doesn't drop the connection.
As you will understand, I have restarted Snort, killed Snort and its PID, run it in debug mode, restarted the machine, and nothing.
In /var/log/messages the only thing I see is:
Nov 28 02:55:50 machine snort[8181]: Enabling inline operation
Nov 28 02:55:50 machine snort[8181]: Running in IDS mode
(........)
Nov 28 03:20:13 machine snort[15958]: Writing PID "15958" to file "/var/run//snort_eth0.pid"
Nov 28 03:20:13 machine snort[15958]: Cannot set uid and gid when running Snort in inline mode.
Nov 28 03:20:13 machine snort[15958]: Setting the Packet Processor to decode packets from iptables
I am not a Snort expert, but I am a little lost about the second line, "Running in IDS mode".
I have also found in /var/efw/snort/settings a line that said:
SNORT_DEFAULT_POLICY=alert
and I have changed it to:
SNORT_DEFAULT_POLICY=drop
But still the same.
Can someone point me in the right direction to address this issue?
Any help will be appreciated.
Thank you very much,
Juan
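The following is an added example, not code from the post above, from Endian Firewall or from the Snort project. It is the audit a practitioner would run on the three artefacts the post names: the Snort start-up lines in /var/log/messages, the rule files, and the key=value file /var/efw/snort/settings. It assumes Snort 2.x message wording as quoted in the post; all sample log lines, rules and settings below are constructed, not taken from a real system.

```python
"""Audit a Snort 2.x inline deployment for "logs but does not drop" symptoms.

Added example; not code from the original post, from Endian Firewall or from
Snort. It parses three artefacts: Snort start-up lines in /var/log/messages,
the loaded rule files, and the EFW key=value settings file. Samples are constructed.
"""
import re
from collections import Counter

# "Nov 28 02:55:50 machine snort[8181]: message" (the day may be space-padded)
SYSLOG_RE = re.compile(r"^[A-Za-z]{3} +\d{1,2} [\d:]{8} \S+ snort\[(\d+)\]: (.*)$")
MODE_RE = re.compile(r"^Running in (.+) mode$")
SOURCE_RE = re.compile(r"^Setting the Packet Processor to decode packets from (\S+)$")
# Snort 2.x rule actions; only drop/reject/sdrop block traffic when running inline
RULE_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop|activate|dynamic)\s+\S+\s")
DROPPING_ACTIONS = {"drop", "reject", "sdrop"}

# Constructed sample of /var/log/messages, modelled on the post's excerpt but complete
SAMPLE_LOG = """\
Nov 28 02:55:50 machine snort[8181]: Enabling inline operation
Nov 28 02:55:50 machine snort[8181]: Running in IDS mode
Nov 28 02:55:50 machine snort[8181]: Setting the Packet Processor to decode packets from iptables
Nov 28 03:20:13 machine snort[15958]: Enabling inline operation
Nov 28 03:20:13 machine snort[15958]: Running in IDS mode
Nov 28 03:20:13 machine snort[15958]: Writing PID "15958" to file "/var/run//snort_eth0.pid"
Nov 28 03:20:13 machine snort[15958]: Cannot set uid and gid when running Snort in inline mode.
Nov 28 03:20:13 machine snort[15958]: Setting the Packet Processor to decode packets from iptables
"""

# Constructed rules: one still alert-only, one drop, one commented out
SAMPLE_RULES = """\
# local.rules (constructed)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"constructed alert rule"; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed drop rule"; sid:1000002; rev:1;)
#drop tcp any any -> any any (msg:"commented out"; sid:1000003; rev:1;)
"""

SAMPLE_SETTINGS = "SNORT_DEFAULT_POLICY=alert\n"  # constructed, as quoted in the post


def parse_startup(log_text):
    """Group Snort start-up messages by PID: inline flag, mode string, packet source."""
    runs = {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        run = runs.setdefault(pid, {"inline": False, "mode": None, "source": None})
        mode, source = MODE_RE.match(msg), SOURCE_RE.match(msg)
        if msg.startswith("Enabling inline operation"):
            run["inline"] = True
        elif mode:
            run["mode"] = mode.group(1)
        elif source:
            run["source"] = source.group(1)
    return runs


def rule_actions(rules_text):
    """Count the action keyword of each active rule; comments and blank lines are skipped."""
    counts = Counter()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def parse_settings(text):
    """Parse KEY=VALUE lines in the style of /var/efw/snort/settings."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def diagnose(log_text, rules_text, settings_text):
    """Return findings tagged [fail]/[warn]/[info]; [fail] means traffic cannot be dropped."""
    findings = []
    for pid, run in sorted(parse_startup(log_text).items(), key=lambda kv: int(kv[0])):
        if not run["inline"]:
            findings.append(f"[fail] pid {pid}: no 'Enabling inline operation' line; "
                            "a passive Snort can log but never drop")
        else:
            findings.append(f"[info] pid {pid}: inline operation enabled, mode reported as "
                            f"'{run['mode']}', packets from {run['source']}")
    actions = rule_actions(rules_text)
    total = sum(actions.values())
    dropping = sum(actions[a] for a in DROPPING_ACTIONS)
    if total and dropping == 0:
        findings.append(f"[fail] none of the {total} active rules uses drop/reject/sdrop; "
                        "alert rules log but never block, even inline")
    elif total and dropping < total:
        findings.append(f"[warn] {total - dropping} of {total} active rules still use a non-dropping action")
    policy = parse_settings(settings_text).get("SNORT_DEFAULT_POLICY")
    if policy is not None and policy != "drop":
        findings.append(f"[warn] SNORT_DEFAULT_POLICY={policy} (not 'drop')")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_RULES, SAMPLE_SETTINGS):
        print(finding)
```

To use it on a real box, read /var/log/messages, your rule files and /var/efw/snort/settings into the three arguments. The two checks that decide whether anything can be blocked are the rule actions (a rule whose action is still `alert` will only ever log) and whether each Snort start-up actually reported inline operation; the mode string and the policy setting are reported for comparison with what the GUI claims.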