Author Topic: snort only drops custom rules  (Read 9189 times)
vazromju
« on: Thursday 29 November 2012, 09:20:17 am »
Hello.
This is my first question to the forum.
Thank you very much for the opportunity, and the support.

I have been running EFW 2.5 (community edition) for 4 months without troubles, except for Snort.
I had troubles with Snort because I have added a of custom rules trying to avoid a certain known vulnerability in the PHP application running on an internal webserver, and I wanted to drop the connection directly.
With a little history with it, I can't activate the shield in the GUI, but I found that if I drop the rule directly on the CLI it is dropped.
The only problem I had after this was that if Snort is configured to auto-update the rules, this rule stops working and I have to "save and restart" Snort in the GUI to get it working again.

Today I have a more serious problem.
After testing and seeing that all is working as expected, with not too many false positives, all of them controlled, I decided to drop all the rules.
I selected all the rules, marked the shield, saved and restarted, and began testing.

The test I have done has been easy: trying to chat from Green to Facebook chat, with a firewall rule that is inspecting HTTP and HTTPS.
The problem is that Snort logs the chat, but it doesn't drop the connection.
As you will understand, I have restarted Snort, killed Snort and its PID, run it in debug mode, restarted the machine, and nothing.
In /var/log/messages the only thing I see is:

Code:
Nov 28 02:55:50 machine snort[8181]: Enabling inline operation
Nov 28 02:55:50 machine snort[8181]: Running in IDS mode
(........)
Nov 28 03:20:13 machine snort[15958]: Writing PID "15958" to file "/var/run//snort_eth0.pid"
Nov 28 03:20:13 machine snort[15958]: Cannot set uid and gid when running Snort in inline mode.
Nov 28 03:20:13 machine snort[15958]: Setting the Packet Processor to decode packets from iptables

I am not a Snort expert, but I am a little lost with the second line, "Running in IDS mode".

I have also found in /var/efw/snort/settings a line that said:
Code:
SNORT_DEFAULT_POLICY=alert

and I have changed it to:
Code:
SNORT_DEFAULT_POLICY=drop

But still the same.

Can someone help me to get the right direction to address this issue?
Any help will be appreciated.

Thank you very much,
Juan
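The start-up messages quoted above are the clue: Snort reports that inline operation is enabled (packets arrive from iptables), yet the same PID announces "Running in IDS mode", so rules can only alert, never drop. The following script is an added example, not part of this thread or of Endian's code; it parses lines shaped like the quoted /var/log/messages excerpt and the SNORT_DEFAULT_POLICY key from /var/efw/snort/settings, and flags exactly that combination. It assumes a dropping instance would instead log "Running in IPS mode".

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the /var/log/messages excerpt quoted in the post.
SAMPLE_LOG = """\
Nov 28 02:55:50 machine snort[8181]: Enabling inline operation
Nov 28 02:55:50 machine snort[8181]: Running in IDS mode
Nov 28 03:20:13 machine snort[15958]: Writing PID "15958" to file "/var/run//snort_eth0.pid"
Nov 28 03:20:13 machine snort[15958]: Cannot set uid and gid when running Snort in inline mode.
Nov 28 03:20:13 machine snort[15958]: Setting the Packet Processor to decode packets from iptables
"""

# Constructed sample of /var/efw/snort/settings, as quoted in the post.
SAMPLE_SETTINGS = "SNORT_DEFAULT_POLICY=alert\n"

# syslog prefix, host, "snort[<pid>]: " then the message text
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ snort\[(\d+)\]: (.*)$")


def snort_messages_by_pid(log_text: str) -> Dict[str, List[str]]:
    """Group Snort messages by PID so each start-up is examined on its own."""
    by_pid: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_pid.setdefault(m.group(1), []).append(m.group(2))
    return by_pid


def default_policy(settings_text: str) -> str:
    """Return the SNORT_DEFAULT_POLICY value, or '' when the key is absent."""
    m = re.search(r"^SNORT_DEFAULT_POLICY=(\w+)\s*$", settings_text, re.M)
    return m.group(1) if m else ""


def diagnose(messages: List[str], policy: str) -> List[str]:
    """Explain why a start-up that looks inline may still only alert."""
    findings = []
    inline = any("inline" in m.lower() or "from iptables" in m for m in messages)
    ids_mode = any(m.startswith("Running in IDS mode") for m in messages)
    # Assumption: an instance that really drops would log "Running in IPS mode".
    if inline and ids_mode:
        findings.append("inline hooked to iptables but running in IDS mode: "
                        "packets are alerted on, never dropped")
    if inline and policy != "drop":
        findings.append(f"SNORT_DEFAULT_POLICY={policy or '(unset)'} is not 'drop'")
    return findings
```

Run it against the real files with `diagnose(snort_messages_by_pid(open("/var/log/messages").read())[pid], default_policy(open("/var/efw/snort/settings").read()))` for the PID of the current Snort process.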
vazromju
« Reply #1 on: Thursday 06 December 2012, 04:04:21 am »

Hi,
I have more information.

This is the behaviour.

Built EFW community from scratch.
Opened Facebook and opened the buddy list. Got an alert from Snort.

Went to Snort rules and blocked the buddy list (auto-emerging-chat.rules, blocked the whole group).

Tried to open the buddy list from Facebook and it was dropped. Working all right.

Went to Snort rules and returned it to alert.
Tried to open the buddy list, and it was working.

Went to Snort rules and blocked the rule.
Never working again.

....
simontkksimontkk
« Reply #2 on: Monday 17 December 2012, 07:16:46 pm »

Hi vazromju,

I found that I also faced the same problems that you faced previously. Besides, my "Live log" for Intrusion Prevention is not coming out either, even though I have enabled the feature.

May I know how you settled this issue in the end?
I would very much appreciate it if you could guide me through it.

Thanks

Best Regards,
SIMON TIONG.