ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0011551
Project: ClearOS
Category: app-intrusion-detection - Intrusion Detection
View Status: public
Date Submitted: 2016-12-12 11:21
Last Update: 2021-06-08 05:13
Reporter: NickH
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: suspended
Product Version: 7.2.0
0011551: Convert some snort rules to ipset rules
Perhaps this goes hand-in-hand with https://tracker.clearos.com/view.php?id=11521#c4321

There are a number of the subscription rules which are effectively firewall blocks (botcc.portgrouped.rules, botcc.rules, ciarmy.rules, compromised.rules, drop.rules, dshield.rules and tor.rules). Snort is a very inefficient tool for firewall blocking. It is quite easy to parse these rules to create an ipset set or multiple sets. I do it currently in two different ways. There is a public file https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt which covers some of the above rules - but as it is public it has a delay on release and the tor rules. I parse these in the attached ET script. There is another ET file, https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt which covers most of the rest (but again with a delay) and I parse these with the ET_IP_Blocks script attached. I also have bits to handle the ipset sets and firewall rules.
This now needs to be rationalised with the new Business rules, but the principle is the same and it is way more efficient than snort. The only down-side is possibly that you lose all the snort logging with my implementation, but it could be added to the firewall rules.

In some ways it is even worse using snort. You get two snort rules for every IP, one tcp and one udp so you end up with more rules than you would with the firewall - and you don't end up blocking other protocols such as ICMP.

There is an extra issue with the tor rules which should possibly be in a separate bug report but I'll put it here.

The tor rules cover both exit points and routers. If you want to block anonymised traffic you only really want to block the exit points. Routers which are not exit points route traffic within the tor network, but they can also originate all sorts of other traffic which could be legitimate and probably should not be considered in the same class as exit points. I would suggest splitting the file into two so just exit points can be blocked. You will see my script ignores tor routers.
No tags attached.
Attachment: ET.zip (zip, 2,002 bytes) 2016-12-12 11:21 https://tracker.clearos.com/file_download.php?file_id=301&type=bug
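The conversion the report describes, parsing the bracketed IP lists out of the pure IP-block rule files and emitting one ipset entry per address rather than one snort rule per protocol, as an added example that is not the attached ET/ET_IP_Blocks scripts. The rule lines, IPs and sids are constructed test data in the shape of the ET files; tor relay rules are recognised by the "(Not Exit)" marker in the msg text, which is an assumption about the rule wording.

```python
import ipaddress
import re

# Constructed sample lines in the shape of the ET IP-block rule files named in
# the report (botcc/ciarmy/compromised/tor); the IPs, sids and msgs are made up.
SAMPLE_RULES = """\
# constructed test data, not a real ET rule file
alert ip [192.0.2.10,192.0.2.11,198.51.100.0/29] any -> $HOME_NET any (msg:"ET CNC Constructed Botnet C2 group 1"; classtype:trojan-activity; sid:9000001; rev:1;)
alert udp [192.0.2.10,192.0.2.11,198.51.100.0/29] any -> $HOME_NET any (msg:"ET CNC Constructed Botnet C2 group 1"; classtype:trojan-activity; sid:9000002; rev:1;)
alert ip [203.0.113.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; sid:9000003; rev:1;)
alert ip [203.0.113.8,203.0.113.9] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; sid:9000004; rev:1;)
alert tcp $HOME_NET any -> [203.0.113.7] any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; sid:9000005; rev:1;)
"""

# action proto <header up to the option block> (<options>)
HEADER_RE = re.compile(r"^(?:alert|drop|sdrop|reject)\s+\w+\s+(?P<hdr>[^(]*)\((?P<opts>.*)\)\s*$")
MSG_RE = re.compile(r'msg:"([^"]*)"')


def snort_block_ips(rules_text, include_tor_relays=False):
    """Return the set of IPv4 addresses/CIDRs the IP-block rules would match.

    The bracketed list is taken from whichever side of the header it sits on,
    and the per-protocol tcp/udp/ip copies of a rule collapse to one entry.
    Tor relay/router ("Not Exit") rules are skipped unless requested.
    """
    blocked = set()
    for line in rules_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue
        msg_m = MSG_RE.search(m.group("opts"))
        msg = msg_m.group(1) if msg_m else ""
        if not include_tor_relays and "Not Exit" in msg:
            continue  # tor relay, not an exit point
        for raw in re.findall(r"\[([^\]]+)\]", m.group("hdr")):
            for item in raw.split(","):
                item = item.strip()
                try:
                    net = ipaddress.ip_network(item, strict=False)
                except ValueError:
                    continue  # negations, variables or malformed entries
                if net.version == 4:
                    blocked.add(net.with_prefixlen if net.num_addresses > 1 else str(net.network_address))
    return blocked


def ipset_restore_script(ips, setname="et_block"):
    """Render `ipset restore` input: create the set once, then add each entry."""
    lines = [f"create {setname} hash:net family inet -exist"]
    lines.extend(f"add {setname} {ip} -exist" for ip in sorted(ips, key=ipaddress.ip_network))
    return "\n".join(lines) + "\n"
```

Feed the rendered text to `ipset restore` and reference the set from a single iptables/firewall rule; `-exist` makes the reload idempotent when the feed is refreshed.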
Issue History
2016-12-12 11:21 | NickH | New Issue
2016-12-12 11:21 | NickH | File Added: ET.zip
2017-02-01 10:30 | user2 | Status: new => acknowledged
2021-06-08 05:13 | NickH | Note Added: 0015881
2021-06-08 05:13 | NickH | Status: acknowledged => closed
2021-06-08 05:13 | NickH | Resolution: open => suspended

Notes
(0015881) NickH, 2021-06-08 05:13
Migrated to https://gitlab.com/clearos/clearfoundation/app-intrusion-detection/-/issues/6