ClearFoundation Tracker - ClearOS |
View Issue Details |
|
ID | Project | Category | View Status | Date Submitted | Last Update |
0001640 | ClearOS | app-intrusion-detection - Intrusion Detection | public | 2014-03-30 12:57 | 2014-06-24 08:29 |
|
Reporter | NickH | |
Assigned To | user2 | |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | |
Platform | | OS | | OS Version | |
Product Version | 6.5.0 | |
Target Version | 6.5.0 Updates | Fixed in Version | 6.5.0 Updates | |
|
Summary | 0001640: snort.conf HOME_NET not being updated with new WAN IP |
Description | I moved my installation from one server to another. While doing this I temporarily switched the cable modem/router to router mode. I inserted the new ClearOS box back into the LAN between the router and switch in gateway mode so it tried and failed to pick up a 192.168.0.x WAN IP address - see the syswatch log up to 11:07:39. From its timestamp, this is the last time /etc/snort.conf was updated and there is no WAN IP in HOME_NET.
I finally got an IP address on the router LAN soon after that (/var/log/ntpd gives an entry at 11:07:44 and syswatch indicates something at 11:07:40). I can see various clearsync and network_configuration events triggered, but snort.conf was not updated.
After that I switched the modem/router to modem only mode. For a while the ClearOS WAN was in the 192.168.100.x subnet before finally switching to the proper WAN IP, but no updates to snort.conf were made.
Logs are attached. Note during this time I was struggling to pull any WAN IP so I was upping and downing the interface at times hence the number of firewall restarts. |
Steps To Reproduce | |
Additional Information | |
Tags | No tags attached. |
Relationships | |
Attached Files | logs.zip (28,869) 2014-03-30 12:57 https://tracker.clearos.com/file_download.php?file_id=30&type=bug |
|
Issue History |
Date Modified | Username | Field | Change |
2014-03-30 12:57 | NickH | New Issue | |
2014-03-30 12:57 | NickH | File Added: logs.zip | |
2014-03-31 08:28 | user2 | Status | new => acknowledged |
2014-04-01 11:46 | user2 | Category | app-clearsync - Synchronization and Events => app-intrusion-detection - Intrusion Detection |
2014-04-01 11:53 | user2 | Note Added: 0001167 | |
2014-04-01 11:53 | user2 | Status | acknowledged => confirmed |
2014-04-01 11:54 | user2 | Target Version | => 6.5.0 Updates |
2014-04-01 12:07 | user2 | Note Added: 0001168 | |
2014-04-01 12:07 | user2 | Status | confirmed => resolved |
2014-04-01 12:07 | user2 | Fixed in Version | => 6.5.0 Updates |
2014-04-01 12:07 | user2 | Resolution | open => fixed |
2014-04-01 12:07 | user2 | Assigned To | => user2 |
2014-04-24 12:19 | NickH | Note Added: 0001174 | |
2014-04-24 12:19 | NickH | Status | resolved => feedback |
2014-04-24 12:19 | NickH | Resolution | fixed => reopened |
2014-04-24 18:57 | user2 | Note Added: 0001175 | |
2014-04-24 18:58 | user2 | Status | feedback => resolved |
2014-04-24 18:58 | user2 | Resolution | reopened => fixed |
2014-06-24 08:29 | user2 | Status | resolved => closed |
Notes |
|
(0001167) | user2 | 2014-04-01 11:53 |
Good catch Nick.
When HOME_NET was just the LAN/DMZ/HotLAN IPs (no WAN), the HOME_NET changes were hooked into the "network configuration" event. When a network card configuration was changed, Snort would check its HOME_NET configuration. All good.
When the WAN IP was later added to HOME_NET (tracker 0001302), Snort should have also added a check in the "network connected" event. That's missing. |
|
|
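Added example (not part of the tracker notes or the ClearOS code): a check for the condition discussed in note 0001167, comparing the HOME_NET line of a snort.conf against the addresses currently on the interfaces. The sample config, the addresses and the function names are constructed for illustration, and HOME_NET is assumed to be a flat list of addresses or CIDR blocks.

```python
import ipaddress
import re

# Matches "ipvar HOME_NET ..." and the older "var HOME_NET ..." form.
# Commented-out lines do not match because '#' precedes the keyword.
HOME_NET_RE = re.compile(r"^\s*(?:ipvar|var)\s+HOME_NET\s+(.+?)\s*$", re.MULTILINE)

# Constructed sample: LAN only, no WAN address (the state described in the report).
SAMPLE_CONF = """\
# constructed sample, not taken from the attached logs
ipvar HOME_NET [10.1.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
"""
# Constructed interface addresses: LAN first, then a WAN lease.
LIVE_ADDRS = ["10.1.1.1", "192.168.100.23"]


def parse_home_net(conf_text):
    """Return the networks listed in HOME_NET, or None when it is 'any'."""
    match = HOME_NET_RE.search(conf_text)  # assumption: HOME_NET is defined once
    if match is None:
        raise ValueError("no HOME_NET definition found")
    value = match.group(1)
    if value == "any":
        return None
    entries = [e.strip() for e in value.strip("[]").split(",") if e.strip()]
    # Negations (!) and nested variables ($) are out of scope here and
    # raise ValueError from ip_network().
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def stale_addresses(conf_text, live_addrs):
    """Return the live interface addresses that HOME_NET does not cover."""
    nets = parse_home_net(conf_text)
    if nets is None:  # 'any' covers everything
        return []
    missing = []
    for addr in live_addrs:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            missing.append(addr)
    return missing


if __name__ == "__main__":
    for addr in stale_addresses(SAMPLE_CONF, LIVE_ADDRS):
        print("HOME_NET does not cover interface address", addr)
```

Run from cron or a monitoring check after a WAN lease change, a non-empty result means rules written against $HOME_NET are not being applied to traffic addressed to that interface.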
(0001168) | user2 | 2014-04-01 12:07 |
|
|
(0001174) | NickH | 2014-04-24 12:19 |
Please can you push the fix through the build system into release? |
|
|
(0001175) | user2 | 2014-04-24 18:57 |
|