ClearFoundation Tracker - ClearOS |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000020 | ClearOS | app-intrusion-prevention - Intrusion Prevention | public | 2010-01-22 03:23 | 2010-03-02 19:21 |
|
| Reporter | timb80 | |
| Assigned To | dsokoloski | |
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | | OS | | OS Version | |
| Product Version | 5.1 | |
| Target Version | | Fixed in Version | 5.1 | |
|
| Summary | 0000020: Firewall restart does not regenerate all snortsam iptables rules |
| Description | Ip's blocked by snortsam during operation are defined by two rules in the INPUT chain to prevent any traffic originating from suspect IP (with both source and dest defined). Restart of firewall does not re-create both rules. Snortsam then gives errors about missing iptables rule after time elapses.
To reproduce:-
run a port scan (say from grc.com) to block an IP
snortsam will block with two rules, /var/log/snortsam
2010/01/22, 10:12:45, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID:524).
iptables -L INPUT -n -v | grep 4.79
0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
184 8048 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
do a 'service firewall restart'
iptables -L INPUT -n -v | grep 4.79
0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
Only the original rule is recreated.
After the 24hours has passed snortsam will attempt to remove both rules (unblock the host) and report the following error, as obviously one of the two rules is now missing
iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -s 4.79.142.206 -j DROP Failed |
| Steps To Reproduce | |
| Additional Information | As far as I can tell this affects the section of code "Running incoming denied rules" as the IP does not appear under the list of blocked external hosts from /var/log/system
/etc/rc.d/firewall.lua
|
| Tags | No tags attached. |
| Relationships | |
| Attached Files |  snortsam-reblock (2,261) 2010-01-24 16:50
https://tracker.clearos.com/file_download.php?file_id=4&type=bug
 snortsam-reblock-output.txt (3,108) 2010-01-25 01:58
https://tracker.clearos.com/file_download.php?file_id=5&type=bug |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2010-01-22 03:23 | timb80 | New Issue | |
| 2010-01-22 03:25 | timb80 | Note Added: 0000013 | |
| 2010-01-22 03:28 | timb80 | Note Added: 0000014 | |
| 2010-01-22 08:35 | user2 | Status | new => assigned |
| 2010-01-22 08:35 | user2 | Assigned To | => dsokoloski |
| 2010-01-22 11:18 | dsokoloski | Note Added: 0000015 | |
| 2010-01-22 11:18 | dsokoloski | Resolution | open => fixed |
| 2010-01-22 11:18 | dsokoloski | Fixed in Version | => 5.2 |
| 2010-01-22 11:21 | dsokoloski | File Added: firewall | |
| 2010-01-22 11:21 | dsokoloski | Status | assigned => acknowledged |
| 2010-01-22 11:22 | dsokoloski | Note Edited: 0000015 | |
| 2010-01-22 11:23 | dsokoloski | Note Edited: 0000015 | |
| 2010-01-22 12:51 | dsokoloski | Status | acknowledged => resolved |
| 2010-01-22 14:25 | timb80 | Note Added: 0000017 | |
| 2010-01-22 14:25 | timb80 | Status | resolved => feedback |
| 2010-01-22 14:25 | timb80 | Resolution | fixed => reopened |
| 2010-01-22 14:38 | dsokoloski | File Added: snortsam-reblock | |
| 2010-01-22 14:39 | dsokoloski | Note Added: 0000018 | |
| 2010-01-24 14:30 | timb80 | File Added: snortsam-reblock-output.txt | |
| 2010-01-24 14:32 | timb80 | Note Added: 0000019 | |
| 2010-01-24 16:49 | dsokoloski | File Deleted: firewall | |
| 2010-01-24 16:49 | dsokoloski | File Deleted: snortsam-reblock | |
| 2010-01-24 16:49 | dsokoloski | File Deleted: snortsam-reblock-output.txt | |
| 2010-01-24 16:50 | dsokoloski | File Added: snortsam-reblock | |
| 2010-01-24 16:51 | dsokoloski | Note Added: 0000020 | |
| 2010-01-25 01:58 | timb80 | File Added: snortsam-reblock-output.txt | |
| 2010-01-25 01:58 | timb80 | Note Added: 0000021 | |
| 2010-01-25 15:58 | dsokoloski | Note Added: 0000022 | |
| 2010-01-25 15:59 | dsokoloski | Status | feedback => resolved |
| 2010-02-22 16:54 | user2 | Checkin | |
| 2010-02-22 16:54 | user2 | Note Added: 0000038 | |
| 2010-02-22 16:54 | user2 | Resolution | reopened => fixed |
| 2010-02-24 10:02 | user2 | Fixed in Version | 5.2 => 5.1 |
| 2010-03-02 19:21 | user2 | Note Added: 0000052 | |
| 2010-03-02 19:21 | user2 | Status | resolved => closed |
|
Notes |
|
|
(0000013)
|
|
timb80
|
|
2010-01-22 03:25
|
|
|
P.S this category has a typo ;) [ClearOS] Intrusion Projection << |
|
|
|
(0000014)
|
|
timb80
|
|
2010-01-22 03:28
|
|
EDIT: Sorry I have a typo on the last line! The Snortsam iptables error relates to the rule when the IP is in the destination field. Source field shown above
iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -d 208.111.139.4 -j DROP Failed |
|
|
|
(0000015)
|
|
dsokoloski
|
2010-01-22 11:18
(edited on: 2010-01-22 11:23) |
|
The firewall init script ignores the snortsam 'mode' type and recreates the iptables rules as FWSAM_HOW_IN only. It is possible for a blocked host to have the following modes:
FWSAM_HOW_IN: blocked host based on incoming traffic
FWSAM_HOW_OUT: blocked host based on outgoing traffic
FWSAM_HOW_INOUT: blocked host based on both in/outgoing traffic
FWSAM_HOW_THIS: blocked host based on traffic sent directly to the gateway
I have updated the firewall init script adding support for the first three modes. This should properly recreate most of the block rules. FWSAM_HOW_THIS will require more changes so I haven't implemented this mode yet.
If you have time, could you test the updated init script? I've attached it to this bug report. Backup your existing /etc/init.d/firewall script and copy this one over it... or just run the updated version from whatever directory you copy it to.
Thanks for the feedback!
|
|
|
|
(0000017)
|
|
timb80
|
|
2010-01-22 14:25
|
|
Hi, thanks for the prompt reply! unfortunately it doesn't appear to work here. If I restart the firewall, it no longer recreates the block rules from snortsam...if I restart snortsam then only the first rule is recreated as it was before
Port scan, ip blocked
2010/01/22, 21:22:04, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
201 8788 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
[root@starlane:~]# service firewall restart
Starting firewall: [ OK ]
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
[root@starlane:~]# << no rules created
[root@starlane:~]# service snortsam restart
Stopping snortsam: [ OK ]
Starting snortsam: [ OK ]
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0 |
|
|
|
|
Can you download the attached script "snortsam-reblock" to your server, chmod a+x, and then:
./snortsam-reblock
Post the output here. Thanks again! |
|
|
|
(0000019)
|
|
timb80
|
|
2010-01-24 14:32
|
|
|
Attached the output as snortsam-reblock-output.txt |
|
|
|
|
Thanks for the feedback.
I've uploaded another test script with the appropriate fix (I hope).
Btw, my PSNID is darryl, add me :) |
|
|
|
(0000021)
|
|
timb80
|
|
2010-01-25 01:58
|
|
Attached revised output, just after i'd run another port scan...looks promising
Will add you later :) |
|
|
|
|
Looks good. I've committed the fixes to SVN and I will mark this as resolved unless you find that the regenerated rules are not correct.
Found ya on PSN... thanks! :) |
|
|
|
(0000038)
|
|
user2
|
|
2010-02-22 16:54
|
|
Source Code Changelog
---------------------------------------------------
- Fixed intrusion prevention hooks to regenerate firewall rules [fixed tracker 0000020]
File Changes
---------------------------------------------------
U legacy/modules/branches/5.1/app-firewall/app-firewall.spec.in
U legacy/modules/branches/5.1/app-firewall/firewall
A legacy/modules/branches/5.1/app-firewall/snortsam-reblock
|
|
|
|
(0000052)
|
|
user2
|
|
2010-03-02 19:21
|
|
|