ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0000020
Project: ClearOS
Category: app-intrusion-prevention - Intrusion Prevention
View Status: public
Date Submitted: 2010-01-22 03:23
Last Update: 2010-03-02 19:21
Reporter: timb80
Assigned To: dsokoloski
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 5.1
Fixed in Version: 5.1
0000020: Firewall restart does not regenerate all snortsam iptables rules
IPs blocked by snortsam during operation are defined by two rules in the INPUT chain to prevent any traffic originating from the suspect IP (with both source and dest defined). Restart of the firewall does not re-create both rules. Snortsam then gives errors about a missing iptables rule after the time elapses.

To reproduce:
run a port scan (say from grc.com) to block an IP

snortsam will block with two rules, /var/log/snortsam
2010/01/22, 10:12:45, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID:524).

iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
  184 8048 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0

do a 'service firewall restart'

iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0

Only the original rule is recreated.

After the 24 hours have passed snortsam will attempt to remove both rules (unblock the host) and report the following error, as obviously one of the two rules is now missing:
iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -s 4.79.142.206 -j DROP Failed
As far as I can tell this affects the section of code "Running incoming denied rules", as the IP does not appear under the list of blocked external hosts in /var/log/system.
/etc/rc.d/firewall.lua

Attached Files:
  snortsam-reblock (2,261 bytes) 2010-01-24 16:50
  https://tracker.clearos.com/file_download.php?file_id=4&type=bug
  snortsam-reblock-output.txt (3,108 bytes) 2010-01-25 01:58
  https://tracker.clearos.com/file_download.php?file_id=5&type=bug
Issue History
2010-01-22 03:23  timb80      New Issue
2010-01-22 03:25  timb80      Note Added: 0000013
2010-01-22 03:28  timb80      Note Added: 0000014
2010-01-22 08:35  user2       Status: new => assigned
2010-01-22 08:35  user2       Assigned To: => dsokoloski
2010-01-22 11:18  dsokoloski  Note Added: 0000015
2010-01-22 11:18  dsokoloski  Resolution: open => fixed
2010-01-22 11:18  dsokoloski  Fixed in Version: => 5.2
2010-01-22 11:21  dsokoloski  File Added: firewall
2010-01-22 11:21  dsokoloski  Status: assigned => acknowledged
2010-01-22 11:22  dsokoloski  Note Edited: 0000015
2010-01-22 11:23  dsokoloski  Note Edited: 0000015
2010-01-22 12:51  dsokoloski  Status: acknowledged => resolved
2010-01-22 14:25  timb80      Note Added: 0000017
2010-01-22 14:25  timb80      Status: resolved => feedback
2010-01-22 14:25  timb80      Resolution: fixed => reopened
2010-01-22 14:38  dsokoloski  File Added: snortsam-reblock
2010-01-22 14:39  dsokoloski  Note Added: 0000018
2010-01-24 14:30  timb80      File Added: snortsam-reblock-output.txt
2010-01-24 14:32  timb80      Note Added: 0000019
2010-01-24 16:49  dsokoloski  File Deleted: firewall
2010-01-24 16:49  dsokoloski  File Deleted: snortsam-reblock
2010-01-24 16:49  dsokoloski  File Deleted: snortsam-reblock-output.txt
2010-01-24 16:50  dsokoloski  File Added: snortsam-reblock
2010-01-24 16:51  dsokoloski  Note Added: 0000020
2010-01-25 01:58  timb80      File Added: snortsam-reblock-output.txt
2010-01-25 01:58  timb80      Note Added: 0000021
2010-01-25 15:58  dsokoloski  Note Added: 0000022
2010-01-25 15:59  dsokoloski  Status: feedback => resolved
2010-02-22 16:54  user2       Checkin
2010-02-22 16:54  user2       Note Added: 0000038
2010-02-22 16:54  user2       Resolution: reopened => fixed
2010-02-24 10:02  user2       Fixed in Version: 5.2 => 5.1
2010-03-02 19:21  user2       Note Added: 0000052
2010-03-02 19:21  user2       Status: resolved => closed

Notes
(0000013)
timb80   
2010-01-22 03:25   
P.S. this category has a typo ;) [ClearOS] Intrusion Projection <<
(0000014)
timb80   
2010-01-22 03:28   
EDIT: Sorry, I have a typo on the last line! The Snortsam iptables error relates to the rule when the IP is in the destination field. Source field shown above.
iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -d 208.111.139.4 -j DROP Failed
(0000015)
dsokoloski   
2010-01-22 11:18   
(edited on: 2010-01-22 11:23)
The firewall init script ignores the snortsam 'mode' type and recreates the iptables rules as FWSAM_HOW_IN only. It is possible for a blocked host to have the following modes:

FWSAM_HOW_IN: blocked host based on incoming traffic
FWSAM_HOW_OUT: blocked host based on outgoing traffic
FWSAM_HOW_INOUT: blocked host based on both in/outgoing traffic
FWSAM_HOW_THIS: blocked host based on traffic sent directly to the gateway

I have updated the firewall init script adding support for the first three modes. This should properly recreate most of the block rules. FWSAM_HOW_THIS will require more changes so I haven't implemented this mode yet.

If you have time, could you test the updated init script? I've attached it to this bug report. Back up your existing /etc/init.d/firewall script and copy this one over it... or just run the updated version from whatever directory you copy it to.

Thanks for the feedback!

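The reproduction steps in the report and the mode discussion in note 0000015 describe two things worth scripting: the rules a firewall restart has to recreate for a blocked host, and a check that both rules actually survived the restart. The POSIX shell script below is an added example written for this page; it is not ClearOS's firewall init script, not the attached snortsam-reblock, and not snortsam code. The interface (eth1), chain (INPUT), the snortsam log line format and the column layout of `iptables -L INPUT -n -v` are taken from the report above; the mapping of FWSAM_HOW_IN/OUT/INOUT onto -s/-d rules, the use of -A, the sample data and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not ClearOS or snortsam code): emit the rules a firewall
# restart must recreate for a snortsam-blocked host, and audit an
# `iptables -L INPUT -n -v` listing against the snortsam log for hosts that
# lost one of their two rules. Interface eth1, chain INPUT and the log and
# listing formats follow the bug report; the mode-to-rule mapping and the use
# of -A (rather than -I) are assumptions of this example.

# Rules for host $1 in mode $2 on interface $3 (default eth1). A host the log
# reports as blocked "completely" needs both the -s and the -d rule.
snortsam_rules_for() {
    ip=$1; mode=$2; iface=${3:-eth1}
    case $mode in
        FWSAM_HOW_IN)    echo "iptables -A INPUT -i $iface -s $ip -j DROP" ;;
        FWSAM_HOW_OUT)   echo "iptables -A INPUT -i $iface -d $ip -j DROP" ;;
        FWSAM_HOW_INOUT) echo "iptables -A INPUT -i $iface -s $ip -j DROP"
                         echo "iptables -A INPUT -i $iface -d $ip -j DROP" ;;
        *) echo "unsupported mode: $mode" >&2; return 1 ;;
    esac
}

# Hosts that the snortsam log (stdin) reports as blocked "completely", one per line.
blocked_hosts() {
    sed -n 's/.*Blocking host \([0-9.][0-9.]*\) completely for .*/\1/p' | sort -u
}

# Which DROP rules for host $1 exist in an `iptables -L INPUT -n -v` listing
# read from stdin. Columns: pkts bytes target prot opt in out source destination.
# Prints "src dst", "src", "dst" or "none".
block_directions() {
    awk -v ip="$1" '
        $3 == "DROP" && $8 == ip { src = 1 }
        $3 == "DROP" && $9 == ip { dst = 1 }
        END {
            r = ""
            if (src) r = "src"
            if (dst) r = (r == "" ? "dst" : (r " dst"))
            print (r == "" ? "none" : r)
        }'
}

# Audit: for each completely blocked host in log file $1, report which rule is
# absent from listing file $2. Prints nothing when every host still has both.
audit_reblock() {
    blocked_hosts < "$1" | while read -r ip; do
        case $(block_directions "$ip" < "$2") in
            "src dst") ;;
            src)  echo "$ip missing -d rule" ;;
            dst)  echo "$ip missing -s rule" ;;
            none) echo "$ip missing both rules" ;;
        esac
    done
}

# Constructed sample input modelled on the report: one host blocked, listing
# taken after `service firewall restart`, where only the -s rule survived.
SAMPLE_LOG='2010/01/22, 10:12:45, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID:524).'
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth1   *       4.79.142.206         0.0.0.0/0'

# Run the audit on the constructed samples and print its report.
demo_audit() {
    tmp=${TMPDIR:-/tmp}/reblock.$$
    printf '%s\n' "$SAMPLE_LOG" > "$tmp.log"
    printf '%s\n' "$SAMPLE_LISTING" > "$tmp.lst"
    audit_reblock "$tmp.log" "$tmp.lst"
    rm -f "$tmp.log" "$tmp.lst"
}

demo_audit
```

On a real box you would feed it the live data, e.g. `iptables -L INPUT -n -v > /tmp/input.lst` followed by `audit_reblock /var/log/snortsam /tmp/input.lst`; every host it prints is one for which snortsam's later unblock will fail with a "Command2 ... Failed" error like the one in the report. One caveat: the audit does not track block expiry (the 86400 seconds in the log line), so hosts whose block has already lapsed and been cleanly removed will also show up as missing unless the log is first trimmed to the current block window.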
(0000017)
timb80   
2010-01-22 14:25   
Hi, thanks for the prompt reply! Unfortunately it doesn't appear to work here. If I restart the firewall, it no longer recreates the block rules from snortsam... if I restart snortsam then only the first rule is recreated, as it was before.

Port scan, ip blocked
2010/01/22, 21:22:04, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).

[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
  201 8788 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
[root@starlane:~]# service firewall restart
Starting firewall: [ OK ]
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
[root@starlane:~]# << no rules created
[root@starlane:~]# service snortsam restart
Stopping snortsam: [ OK ]
Starting snortsam: [ OK ]
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
(0000018)
dsokoloski   
2010-01-22 14:39   
Can you download the attached script "snortsam-reblock" to your server, chmod a+x, and then:

./snortsam-reblock

Post the output here. Thanks again!
(0000019)
timb80   
2010-01-24 14:32   
Attached the output as snortsam-reblock-output.txt
(0000020)
dsokoloski   
2010-01-24 16:51   
Thanks for the feedback.

I've uploaded another test script with the appropriate fix (I hope).

Btw, my PSNID is darryl, add me :)
(0000021)
timb80   
2010-01-25 01:58   
Attached revised output, just after I'd run another port scan... looks promising.

Will add you later :)
(0000022)
dsokoloski   
2010-01-25 15:58   
Looks good. I've committed the fixes to SVN and I will mark this as resolved unless you find that the regenerated rules are not correct.

Found ya on PSN... thanks! :)
(0000038)
user2   
2010-02-22 16:54   
Source Code Changelog
---------------------------------------------------
- Fixed intrusion prevention hooks to regenerate firewall rules [fixed tracker 0000020]

File Changes
---------------------------------------------------
U legacy/modules/branches/5.1/app-firewall/app-firewall.spec.in
U legacy/modules/branches/5.1/app-firewall/firewall
A legacy/modules/branches/5.1/app-firewall/snortsam-reblock
(0000052)
user2   
2010-03-02 19:21   
Errata Update CFBA-2010:031 - http://clearsdn.clearcenter.com/software/admin.php?aid=31