Anonymous | Login | 2024-12-22 05:08 MST |
Main | My View | View Issues | Change Log | Roadmap | Repositories |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0011551 | ClearOS | app-intrusion-detection - Intrusion Detection | public | 2016-12-12 11:21 | 2021-06-08 05:13 | ||||
Reporter | NickH | ||||||||
Assigned To | |||||||||
Priority | normal | Severity | feature | Reproducibility | always | ||||
Status | closed | Resolution | suspended | ||||||
Platform | OS | OS Version | |||||||
Product Version | 7.2.0 | ||||||||
Target Version | Fixed in Version | ||||||||
Summary | 0011551: Convert some snort rules to ipset rules | ||||||||
Description | Perhaps this goes hand-in-hand with https://tracker.clearos.com/view.php?id=11521#c4321 [^] There are a number of the subscription rules which are effectively firewall blocks (botcc.portgrouped.rules, botcc.rules, ciarmy.rules, compromised.rules, drop.rules, dshield.rules and tor.rules). Snort is a very inefficient tool for firewall blocking. It is quite easy to parse these rules to create an ipset set or multiple sets. I do it currently in two different ways. There is a public file https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/rules/compromised-ips.txt [^] which covers some of the above rules - but as it is public it has a delay on release and the tor rules. I parse these in the attached ET script. There is another ET file, https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt [^] which covers most of the rest (but again with a delay) and I parse these with the ET_IP_Blocks script attached. I also have bits to handle the ipset sets and firewall rules. This now needs to be rationalised with the new Business rules, but the principle is the same and it is way more efficient than snort. The only down-side is possibly that you lose all the snort logging with my implementation, but it could be added to the firewall rules. In some ways it is even worse using snort. You get two snort rules for every IP, one tcp and one udp so you end up with more rules than you would with the firewall - and you don't end up blocking other protocols such as ICMP. There is an extra issue with the tor rules which should possibly be in a separate bug report but I'll put it here. The tor rules cover both exit points and routers. If you want to block anonymised traffic you only really want to block the exit points. Routers which are not exit points route traffic within the tor network, but they can also originate all sorts of other traffic which could be legitimate and probably should not be considered in the same class as exit points. I would suggest splitting the file into two so just exit points can be blocked. You will see my script ignores tor routers. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | ET.zip [^] (2,002 bytes) 2016-12-12 11:21 | ||||||||
Notes | |
(0015881) NickH (developer) 2021-06-08 05:13 |
Migrated to https://gitlab.com/clearos/clearfoundation/app-intrusion-detection/-/issues/6 [^] |
Issue History | |||
Date Modified | Username | Field | Change |
2016-12-12 11:21 | NickH | New Issue | |
2016-12-12 11:21 | NickH | File Added: ET.zip | |
2017-02-01 10:30 | user2 | Status | new => acknowledged |
2021-06-08 05:13 | NickH | Note Added: 0015881 | |
2021-06-08 05:13 | NickH | Status | acknowledged => closed |
2021-06-08 05:13 | NickH | Resolution | open => suspended |