ClearOS Bug Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0011551ClearOSapp-intrusion-detection - Intrusion Detectionpublic2016-12-12 11:212021-06-08 05:13
Assigned To 
PlatformOSOS Version
Product Version7.2.0 
Target VersionFixed in Version 
Summary0011551: Convert some snort rules to ipset rules
DescriptionPerhaps this goes hand-in-hand with [^]

There are a number of the subscription rules which are effectively firewall blocks (botcc.portgrouped.rules, botcc.rules, ciarmy.rules, compromised.rules, drop.rules, dshield.rules and tor.rules). Snort is a very inefficient tool for firewall blocking. It is quite easy to parse these rules to create an ipset set or multiple sets. I do it currently in two different ways. There is a public file [^] which covers some of the above rules - but as it is public it has a delay on release and the tor rules. I parse these in the attached ET script. There is another ET file, [^] which covers most of the rest (but again with a delay) and I parse these with the ET_IP_Blocks script attached. I also have bits to handle the ipset sets and firewall rules.
This now needs to be rationalised with the new Business rules, but the principle is the same and it is way more efficient than snort. The only down-side is possibly that you lose all the snort logging with my implementation, but it could be added to the firewall rules.

In some ways it is even worse using snort. You get two snort rules for every IP, one tcp and one udp so you end up with more rules than you would with the firewall - and you don't end up blocking other protocols such as ICMP.

There is an extra issue with the tor rules which should possibly be in a separate bug report but I'll put it here.

The tor rules cover both exit points and routers. If you want to block anonymised traffic you only really want to block the exit points. Routers which are not exit points route traffic within the tor network, but they can also originate all sorts of other traffic which could be legitimate and probably should not be considered in the same class as exit points. I would suggest splitting the file into two so just exit points can be blocked. You will see my script ignores tor routers.
TagsNo tags attached.
Attached Fileszip file icon [^] (2,002 bytes) 2016-12-12 11:21

- Relationships

- Issue History
Date Modified Username Field Change
2016-12-12 11:21 NickH New Issue
2016-12-12 11:21 NickH File Added:
2017-02-01 10:30 user2 Status new => acknowledged
2021-06-08 05:13 NickH Note Added: 0015881
2021-06-08 05:13 NickH Status acknowledged => closed
2021-06-08 05:13 NickH Resolution open => suspended