ClearOS Bug Tracker


View Issue Details
ID: 0001640
Project: ClearOS
Category: app-intrusion-detection - Intrusion Detection
View Status: public
Date Submitted: 2014-03-30 12:57
Last Update: 2014-06-24 08:29
Reporter: NickH
Assigned To: user2
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 6.5.0
Target Version: 6.5.0 Updates
Fixed in Version: 6.5.0 Updates
Summary: 0001640: snort.conf HOME_NET not being updated with new WAN IP
Description: I moved my installation from one server to another. While doing this I temporarily switched the cable modem/router to router mode. I inserted the new ClearOS box back into the LAN between the router and switch in gateway mode so it tried and failed to pick up a 192.168.0.x WAN IP address - see the syswatch log up to 11:07:39. From its timestamp, this is the last time /etc/snort.conf was updated and there is no WAN IP in HOME_NET.
I finally got an IP address on the router LAN soon after that (/var/log/ntpd gives an entry at 11:07:44 and syswatch indicates something at 11:07:40). I can see various clearsync and network_configuration events triggered, but snort.conf was not updated.

After that I switched the modem/router to modem only mode. For a while the ClearOS WAN was in the 192.168.100.x subnet before finally switching to the proper WAN IP, but no updates to snort.conf were made.

Logs are attached. Note during this time I was struggling to pull any WAN IP so I was upping and downing the interface at times hence the number of firewall restarts.
Tags: No tags attached.
Attached Files: logs.zip (28,869 bytes) 2014-03-30 12:57

- Notes
(0001167)
user2
2014-04-01 11:53

Good catch Nick.

When HOME_NET was just the LAN/DMZ/HotLAN IPs (no WAN), the HOME_NET changes were hooked into the "network configuration" event. When a network card configuration was changed, Snort would check its HOME_NET configuration. All good.

When the WAN IP was later added to HOME_NET (tracker 0001302), Snort should have also added a check in the "network connected" event. That's missing.
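
A way to detect the stale state described in this issue, added here as an example and not part of the tracker thread or the app-intrusion-detection code: it parses HOME_NET from snort.conf text and reports which current interface addresses it does not cover. The `ipvar`/`var HOME_NET [a,b]` syntax is assumed from Snort 2.9 conventions, and the sample configuration and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample (not from the attached logs): HOME_NET lists the LAN
# only, which is the state the reporter found after the WAN address changed.
SAMPLE_SNORT_CONF = """\
# /etc/snort.conf excerpt (constructed)
ipvar HOME_NET [192.168.1.0/24,10.10.0.0/16]
ipvar EXTERNAL_NET !$HOME_NET
"""

# Assumption: HOME_NET is declared on one line with "ipvar" or the older "var".
HOME_NET_RE = re.compile(r"^\s*(?:ipvar|var)\s+HOME_NET\s+(\S+)", re.MULTILINE)


def parse_home_net(conf_text):
    """Return the list of networks declared in HOME_NET."""
    match = HOME_NET_RE.search(conf_text)
    if match is None:
        raise ValueError("no HOME_NET declaration found")
    value = match.group(1).strip("[]")
    if value.lower() == "any":
        # "any" covers every address, so nothing can be stale.
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    nets = []
    for item in value.split(","):
        item = item.strip()
        # Negations and variable references are skipped, not resolved.
        if item and not item.startswith(("!", "$")):
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def stale_addresses(conf_text, interface_ips):
    """Return the interface addresses that HOME_NET does not cover."""
    nets = parse_home_net(conf_text)
    missing = []
    for ip in interface_ips:
        addr = ipaddress.ip_address(ip)
        # Membership is False when address and network versions differ.
        if not any(addr in net for net in nets):
            missing.append(ip)
    return missing


if __name__ == "__main__":
    # Constructed addresses: one LAN IP and one WAN IP (documentation range).
    print(stale_addresses(SAMPLE_SNORT_CONF, ["192.168.1.1", "203.0.113.7"]))
```

Run periodically or after an interface comes up, a non-empty result means snort.conf was not regenerated for the current addresses.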
(0001168)
user2
2014-04-01 12:07

https://github.com/clearos/app-intrusion-detection/commit/8d5699a73fe846eacda5cfb05847e3c79dda6fb8
(0001174)
NickH (developer)
2014-04-24 12:19

Please can you push the fix through the build system into release?
(0001175)
user2
2014-04-24 18:57

Done! http://buildsys.clearfoundation.com/plague/job.psp?uid=4244

It should land in clearos-test in a few hours. We'll move it to clearos-updates-testing by Wednesday, but likely earlier.

yum --enablerepo=clearos-test,clearos-updates-testing upgrade app-intrusion-detection

- Issue History
Date Modified Username Field Change
2014-03-30 12:57 NickH New Issue
2014-03-30 12:57 NickH File Added: logs.zip
2014-03-31 08:28 user2 Status new => acknowledged
2014-04-01 11:46 user2 Category app-clearsync - Synchronization and Events => app-intrusion-detection - Intrusion Detection
2014-04-01 11:53 user2 Note Added: 0001167
2014-04-01 11:53 user2 Status acknowledged => confirmed
2014-04-01 11:54 user2 Target Version => 6.5.0 Updates
2014-04-01 12:07 user2 Note Added: 0001168
2014-04-01 12:07 user2 Status confirmed => resolved
2014-04-01 12:07 user2 Fixed in Version => 6.5.0 Updates
2014-04-01 12:07 user2 Resolution open => fixed
2014-04-01 12:07 user2 Assigned To => user2
2014-04-24 12:19 NickH Note Added: 0001174
2014-04-24 12:19 NickH Status resolved => feedback
2014-04-24 12:19 NickH Resolution fixed => reopened
2014-04-24 18:57 user2 Note Added: 0001175
2014-04-24 18:58 user2 Status feedback => resolved
2014-04-24 18:58 user2 Resolution reopened => fixed
2014-06-24 08:29 user2 Status resolved => closed