| Anonymous | Login | 2024-04-26 15:33 MDT |
| Main | My View | View Issues | Change Log | Roadmap | Repositories |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
| 0000034 | ClearOS | app-intrusion-prevention - Intrusion Prevention | public | 2010-02-25 05:48 | 2010-06-17 15:19 | ||||
| Reporter | timb80 | ||||||||
| Assigned To | user2 | ||||||||
| Priority | normal | Severity | major | Reproducibility | sometimes | ||||
| Status | closed | Resolution | fixed | ||||||
| Platform | OS | OS Version | |||||||
| Product Version | 5.1 | ||||||||
| Target Version | Fixed in Version | 5.1 | |||||||
| Summary | 0000034: Snortsam does not always block hosts in a timely manner | ||||||||
| Description | This one is hard to reproduce, after the WAN has been down for an extended time, snortsam will sometimes fail to restart, and will lay dead without warning (besides checking the webconfig manually). Not the problem but maybe related Only snort is automatically restarted on detection of WAN On manual restart (snortsam after snort) snortsam will log blocks correctly, however nothing will be passed to iptables 2010/02/25, 11:52:14, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524). [root@starlane ~]# iptables -L -n -v | grep 4.79 ..nothing At a similar time snortsam also complains that (/var/log/snortsam) it is not in sync with Snort, however acceptance of block from Snort indicates this isn't the problem snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync. On closer inspection it appears that the iptables entry is completely removed from /etc/snortsam.conf # IP Tables plug-in: # You have to specify the adapter to block on (for example, eth0) and you can # optionally add a logging option. [BLANK LINE] Manually adding the following back and restarting snortsam fixes the problem, and iptables rules are recreated:- iptables eth1 syslog.info It is not clear which functions or network situations of the webconfig cause this line to be removed or readded. Or whether if left long enough it would eventually block the host - I have waited >5-10mins This has happened on maybe 2-3 occasions sporadically | ||||||||
| Tags | No tags attached. | ||||||||
| Attached Files | |||||||||
 Relationships |
|
 Relationships |
|
Notes |
|
|
(0000079) timb80 (developer) 2010-04-13 03:52 |
This happened again today - Snort was restarted (after some configuration with local.rules) and the iptables line was noticed as missing from /etc/snortsam.conf 'iptables eth1 syslog.info' The webconfig continues to think it is blocking hosts, and so does snortsam - this is bad. 2010/04/13, 10:47:10, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524). 2010/04/13, 10:47:29, 127.0.0.1, 2, snortsam, Extending block for host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524). But no entries appear in the actual firewall (not surprisingly). However both the user and webconfig are completely unaware [root@starlane ~]# iptables -L -n -v | grep 4.79 [root@starlane ~]# I suggest that Snortsam should not be able to start without a valid iptables plugin in the config? |
|
(0000168) user2 2010-06-08 14:34 |
Fixed. The init script would only implant an "iptables" directive if an external interface was active. That's not good. http://code.clearfoundation.com/svn/revision.php?repname=ClarkConnect&path=/&rev=4069&peg=4069 [^] |
|
(0000169) user2 2010-06-08 14:38 |
There will be an errata available shortly. Look out for snort-2.8.4.1-3.1.v5.i386.rpm in the yum repos. |
|
(0000185) user2 2010-06-17 15:19 |
Errata update: CCBA-2010:057 http://clearsdn.clearcenter.com/software/detail.php?aid=57 [^] |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2010-02-25 05:48 | timb80 | New Issue | |
| 2010-02-26 08:56 | user2 | Status | new => acknowledged |
| 2010-04-13 03:52 | timb80 | Note Added: 0000079 | |
| 2010-06-08 14:34 | user2 | Note Added: 0000168 | |
| 2010-06-08 14:35 | user2 | Status | acknowledged => resolved |
| 2010-06-08 14:35 | user2 | Fixed in Version | => 5.1 |
| 2010-06-08 14:35 | user2 | Resolution | open => fixed |
| 2010-06-08 14:35 | user2 | Assigned To | => user2 |
| 2010-06-08 14:38 | user2 | Note Added: 0000169 | |
| 2010-06-17 15:19 | user2 | Note Added: 0000185 | |
| 2010-06-17 15:19 | user2 | Status | resolved => closed |
|
Issue History |