IPS Error with fresh updated install of 6.7

Adam · October 29, 2015, 4:36pm

With two separate installs of 6.7 today, I did the following:

Installed all updates
Installed Basic firewall, DNS and DHCP server, Intrusion Prevention System, Web filter, and Web proxy packages
Configured green and red interfaces and enabled DHCP
Enabled and configured content filter
Enabled and configured web proxy
Enabled IPS and BOOM, I get this error:

It doesn’t matter which rule policy I select and even displays that error when I disable IPS. I see these errors in messages log:

Oct 29 12:17:12 localhost esmith::event[25916]: #011A 404 error
occurred, please verify your filenames and urls for your tarball!
Oct 29 12:17:12 localhost esmith::event[25916]: Action:
/etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply
FAILED: 255 [0.55115]
Oct 29 12:17:12 localhost esmith::event[25916]: Event:
nethserver-pulledpork-save FAILED

filippo_carletti · October 29, 2015, 4:42pm

snort is making some modification to their website, moving links, etc.
I hope they will fix things in the coming days.
If not, we need an updated version of pulledpork (the snort update tool).
Either way, it will be fixed in a few days.

Adam · October 29, 2015, 5:25pm

Should I hold off on this testing until it’s resolved?

filippo_carletti · October 29, 2015, 5:31pm

No. But the sid_changes.log will not be updated any longer.

Adam · October 29, 2015, 5:54pm

I don’t have any NethServer servers with a sid_changes.log file and it looks like it’s not created unless IPS can be enabled correctly… so I think it’ll have to wait.

filippo_carletti · October 29, 2015, 6:05pm

Delete this line from /etc/snort/pulledpork.conf:

rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

You will be downloading only ET rules without errors.
You could run the following command to force download now:

/usr/bin/pulledpork.pl -c /etc/snort/pulledpork.conf

filippo_carletti · October 29, 2015, 6:28pm

snort has noticed the problem:

I tested the instructions: those work on NethServer.
I will work on a fix tomorrow, now I’m heading out to the local Linux User Group meeting.

Adam · October 29, 2015, 7:07pm

Perfect! I also made the change here and it worked great:

/etc/e-smith/templates/etc/snort/pulledpork.conf

BTW, local Linux user group meeting sounds fun! I’m a bit of a newb with linux, but I’ve started getting into it pretty hard core. I recently acquired a HP Microserver Gen8 with 4x 6tb WD red drives, 8GB RAM, a Xeon, and a P222 controller for home. I’ve been doing some testing with CentOS 7 and having a blast. The wife and kid are starting to miss me though. LOL!

Adam · November 10, 2015, 10:08pm

Is there going to be an update for this?

filippo_carletti · November 11, 2015, 7:43am

I think I’ve released it last week. I’ve probably made a mistake, give me some time to double check.

Update: it was released yesterday, sorry. See:
http://dev.nethserver.org/issues/3301#note-6

When a package has been verified but still unreleased, it could be safely updated from the testing repository.

Adam · November 11, 2015, 1:48pm

Sorry about that… I quickly browsed through redmine but didn’t see this issue, there weren’t any updates available through the standard repo, and the issue was still happening. It seems to be working now after updating though. Thanks!!

EddieA · December 17, 2015, 5:20am

@filippo_carletti
Are you sure that it’s updated in the repository. The Software Center shows nothing to update, but:

[root@NethServer ~]# yum list | grep pulled
nethserver-pulledpork.noarch        1.0.1-1.ns6              @nethserver-updates
pulledpork.noarch                   0.7.0-2                  @nethserver-base
[root@NethServer ~]## yum repolist
Loaded plugins: changelog, fastestmirror, nethserver_events, presto
Loading mirror speeds from cached hostfile
 * nethserver-base: mirror.nethserver.org
 * nethserver-updates: mirror.nethserver.org
repo id                            repo name                              status
centos-base                        CentOS-6 Base                          6,518
centos-updates                     CentOS-6 Updates                       1,370
nethserver-base                    NethServer 6.7 base                      327
nethserver-updates                 NethServer 6.7 updates                   412
repolist: 8,627
[root@NethServer ~]#

Cheers.

filippo_carletti · December 17, 2015, 9:32am

Do you have an http cache between NethServer and the mirrors?

Here I see:

[root@nscom ~]# yum repolist
Loaded plugins: changelog, fastestmirror, nethserver_events, presto
Determining fastest mirrors
 * centos-base: centos.muzzy.it
 * centos-updates: ba.mirror.garr.it
Including mirror: mirror.nethserver.org
 * nethserver-base: mirror.nethserver.org
Including mirror: mirror.nethserver.org
 * nethserver-updates: mirror.nethserver.org
centos-base                                                                                                  | 3.7 kB     00:00     
centos-base/primary_db                                                                                       | 4.6 MB     00:01     
centos-updates                                                                                               | 3.4 kB     00:00     
centos-updates/primary_db                                                                                    | 3.2 MB     00:00     
nethserver-base                                                                                              | 3.7 kB     00:00     
nethserver-base/primary_db                                                                                   | 436 kB     00:00     
nethserver-updates                                                                                           | 4.1 kB     00:00     
nethserver-updates/primary_db                                                                                | 129 kB     00:00     
repo id                                                      repo name                                                        status
centos-base                                                  CentOS-6 Base                                                    6,575
centos-updates                                               CentOS-6 Updates                                                   954
nethserver-base                                              NethServer 6.7 base                                                446
nethserver-updates                                           NethServer 6.7 updates                                              70
repolist: 8,045
[root@nscom ~]# yum list | grep pulled
nethserver-pulledpork.noarch        1.0.2-1.ns6                 @nethserver-updates
pulledpork.noarch                   0.7.0-2                     @nethserver-base

EddieA · December 17, 2015, 5:37pm

Nope. The server is connected directly to the internet.

Cheers.

EddieA · December 18, 2015, 12:26am

Not sure why it suddenly kicked in this afternoon after a couple of days of running, but now the Software Center shows around 200 packages to be updated with around 30 Nethserver ones in the list, including this one. I guess it’s catching up with all the changes since I built the system a couple of months ago and then put it to one side while gathering the courage to switch out my Zentyal.

Cheers.