IPS is enabled, I have tested the “connectivity” “balanced” and “security” templates, the snortd service is running, but the logs never show any activity at all. Status/IPS report always shows zero events, and /var/log/snort/alert is always empty. The docs seem to say you just install the package, enable it, and it runs. I somehow doubt that the problem is just that no one is interested in probing my server.
I don’t see pulledpork in the list of running services, so perhaps that is wrong? Anyway, I’m wondering if there is some IPS dependency that I may be missing? Thanks.
snort on NethServer does not put adapters in promisc mode, it uses netfilter queues.
pulledpork is not a service, so you will not see it running. It’s started from cron every night.
That said, the 3 profiles (balanced, security and connectivity) contain rules that fire rarely on common setups (at least in my setups).
IIRC, custom mode enables all rules by default, it may be a good test to check snort is working.
I’ve shared my custom config in a post here some days ago.
For rules to trigger, the traffic must impact the sensor.
Without knowing the network topology this is hard to troubleshoot. If this test instance is a vm that’s not processing the traffic for clients ‘behind’ it then how can it see traffic to trigger a rule?
What rule are you trying to trigger?
Example test: enable rule sid 498 on your NS instance and, from the CLI of that NS instance, run wget testmyids.com and see if that triggers an alert.
NS is installed on a dedicated server machine and acting as UTM.
RED eth is connected to the internet with public ip (WAN).
GREEN eth is connected to LAN with private IP.
No firewall rules for inbound and/or outbound; only Web Proxy and Web Filter.
IPS is enabled with Balanced Rule Policy (tested also with Connectivity and Security Rules Policy, as @AZChas already did). Aren’t these rules the trigger? Isn’t the RED eth the sensor? I think so. So, if these rules are supposed to be working, there must be something written in the IPS report. Am I wrong?
Gabriel: Thank you for pursuing this. I want to confirm that I have not solved the problem myself, and my NS configuration is like yours: Red public IP on the internet, Green private LAN, no firewall rules, web proxy and web filter working. I have been engaged in other projects and haven’t been able to get back to this, so I appreciate your efforts to find the answer. Thanks! --Charlie
There are no rules in the snort rules folder. If that’s the correct directory for the rules in the NS implementation of IPS, then that’s why no one is getting any alerts: it looks like the rules are not being populated because pulledpork is pointing to a server that doesn’t appear to have any rules when I look with a browser.
Jan 6 13:09:19 server32 esmith::event[2865]: #011Error 404 when fetching https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
Jan 6 13:09:19 server32 esmith::event[2865]: #011main::md5file('Community', 'community-rules.tar.gz', '/tmp/', 'https://s3.amazonaws.com/snort-org/www/rules/community/') called at /usr/bin/pulledpork.pl line 1847
Jan 6 13:09:19 server32 esmith::event[2865]: Checking latest MD5 for community-rules.tar.gz…
Jan 6 13:09:19 server32 esmith::event[2865]: #011A 404 error occurred, please verify your filenames and urls for your tarball!
Jan 6 13:09:19 server32 esmith::event[2865]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply FAILED: 255 [3.474154]
I tried changing the pulledpork.conf rule URL to the above, but after restarting snort in the GUI, e-smith overwrote my change. Since I don’t know where to find the e-smith file to change, I’m just going to leave this at this point.
If someone wants to point me to the exact file that I can make the appropriate changes then I will follow up with this more.
That is my biggest struggle with NS, knowing which e-smith file to make permanent changes to for any given service, but it’s probably because I don’t have a couple of days to sit down and work it through.
I do have a new network buildout on my desk with a shiny new install of sophos xg and a 3 pack of unifi ap though.
I forgot all about that. Jeez. Thanks.
Curious that my fresh install doesn’t have the updated pulledpork as I’m reading from bug #3301
Status changed from VERIFIED to CLOSED
% Done changed from 90 to 100
Released in nethserver-updates:
nethserver-pulledpork-1.0.2-1.ns6.noarch.rpm
Having rules in place, the problem I encounter now is that all the easy rules I have to test are commented out in the rules regardless of having selected Expert.
Now the issue is how to un-comment a particular rule and reload it without running pulledpork again and overwriting the rules per the esmith scheme.
When I change policies, the outcome doesn’t match what I would expect, but it would explain why so many rules are commented out when I look at the rules file.
When I submit Expert in the GUI, the last one in the log snapshot, it seems to apply a disabled policy even though it lists 18 thousand odd rules as enabled.
I wouldn’t expect Security to disable all the rules.
-=Begin Changes Logged for Thu Jan 7 00:57:47 2016 GMT=-
yeah, this doesn’t look right, but what do I know? @filippo_carletti
[root@server32 pulledpork.conf]# cat 30policy |more
# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets
{
my $policy = $pulledpork{'Policy'} || 'connectivity';
if ($policy eq 'expert') {
$OUT .= "#ips_policy DISABLED - EXPERT MODE\n";
} else {
$OUT .= "ips_policy=$policy\n";
}
}
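As an added example (not code from this thread, from NethServer or from pulledpork), a small Python model of what the ips_policy line emitted by the 30policy template does to a rules file, plus the per-sid overrides pulledpork offers through enablesid/disablesid: with a policy set, only rules whose metadata names that policy stay enabled and every other rule is commented out, which is why Security or Connectivity can leave a file full of "# alert" lines; in expert mode ips_policy is unset and rules keep their shipped state. The sample rules are constructed (the sid 498 line only approximates the community rule used as the test above), and applying enablesid after disablesid is an assumption.

```python
import re

# Constructed sample rules file, not a rules file from the page. The sid 498
# line approximates the community "id check returned root" rule; the others
# are made up to show one rule per policy outcome.
SAMPLE_RULES = """\
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh banner probe"; flow:to_server; content:"SSH-"; metadata:policy balanced-ips alert, policy security-ips drop; classtype:attempted-recon; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy security-ips alert; classtype:bad-unknown; sid:498; rev:6;)
# alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE noisy web rule"; content:"GET"; classtype:web-application-activity; sid:1000002; rev:1;)
"""

# A rule line, optionally shipped commented out with a leading '#'.
RULE_RE = re.compile(r'^(#\s*)?((?:alert|drop|log|pass)\s.*)$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def apply_policy(rules_text, policy=None, enablesid=(), disablesid=()):
    """Return (rewritten rules text, set of enabled sids).

    policy: 'connectivity', 'balanced' or 'security' keeps only rules whose
            metadata carries 'policy <policy>-ips'; None models the expert
            profile, where ips_policy is left unset and each rule keeps the
            enabled/commented state it shipped with.
    enablesid / disablesid: per-sid overrides applied after the policy
            (enablesid last, an assumption about precedence).
    """
    out, enabled_sids = [], set()
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            out.append(line)  # blank line or ordinary comment, untouched
            continue
        shipped_commented, body = bool(m.group(1)), m.group(2)
        sid_m = SID_RE.search(body)
        sid = int(sid_m.group(1)) if sid_m else None
        if policy:
            enabled = f"policy {policy}-ips" in body
        else:
            enabled = not shipped_commented
        if sid in disablesid:
            enabled = False
        if sid in enablesid:
            enabled = True
        out.append(body if enabled else "# " + body)
        if enabled and sid is not None:
            enabled_sids.add(sid)
    return "\n".join(out) + "\n", enabled_sids
```

Running it with policy="connectivity" on the sample leaves no rule enabled, while policy=None with enablesid={1000002} is the expert-mode path the thread is after: one rule uncommented without touching the rest.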