IPS not working


(Charlie Lehardy) #1

IPS is enabled, I have tested the “connectivity” “balanced” and “security” templates, the snortd service is running, but the logs never show any activity at all. Status/IPS report always shows zero events, and /var/log/snort/alert is always empty. The docs seem to say you just install the package, enable it, and it runs. I somehow doubt that the problem is just that no one is interested in probing my server. :smile:

I don’t see pulledpork in the list of running services, so perhaps that is wrong? Anyway, I’m wondering if there is some IPS dependency that I may be missing? Thanks.


#2

Is the adapter running in promisc?


(Charlie Lehardy) #3

No sir.


(Filippo Carletti) #4

snort on NethServer does not put adapters in promisc mode, it uses netfilter queues.
pulledpork is not a service, so you will not see it running. It’s started from cron every night.

That said, the 3 profiles (balanced, security and connectivity) contain rules that fire rarely on common setups (at least in my setups).

IIRC, custom mode enables all rules by default, it may be a good test to check snort is working.
I’ve shared my custom config in a post here some days ago.


(Gabriel GHEORGHIU) #5

Still not working!


#6

For rules to trigger, the traffic must impact the sensor.
Without knowing the network topology this is hard to troubleshoot. If this test instance is a vm that’s not processing the traffic for clients ‘behind’ it then how can it see traffic to trigger a rule?
What rule are you trying to trigger?

Example test: enable rule sid 498 on your NS instance and, from the CLI of that NS instance, enter wget testmyids.com and see if that triggers an alert.


(Gabriel GHEORGHIU) #7

Hi @fasttech,
Basically you’re right but:

  1. NS is installed on a dedicated server machine and acting as UTM.
  2. RED eth is connected to the internet with public ip (WAN).
  3. GREEN eth is connected to LAN with private IP.
  4. No firewall rules for inbound and/or outbound; only Web Proxy and Web Filter.
  5. IPS is enabled with Balanced Rule Policy (tested also with Connectivity and Security Rules Policy, as @AZChas already did). Aren’t these Rules the trigger? Isn’t RED eth the sensor? I think yes. So, if these Rules are supposed to be working well, there must be something written in the IPS report. Am I wrong?
  6. I’m sure there is some activity out there, like @stephdl said here:
    Nethserver-fail2ban needs testers
  7. I want to use NS in production. At this moment I use it in parallel with Endian UTM.
    Please see what Endian shows about IPS and how Endian uses IPS.


(Charlie Lehardy) #8

Gabriel: Thank you for pursuing this. I want to confirm that I have not solved the problem myself, and my NS configuration is like yours: Red public IP on the internet, Green private LAN, no firewall rules, web proxy and web filter working. I have been engaged in other projects and haven’t been able to get back to this, so I appreciate your efforts to find the answer. Thanks! --Charlie


#9

I fired up an NS instance and installed ips.

There are no rules in the snort rules folder. If that’s the correct directory for the rules for the NS implementation of ips, then that’s why no one is getting any alerts; it looks like the rules are not being populated because pulledpork is pointing to a server that doesn’t appear to have any rules when I look with a browser.

Jan 6 13:09:19 server32 esmith::event[2865]: #011Error 404 when fetching https://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz.md5 at /usr/bin/pulledpork.pl line 463
Jan 6 13:09:19 server32 esmith::event[2865]: #011main::md5file('Community', 'community-rules.tar.gz', '/tmp/', 'https://s3.amazonaws.com/snort-org/www/rules/community/') called at /usr/bin/pulledpork.pl line 1847
Jan 6 13:09:19 server32 esmith::event[2865]: Checking latest MD5 for community-rules.tar.gz…
Jan 6 13:09:19 server32 esmith::event[2865]: #011A 404 error occurred, please verify your filenames and urls for your tarball!
Jan 6 13:09:19 server32 esmith::event[2865]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply FAILED: 255 [3.474154]

I don’t see any rules at that URL; the snort site has this URL for community:
https://www.snort.org/downloads/community/community-rules.tar.gz

I tried changing the pulledpork.conf rule URL to the above, but after restarting snort in the GUI e-smith overwrote my change. Since I don’t know where to find the e-smith file to change, I’m just going to leave this at this point.

If someone wants to point me to the exact file in which I can make the appropriate changes, then I will follow up with this more.

That is my biggest struggle with NS: knowing which e-smith file to make permanent changes to for any given service. But it’s probably because I don’t have a couple of days to sit down and work it through.

I do have a new network buildout on my desk with a shiny new install of sophos xg and a 3 pack of unifi ap though. :smile:


(Eddie Atherton) #10

@fasttech
Does this help with the error pulling down the rules?

Cheers.


#11

I forgot all about that. Jeez. Thanks.
Curious that my fresh install doesn’t have the updated pulledpork as I’m reading from bug #3301

Status changed from VERIFIED to CLOSED
% Done changed from 90 to 100
Released in nethserver-updates:
nethserver-pulledpork-1.0.2-1.ns6.noarch.rpm

Having rules in place, the problem I encounter now is that all the easy rules I have to test are commented out in the rules regardless of having selected Expert.

Now the issue is how to un-comment a particular rule and reload it without running pulledpork again and overwriting the rules per the esmith scheme.
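
An added example (my code, not anything posted by the participants or shipped by NethServer or pulledpork) for checking what the posts above inspect by eye: it parses the snort.rules file pulledpork writes, reproduces the Rule Totals breakdown (enabled, dropped, disabled, total) and reports whether a given sid, such as the 498 test rule suggested in post #6, is live or written out commented. The sample rules are constructed; on a real box you would read /etc/snort/rules/snort.rules (the path from the log further down) instead.

```python
import re

# Rule actions a snort rule line may start with.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"\s*;')

# Constructed sample in the layout pulledpork writes to snort.rules (NOT a real ruleset):
# two rules written out disabled with a leading '#', the sid 498 test rule and one drop rule live.
SAMPLE_RULES = """\
# ---- constructed sample ----
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE ssh probe"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned root"; \\
    content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:7;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SAMPLE telnet"; sid:1000002; rev:1;)
# drop udp any any -> $HOME_NET 53 (msg:"SAMPLE dns"; gid:1; sid:1000003; rev:1;)
"""

def parse_rules(text):
    """Return {(gid, sid): {"enabled": bool, "action": str, "msg": str}}.
    A rule is 'disabled' when written with a leading '#'; other comments are skipped."""
    rules = {}
    # Snort continues a rule across lines with a trailing backslash: join those first.
    for line in text.replace("\\\n", "").splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith("#")
        body = stripped if enabled else stripped.lstrip("# ")
        action = body.split(None, 1)[0] if body else ""
        sid = SID_RE.search(body)  # first sid: option wins
        if action not in ACTIONS or not sid:
            continue  # plain comment, blank line, or line without a sid
        gid, msg = GID_RE.search(body), MSG_RE.search(body)
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = {
            "enabled": enabled, "action": action, "msg": msg.group(1) if msg else ""}
    return rules

def rule_totals(rules):
    """Same breakdown as pulledpork's 'Rule Totals'; 'enabled' excludes drop rules."""
    live = [r for r in rules.values() if r["enabled"]]
    dropped = sum(1 for r in live if r["action"] == "drop")
    return {"enabled": len(live) - dropped, "dropped": dropped,
            "disabled": len(rules) - len(live), "total": len(rules)}

def sid_state(rules, sid, gid=1):
    """'enabled', 'disabled' or 'missing' for one gid:sid pair."""
    r = rules.get((gid, sid))
    return "missing" if r is None else ("enabled" if r["enabled"] else "disabled")
```

A file where every rule comes back "disabled" and the totals show 0 enabled is the symptom the posts below describe; a sid that comes back "missing" means pulledpork never fetched that ruleset at all.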


#12

When I change policies, the outcome doesn’t match what I would expect, but it would explain why so many rules are commented out when I look at the rules file.

When I submit Expert in the GUI (the last one in the log snapshot), it seems to apply a disabled policy even though it lists 18 thousand odd rules as enabled.
I wouldn’t expect Security to disable all the rules.

-=Begin Changes Logged for Thu Jan 7 00:57:47 2016 GMT=-

Set Policy: connectivity

Rule Totals
New:-------0
Deleted:---0
Enabled:---0
Dropped:---0
Disabled:--23078
Total:-----23078

No IP Blacklist Changes

-=End Changes Logged for Thu Jan 7 00:57:47 2016 GMT=-

-=Begin Changes Logged for Thu Jan 7 00:58:41 2016 GMT=-

Set Policy: balanced

Rule Totals
New:-------0
Deleted:---0
Enabled:---0
Dropped:---0
Disabled:--23078
Total:-----23078

No IP Blacklist Changes

-=End Changes Logged for Thu Jan 7 00:58:41 2016 GMT=-

-=Begin Changes Logged for Thu Jan 7 01:00:07 2016 GMT=-

Set Policy: security

Rule Totals
New:-------0
Deleted:---0
Enabled:---0
Dropped:---0
Disabled:--23078
Total:-----23078

No IP Blacklist Changes

-=End Changes Logged for Thu Jan 7 01:00:07 2016 GMT=-

-=Begin Changes Logged for Thu Jan 7 01:00:35 2016 GMT=-

Set Policy: Disabled

Rule Totals
New:-------0
Deleted:---0
Enabled:---18920
Dropped:---0
Disabled:--4158
Total:-----23078

No IP Blacklist Changes

-=End Changes Logged for Thu Jan 7 01:00:35 2016 GMT=-


#13

yeah, this doesn’t look right, but what do I know? @filippo_carletti

[root@server32 pulledpork.conf]# cat 30policy |more
# What is the base ruleset that you want to use, please uncomment to use
# and see the README.RULESETS for a description of the options.
# Note that setting this value will disable all ET rulesets if you are
# Running such rulesets

{
    my $policy = $pulledpork{'Policy'} || 'connectivity';
    if ($policy eq 'expert') {
        $OUT .= "#ips_policy DISABLED - EXPERT MODE\n";
    } else {
        $OUT .= "ips_policy=$policy\n";
    }
}

(Filippo Carletti) #14

I’ve shared my config in the past:

With that config (maybe slightly adjusted since that time) I have:

-=Begin Changes Logged for Thu Jan  7 01:30:16 2016 GMT=-

Set Policy: Disabled

Rule Totals
        New:-------0
        Deleted:---0
        Enabled:---8949
        Dropped:---7643
        Disabled:--9819
        Total:-----26411

#15

@filippo_carletti Damnit, I’m so stupid, I went back and looked at the docs again and realized I got Expert and Security mixed up, grrrrr, sorry.


#16

But I still don’t get it.

-=Begin Changes Logged for Thu Jan 7 15:59:13 2016 GMT=-

Set Policy: security

Rule Totals
New:-------0
Deleted:---0
Enabled:---0
Dropped:---0
Disabled:--23084
Total:-----23084

No IP Blacklist Changes

-=End Changes Logged for Thu Jan 7 15:59:13 2016 GMT=-

Disabling all the rules under Security doesn’t seem to jibe with the description of Security in the docs.


#17

Yeah, I just don’t get it.

Jan 7 08:59:09 server32 /sbin/e-smith/db[6476]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|expert
Jan 7 08:59:09 server32 /sbin/e-smith/db[6476]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|security
Jan 7 08:59:09 server32 esmith::event[6479]: Event: nethserver-pulledpork-save
Jan 7 08:59:09 server32 esmith::event[6479]: expanding /etc/snort/pulledpork.conf
Jan 7 08:59:09 server32 esmith::event[6479]: expanding /etc/snort/dropsid.conf
Jan 7 08:59:09 server32 esmith::event[6479]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.092139]
Jan 7 08:59:09 server32 esmith::event[6479]:
Jan 7 08:59:09 server32 esmith::event[6479]: http://code.google.com/p/pulledpork/
Jan 7 08:59:09 server32 esmith::event[6479]: _____ ____
Jan 7 08:59:09 server32 esmith::event[6479]: ----,\ )
Jan 7 08:59:09 server32 esmith::event[6479]: --==\ / PulledPork v0.7.0 - Swine Flu!
Jan 7 08:59:09 server32 esmith::event[6479]: `--==\/
Jan 7 08:59:09 server32 esmith::event[6479]: .-~~~~-.Y|\_ Copyright © 2009-2013 JJ Cummings
Jan 7 08:59:09 server32 esmith::event[6479]: @_/ / 66_ cummingsj@gmail.com
Jan 7 08:59:09 server32 esmith::event[6479]: | \ \ _(")
Jan 7 08:59:09 server32 esmith::event[6479]: \ /-| ||'--' Rules give me wings!
Jan 7 08:59:09 server32 esmith::event[6479]: _\ _\
Jan 7 08:59:09 server32 esmith::event[6479]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jan 7 08:59:09 server32 esmith::event[6479]:
Jan 7 08:59:10 server32 esmith::event[6479]: Checking latest MD5 for emerging.rules.tar.gz…
Jan 7 08:59:10 server32 esmith::event[6479]: #011They Match
Jan 7 08:59:10 server32 esmith::event[6479]: #011Done!
Jan 7 08:59:10 server32 esmith::event[6479]: Prepping rules from emerging.rules.tar.gz for work…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done!
Jan 7 08:59:13 server32 esmith::event[6479]: Reading rules…
Jan 7 08:59:13 server32 esmith::event[6479]: Reading rules…
Jan 7 08:59:13 server32 esmith::event[6479]: Activating security rulesets…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Processing /etc/snort/enablesid.conf…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Modified 0 rules
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Processing /etc/snort/dropsid.conf…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Modified 0 rules
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Processing /etc/snort/disablesid.conf…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Modified 0 rules
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Setting Flowbit State…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Writing /etc/snort/rules/snort.rules…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Generating sid-msg.map…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Writing v1 /etc/snort/sid-msg.map…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Writing /var/log/sid_changes.log…
Jan 7 08:59:13 server32 esmith::event[6479]: #011Done
Jan 7 08:59:13 server32 esmith::event[6479]: Rule Stats…
Jan 7 08:59:13 server32 esmith::event[6479]: #011New:-------0
Jan 7 08:59:13 server32 esmith::event[6479]: #011Deleted:---0
Jan 7 08:59:13 server32 esmith::event[6479]: #011Enabled Rules:----0
Jan 7 08:59:13 server32 esmith::event[6479]: #011Dropped Rules:----0
Jan 7 08:59:13 server32 esmith::event[6479]: #011Disabled Rules:---23084
Jan 7 08:59:13 server32 esmith::event[6479]: #011Total Rules:------23084
Jan 7 08:59:13 server32 esmith::event[6479]: No IP Blacklist Changes
Jan 7 08:59:13 server32 esmith::event[6479]:
Jan 7 08:59:13 server32 esmith::event[6479]: Done
Jan 7 08:59:13 server32 esmith::event[6479]: Please review /var/log/sid_changes.log for additional details


(Gabriel GHEORGHIU) #18

Hi everybody,

This is what I get in “/var/log/messages” after I have changed the IPS policy from “Security” to “Balanced”.


IPS really working?