IPS really working?

Hi @all,
I did some penetration tests with kali on my nethserver.
But all attacks I tested were not blocked by the IPS.

I have set it to balanced.
Is the IPS working at the green zone?
Is it correct that only 24 rules are active?

Here is my messages logfile:
Feb 19 22:20:57 mynethserver /sbin/e-smith/db[26481]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|security
Feb 19 22:20:57 mynethserver /sbin/e-smith/db[26481]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|balanced
Feb 19 22:20:57 mynethserver esmith::event[26484]: Event: nethserver-pulledpork-save
Feb 19 22:20:57 mynethserver esmith::event[26484]: expanding /etc/snort/pulledpork.conf
Feb 19 22:20:57 mynethserver esmith::event[26484]: expanding /etc/snort/dropsid.conf
Feb 19 22:20:57 mynethserver esmith::event[26484]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.179774]
Feb 19 22:20:57 mynethserver esmith::event[26484]:
Feb 19 22:20:57 mynethserver esmith::event[26484]: http://code.google.com/p/pulledpork/
Feb 19 22:20:57 mynethserver esmith::event[26484]: _____ ____
Feb 19 22:20:57 mynethserver esmith::event[26484]: ----,\ ) Feb 19 22:20:57 mynethserver esmith::event[26484]:–==\ / PulledPork v0.7.0 - Swine Flu!
Feb 19 22:20:57 mynethserver esmith::event[26484]: `–==\/
Feb 19 22:20:57 mynethserver esmith::event[26484]: .-~~~~-.Y|\_ Copyright © 2009-2013 JJ Cummings
Feb 19 22:20:57 mynethserver esmith::event[26484]: @_/ / 66_ cummingsj@gmail.com
Feb 19 22:20:57 mynethserver esmith::event[26484]: | \ \ _(")
Feb 19 22:20:57 mynethserver esmith::event[26484]: \ /-| ||’–’ Rules give me wings!
Feb 19 22:20:57 mynethserver esmith::event[26484]: _\ _\
Feb 19 22:20:57 mynethserver esmith::event[26484]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Feb 19 22:20:57 mynethserver esmith::event[26484]:
Feb 19 22:21:01 mynethserver esmith::event[26484]: Rules tarball download of community-rules.tar.gz…
Feb 19 22:21:01 mynethserver esmith::event[26484]: Checking latest MD5 for emerging.rules.tar.gz…
Feb 19 22:21:01 mynethserver esmith::event[26484]: #011They Match
Feb 19 22:21:01 mynethserver esmith::event[26484]: #011Done!
Feb 19 22:21:01 mynethserver esmith::event[26484]: Prepping rules from emerging.rules.tar.gz for work…
Feb 19 22:21:01 mynethserver esmith::event[26484]: #011Done!
Feb 19 22:21:01 mynethserver esmith::event[26484]: Prepping rules from community-rules.tar.gz for work…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done!
Feb 19 22:21:07 mynethserver esmith::event[26484]: Reading rules…
Feb 19 22:21:07 mynethserver esmith::event[26484]: Reading rules…
Feb 19 22:21:07 mynethserver esmith::event[26484]: Activating balanced rulesets…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Processing /etc/snort/enablesid.conf…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Modified 0 rules
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Processing /etc/snort/dropsid.conf…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Modified 716 rules
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Processing /etc/snort/disablesid.conf…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Modified 0 rules
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Setting Flowbit State…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Enabled 3 flowbits
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Enabled 1 flowbits
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Writing /etc/snort/rules/snort.rules…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Generating sid-msg.map…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Writing v1 /etc/snort/sid-msg.map…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Writing /var/log/sid_changes.log…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Rule Stats…
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011New:-------0
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Deleted:—0
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Enabled Rules:----24
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Dropped Rules:----716
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Disabled Rules:—25890
Feb 19 22:21:07 mynethserver esmith::event[26484]: #011Total Rules:------26630
Feb 19 22:21:07 mynethserver esmith::event[26484]: No IP Blacklist Changes
Feb 19 22:21:07 mynethserver esmith::event[26484]:
Feb 19 22:21:07 mynethserver esmith::event[26484]: Done
Feb 19 22:21:07 mynethserver esmith::event[26484]: Please review /var/log/sid_changes.log for additional details
Feb 19 22:21:07 mynethserver esmith::event[26484]: Fly Piggy Fly!
Feb 19 22:21:07 mynethserver esmith::event[26484]: Action: /etc/e-smith/events/nethserver-pulledpork-save/S30nethserver-pulledpork-apply SUCCESS [9.753767]
Feb 19 22:21:07 mynethserver esmith::event[26484]: Event: nethserver-pulledpork-save SUCCESS
Feb 19 22:21:07 mynethserver esmith::event[26497]: Event: nethserver-snort-save
Feb 19 22:21:07 mynethserver esmith::event[26497]: expanding /etc/snort/snort.conf
Feb 19 22:21:07 mynethserver esmith::event[26497]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.147899]
Feb 19 22:21:07 mynethserver esmith::event[26497]: [INFO] service snortd restart
Feb 19 22:21:07 mynethserver snort[25938]: *** Caught Term-Signal
Feb 19 22:21:08 mynethserver esmith::event[26497]: Stopping snort: [ OK ]#015
Feb 19 22:21:09 mynethserver esmith::event[26497]: Starting snort: Spawning daemon child…
Feb 19 22:21:09 mynethserver esmith::event[26497]: My daemon child 26558 lives…
Feb 19 22:21:09 mynethserver esmith::event[26497]: Daemon parent exiting (0)
Feb 19 22:21:09 mynethserver esmith::event[26497]: [ OK ]#015
Feb 19 22:21:09 mynethserver esmith::event[26497]: [INFO] snortd restart
Feb 19 22:21:09 mynethserver esmith::event[26497]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [1.648817]
Feb 19 22:21:09 mynethserver esmith::event[26497]: Event: nethserver-snort-save SUCCESS
Feb 19 22:21:09 mynethserver esmith::event[26563]: Event: firewall-adjust
Feb 19 22:21:09 mynethserver esmith::event[26564]: Event: nethserver-firewall-base-save firewall-adjust
Feb 19 22:21:09 mynethserver esmith::event[26564]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S02providers-cleanup SUCCESS [0.06087]
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/collectd.conf
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/hosts
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/collectd.d/ping.conf
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/lsm/lsm.conf
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/rules
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/zones
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/providers
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/tcrules
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/tcpri
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/rtrules
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/nat
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/stoppedrules
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/policy
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/actions
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/masq
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/tcinterfaces
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/shorewall.conf
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/interfaces
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/maclist
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/tunnels
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /etc/shorewall/hosts
Feb 19 22:21:09 mynethserver esmith::event[26564]: expanding /var/www/html/wpad.dat
Feb 19 22:21:09 mynethserver esmith::event[26564]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.39188]
Feb 19 22:21:10 mynethserver logger: Shorewall restarted
Feb 19 22:21:10 mynethserver esmith::event[26564]: [NOTICE] Shorewall restart
Feb 19 22:21:10 mynethserver esmith::event[26564]: Action: /etc/e-smith/events/nethserver-firewall-base-save/S89nethserver-shorewall-restart SUCCESS [1.125118]
Feb 19 22:21:11 mynethserver esmith::event[26564]: lsm stop/pre-start, process 27042
Feb 19 22:21:11 mynethserver esmith::event[26564]: [INFO] lsm has been started
Feb 19 22:21:11 mynethserver esmith::event[26564]:
Feb 19 22:21:11 mynethserver esmith::event[26564]: [INFO] service collectd restart
Feb 19 22:21:11 mynethserver collectd[26462]: Exiting normally.
Feb 19 22:21:11 mynethserver collectd[26462]: collectd: Stopping 5 read threads.
Feb 19 22:21:11 mynethserver collectd[26462]: ping plugin: Shutting down thread.
Feb 19 22:21:11 mynethserver collectd[26462]: rrdtool plugin: Shutting down the queue thread. This may take a while.
Feb 19 22:21:11 mynethserver esmith::event[26564]: collectd beenden: [ OK ]#015
Feb 19 22:21:11 mynethserver collectd[27079]: Initialization complete, entering read-loop.
Feb 19 22:21:11 mynethserver esmith::event[26564]: collectd starten: [ OK ]#015
Feb 19 22:21:11 mynethserver esmith::event[26564]: [INFO] collectd restart
Feb 19 22:21:11 mynethserver esmith::event[26564]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.374201]
Feb 19 22:21:11 mynethserver esmith::event[26564]: Event: nethserver-firewall-base-save SUCCESS
Feb 19 22:21:11 mynethserver esmith::event[26563]: Action: /etc/e-smith/events/firewall-adjust/S20firewall-adjust SUCCESS [2.078208]
Feb 19 22:21:11 mynethserver esmith::event[26563]: Event: firewall-adjust SUCCESS

Thank you for your help.

Here, read this, it’s kinda in limbo right now and I haven’t had time to really follow up on it.

No, only in red zone!
You can see this at the /etc/snort/snort.conf

var HOME_NET [127.0.0.1/32,192.168.1.0/24]
var DNS_SERVERS [192.168.2.254]
var EXTERNAL_NET        !$HOME_NET

Sorry, I’m not sure what you’re asking by “working at the green zone”.
Then you say only in red.

Firing off a vuln scan doesn’t tell you if you have the correct rules to match the attack traffic.
That’s why, in the other thread I posted, I picked a specific rule and specific attack (that web page) that I know does what I expect.

I assume your red zone should fall under external_net since that’s going to be any zone not home_net.

That is expected behavior.

Yes, red zone is external_net. I found out that there is a configuration problem with expert mode.
Snort will not start because there are some rules which need the config setting preprocessor ssl
I fixed it, but till now no alert. I will check this the next days

If you search this forum you’ll find my full working snort config.

May we add your config as default? Or maybe we should document it better.

1 Like

@alefattorini: I cannot answer your question. I don’t know if other configurations than expert will work.
In my cases I got no alerts.

Now in expert mode I get some alerts. Is there any possibility to get this via mailreport?
How can I change the rules from alerting to blocking?

I’m thinking to add a new option called “All rules (debug)” to test that snort is working. What do you think?

2 Likes

Honestly, and this is crazy talk I know, but the ideal would be to be able to enable / disable each rule… in the gui.
For me, what I’d prefer is to have the time to figure out the exact file in e-smith that I can go into and uncomment any given rule I wish to enable regardless of the 4 options. This is particularly important for testing, as I’ve stated in some other ips related posts, that’s the only way to know if ips is working, enable a rule and then give cause for it to fire, I can do this without issue with standalone snort install. The NS options, to me, are entirely too, either broad or minimal. But this is one of the tasks I have in my list, but I cannot prioritize, I want to invest my time in getting v7 out of beta and into production.

1 Like

Sounds good, I agree that IPS needs some work in this area… we are here to help whenever you have time to work on 7

Maybe we could enable each category, without going to “single rule” detail.

If you mean enable all 4 of NS’s categories at once, I would be concerned that lightweight machines would grind to a halt processing all those rules even on a relatively light network.

The issue, as I recall, that I’m having with troubleshooting is that while I was able to find the rules, I don’t remember where they’re at now, the process of restarting snort to apply the rule changes, wipes out my manual rule changes with the NS application of its categories.

For me, I am and have been using other tools for ids and ips, that’s not what brought me to NS, so I’m not really concerned about NS ips I only started looking into it because of a forum post and hit a brick wall, I think it’s important for a well rounded distro but I’d rather focus on what’s needed to get 7 out the door, like samba.

I mean:
https://www.snort.org/rules_explanation

Ok, maybe not a bad idea, question that comes to mind is… as I recall, aren’t we pulling down ET as well, and if so how would we deal with those rules?

I will try to set aside time tonight, to sit down and read through NS dev and admin docs for ips to see if there’s enough there that I can better understand how NS implements snort.

We simply configure pulledpork to download and enable rules.
So, rules selection has to be configured in pulledpork.conf and related files (disablesid.conf, dropsid.conf, enablesid.conf, modifysid.conf) according to pulledpork syntax.

To identify rules category, we could use the filename inside the tar.gz:

# tar -ztvf /tmp/emerging.rules.tar.gz | head
drwxr-xr-x root/root         0 2016-03-06 21:20 rules/
-rw-r--r-- root/root     13710 2016-03-06 21:20 rules/emerging-snmp.rules
-rw-r--r-- root/root      8660 2016-03-06 21:20 rules/emerging-icmp.rules
-rw-r--r-- root/root     28423 2016-03-06 21:20 rules/emerging-user_agents.rules
-rw-r--r-- root/root      1934 2016-03-06 21:20 rules/emerging-rbn.rules
-rw-r--r-- root/root      3349 2016-03-06 21:20 rules/emerging.conf
-rw-r--r-- root/root   2870968 2016-03-06 21:20 rules/emerging-web_specific_apps.rules
-rw-r--r-- root/root     26775 2016-03-06 21:20 rules/emerging-botcc.portgrouped.rules
-rw-r--r-- root/root     10027 2016-03-06 21:20 rules/emerging-inappropriate.rules
-rw-r--r-- root/root    298952 2016-03-06 21:20 rules/emerging-activex.rules
2 Likes
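Added example, not code from the thread or from NethServer: it derives the category of each rule from the `rules/emerging-<category>.rules` filename inside the tarball, as suggested above, counts enabled and disabled rules per category, and emits `gid:sid` lines in the form pulledpork accepts in enablesid.conf. The file contents are constructed samples; the 21xxxxx SIDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of what emerging.rules.tar.gz contains: filename -> file text.
# Rules prefixed with '#' are shipped disabled; emerging.conf carries no rules.
SAMPLE_FILES = {
    "rules/emerging-icmp.rules": (
        'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ICMP sample one"; '
        'itype:8; sid:2100001; rev:2;)\n'
        '# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ICMP sample two"; '
        'itype:13; sid:2100002; rev:1;)\n'
    ),
    "rules/emerging-snmp.rules": (
        'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP sample"; '
        'content:"public"; sid:2100003; rev:3;)\n'
    ),
    "rules/emerging.conf": "# configuration file, not a rules file\n",
}

# Category is the part of the filename between "emerging-" and ".rules".
CATEGORY_RE = re.compile(r"^rules/emerging-(?P<cat>[A-Za-z0-9_.]+)\.rules$")
# One rule per line: optional '#' (disabled), an action keyword, and a sid option.
RULE_RE = re.compile(
    r"^(?P<off>#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s.*?\bsid:\s*(?P<sid>\d+)\s*;"
)


def index_rules(files):
    """Map category -> {'enabled': [sid, ...], 'disabled': [sid, ...]}."""
    index = defaultdict(lambda: {"enabled": [], "disabled": []})
    for name, text in files.items():
        m = CATEGORY_RE.match(name)
        if not m:
            continue  # directories, emerging.conf, anything that is not a rules file
        for line in text.splitlines():
            r = RULE_RE.match(line.strip())
            if not r:
                continue
            state = "disabled" if r.group("off") else "enabled"
            index[m.group("cat")][state].append(int(r.group("sid")))
    return dict(index)


def enablesid_lines(index, category):
    """pulledpork enablesid.conf entries (gid:sid, gid 1 for text rules) for a whole category."""
    cat = index[category]
    return [f"1:{sid}" for sid in sorted(cat["enabled"] + cat["disabled"])]


if __name__ == "__main__":
    idx = index_rules(SAMPLE_FILES)
    for cat, st in sorted(idx.items()):
        print(f"{cat:<12} enabled={len(st['enabled'])} disabled={len(st['disabled'])}")
    print("\n".join(enablesid_lines(idx, "icmp")))
```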

I like the idea from @filippo_carletti. That is a good way to do that.
I think it is one step to get the goals.

What are the goals in my opinion:

  1. To know that the IDS is working.
  2. A reporting function via mail -> IDS is working/not working and possible alerts
  3. What is exactly activated if I use the presets Balanced, Expert, Connectivity, Security and a check if all needed rules are activated
    –> perhaps solved by @filippo_carletti suggestion
  4. Create exceptions via webfrontend gui
  5. possibility of blocking suspicious traffic

How do you think about that?

I would like to help you getting this done.

1 Like
  1. possibility of blocking suspicious traffic

By manually writing rules? Could be useful!

and the possibility to add the oinkcode or etpro code to use the paid ruleset would be awesome :smiley:

@filippo_carletti

re: NS 7 Beta 1

IPS is still choking on snort[1738]: FATAL ERROR: /etc/snort/rules/snort.rules(6819) Unknown rule option: 'ssl_version'.

So;
Jul 8 13:31:53 server88 snort[1738]: FATAL ERROR: /etc/snort/rules/snort.rules(6819) Unknown rule option: 'ssl_version'.
Jul 8 13:31:53 server88 snortd: Starting snort: [FAILED]
Jul 8 13:31:53 server88 systemd: Started SYSV: snort is a lightweight network intrusion detection tool that currently detects more than 1100 host and network vulnerabilities, portscans, backdoors, and more..
Jul 8 13:31:53 server88 esmith::event[1713]: [INFO] snortd has been started
Jul 8 13:31:53 server88 esmith::event[1713]:
Jul 8 13:31:53 server88 esmith::event[1713]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [1.897545]
Jul 8 13:31:53 server88 esmith::event[1713]: Event: nethserver-snort-save SUCCESS
Jul 8 13:31:53 server88 esmith::event[1759]: Event: firewall-adjust

A ps shows the snortd process is not running, but…
Jul 8 13:31:50 server88 esmith::event[1702]: Rule Stats...
Jul 8 13:31:50 server88 esmith::event[1702]: #011New:-------247
Jul 8 13:31:50 server88 esmith::event[1702]: #011Deleted:---12
Jul 8 13:31:50 server88 esmith::event[1702]: #011Enabled Rules:----20696
Jul 8 13:31:50 server88 esmith::event[1702]: #011Dropped Rules:----0
Jul 8 13:31:50 server88 esmith::event[1702]: #011Disabled Rules:---6795
Jul 8 13:31:50 server88 esmith::event[1702]: #011Total Rules:------27491

So, in Expert… most of the rules are enabled, unlike before, so that’s awesome, but snort isn’t running… boo.
Is this something we can fix or is it upstream… this has been an issue every time I test it for the last several weeks.

Also, is it really IPS… does it block… or is it really IDS?
We really should call it, rename it IDS if it doesn’t block…

1 Like
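Added example, not code from the thread or from NethServer, covering the startup failure described here and earlier in the thread (rules that use `ssl_version` need `preprocessor ssl` in snort.conf): it scans the generated snort.rules for active rules whose options depend on a preprocessor that snort.conf does not load, and reports the line number the way Snort does in its FATAL ERROR. The rule and config texts are constructed samples; the dcerpc2 and sip entries in the table are Snort 2.9 preprocessor options added beyond what the thread mentions.

```python
import re

# Rule options that Snort only understands when the matching preprocessor is loaded.
# ssl_version/ssl_state -> ssl is the case from this thread; the dce_* and sip_*
# entries are the same kind of dependency for two other Snort 2.9 preprocessors.
OPTION_PREPROCESSOR = {
    "ssl_version": "ssl", "ssl_state": "ssl",
    "dce_iface": "dcerpc2", "dce_opnum": "dcerpc2", "dce_stub_data": "dcerpc2",
    "sip_method": "sip", "sip_stat_code": "sip", "sip_header": "sip", "sip_body": "sip",
}

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)", re.M)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")

# Constructed sample rules (9xxxxxx SIDs are placeholders); rule 2 is disabled.
SAMPLE_RULES = (
    'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"TEST ssl rule"; flow:established; '
    'ssl_version:sslv3; sid:9000001; rev:1;)\n'
    '# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"TEST dce rule, disabled"; '
    'dce_iface:12345678-1234-abcd-ef00-0123456789ab; sid:9000002; rev:1;)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"TEST plain http rule"; '
    'content:"GET"; sid:9000003; rev:1;)\n'
)
# Constructed snort.conf fragments: one without and one with the ssl preprocessor.
CONF_WITHOUT_SSL = "preprocessor frag3_global\npreprocessor stream5_global: track_tcp yes\n"
CONF_WITH_SSL = CONF_WITHOUT_SSL + "preprocessor ssl: ports { 443 }, trustservers, noinspect_encrypted\n"


def loaded_preprocessors(snort_conf):
    """Names of all 'preprocessor <name>' directives in a snort.conf text."""
    return set(PREPROC_RE.findall(snort_conf))


def missing_preprocessors(rules_text, snort_conf):
    """Return [(line_no, sid, option, preprocessor)] for every active rule that uses an
    option whose preprocessor is not loaded. Snort stops at the first one with
    'snort.rules(<line_no>) Unknown rule option' and the service fails to start."""
    loaded = loaded_preprocessors(snort_conf)
    problems = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue  # commented-out rules are never parsed by Snort
        sid = SID_RE.search(s)
        for opt, pp in OPTION_PREPROCESSOR.items():
            # option keyword must appear as its own option, not inside a content string
            if pp not in loaded and re.search(rf"[;(]\s*{opt}\s*[:;]", s):
                problems.append((no, int(sid.group(1)) if sid else None, opt, pp))
    return problems


if __name__ == "__main__":
    for no, sid, opt, pp in missing_preprocessors(SAMPLE_RULES, CONF_WITHOUT_SSL):
        print(f"snort.rules({no}) sid {sid}: option '{opt}' needs 'preprocessor {pp}'")
```

Run against the real files (`/etc/snort/rules/snort.rules` and `/etc/snort/snort.conf`) before restarting snortd; an empty result means no rule in the active set depends on a preprocessor the config lacks.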

If is only IDS, what should be used as IPS?