LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 12-22-2003, 03:07 PM   #1
mikmok
LQ Newbie
Snort 2.05 and guardian 1.6 problem


Hi,

I've just set up a Linux box with SUSE 9.0,
the new 2.4.23 kernel,
Snort 2.05
and Guardian 1.6.

Everything works fine
except that Guardian doesn't execute the scripts to block.
I can see with tail -f that /var/log/messages and /var/log/snort/alert are changing, with no errors.
/var/log/guardian.log reports only a line indicating the PID of Guardian when I start it.

I can't see any
"Running script ..." line.

I've checked the rights on /var/log/snort/alert ... I set them to rwxrwxrwx to test ... I get no errors at all.

Any insight?

Thank you very much,

Mik
 
Old 12-22-2003, 06:21 PM   #2
unSpawn
Moderator
Config checked out OK? Tried running in debug mode? BTW, I run Guardian 1.7; check whether it has essential changes/improvements.
 
Old 12-23-2003, 12:48 AM   #3
mikmok
LQ Newbie
Thanks for your reply.

The system has worked since I recompiled Snort and changed the Snort binary in the rc.d directory. Guardian was always the same.
I've tried the debug mode: no errors, no messages, it's simply waiting... and the /var/log/snort/alert file is growing...

Today I'll try version 1.7.
Where can I download it from?

Thanks again,
Mik
 
Old 12-23-2003, 05:50 AM   #4
unSpawn
Moderator
BTW, you do have the external scripts in place, right? The ones that block routes and add iptables/ipchains rules. The Guardian download should be at snort.org/contrib or so.
 
Old 12-23-2003, 06:14 AM   #5
mikmok
LQ Newbie
Hi,
Now I'm using Guardian 1.7 on Snort 2.03.
The guardian_block and guardian_unblock scripts are good (I've launched them by hand); if I move them, Guardian doesn't start, so I assume it can read them.

It has worked only one time!!!
It blocked the 127.0.0.1 IP, but trying from a different net with nmap it doesn't execute the blocking script.

Thank you very much,

Mik
 
Old 12-23-2003, 06:56 AM   #6
unSpawn
Moderator
Quote:
if I move them, Guardian doesn't start, so I assume it can read them.

Running "grep guardian.pl -e \$..blockpath" should show (IIRC; I modified mine somewhat, I think) where it expects the scripts to be.

Quote:
It blocked the 127.0.0.1 IP, but trying from a different net with nmap it doesn't execute the blocking script.

This could depend on what Snort logs (like the interface it is listening on, whether the nmap scan triggers a rule at all, whether you added a BPF filter, which preprocessors are enabled, an added portscan ignore statement, etc.), unless you can tell from the alert file that it got logged, and whether it was already blocked (but then it should be in the Guardian log or show up with "route" or "iptables -n -L"). Also check your guardian.conf.

Could you kill Guardian, clean up any firewall or route blocks it added, run "guardian.pl -d -c /path/to/guardian.conf 2>&1|tee -a /tmp/guardian.debug", and then try to make it block again.
Post the log.
 
Old 12-23-2003, 10:00 AM   #7
mikmok
LQ Newbie
Hi,
Now it works!!!
I've downloaded all the latest rules, including snort.conf,
and re-edited it.
In snort.conf I wrote down that my HOME_NET is a /24 even if it's a /29.
I've modified guardian.pl to be sure that the two scripts are called.

Thank you for the patience and the great help.
Thanks.

Merry Christmas.

Mik
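The checks unSpawn lists in post #6 (does the alert file show the scan, is the source already blocked in iptables, can Guardian find and run its block scripts) and the HOME_NET change in post #7 can be walked through offline. The script below is an added example written for this thread, not Guardian's or Snort's own code: it parses alert_fast-style lines, compares each source against an ignore list, a stand-in for `iptables -n -L` output and the configured HOME_NET, and reports why a source would or would not be acted on. The alert lines, the iptables output and the script paths are constructed for the example, and the ordering of the checks is an assumption chosen for illustration, not a description of guardian.pl's internals.

```python
"""Triage of a Snort alert file the way a Guardian-style reactive blocker
would scan it, plus a check that the block/unblock scripts are runnable.

Added example for this thread, not Guardian's or Snort's own code. All
sample data below is constructed; the policy (ignore list first, then an
existing firewall rule, then HOME_NET membership) is an assumption used
to illustrate the checks, not a description of guardian.pl's internals.
"""
import ipaddress
import os
import re

# Constructed Snort "alert_fast"-style lines: two from one outside scanner,
# one loopback hit, one from a host that is inside a /24 but outside a /29.
SAMPLE_ALERTS = """\
12/23-06:10:01.123456  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.77 -> 192.0.2.10
12/23-06:10:02.223456  [**] [1:1228:3] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:51234 -> 192.0.2.10:80
12/23-06:11:00.000001  [**] [1:469:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 127.0.0.1 -> 127.0.0.1
12/23-06:12:00.000001  [**] [1:1228:3] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.100:40000 -> 192.0.2.10:22
"""

# Constructed stand-in for `iptables -n -L` output with one DROP already present.
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  203.0.113.77         0.0.0.0/0
"""

# "{PROTO} src[:port] -> dst[:port]" at the end of an alert_fast line.
ALERT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Return (src, dst) address pairs for every alert line that carries one."""
    pairs = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs


def blocked_sources(iptables_text):
    """Source networks that already have a DROP/REJECT rule in `iptables -n -L` output."""
    nets = []
    for line in iptables_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("DROP", "REJECT"):
            nets.append(ipaddress.ip_network(fields[3], strict=False))
    return nets


def triage(alert_text, home_net, ignore, iptables_text):
    """Per source address: alert count and why it would or would not be blocked."""
    home = ipaddress.ip_network(home_net)
    blocked = blocked_sources(iptables_text)
    report = {}
    for src, _dst in parse_alerts(alert_text):
        if src in report:
            report[src]["alerts"] += 1
            continue
        ip = ipaddress.ip_address(src)
        if src in ignore:
            status = "ignored"
        elif any(ip in net for net in blocked):
            status = "already blocked"
        elif ip in home:
            status = "inside HOME_NET"
        else:
            status = "would block"
        report[src] = {"alerts": 1, "status": status}
    return report


def script_problems(paths):
    """Block/unblock scripts a blocker could not run: missing or not executable."""
    problems = {}
    for path in paths:
        if not os.path.isfile(path):
            problems[path] = "missing"
        elif not os.access(path, os.X_OK):
            problems[path] = "not executable"
    return problems


if __name__ == "__main__":
    # HOME_NET as the real /29 versus the /24 the poster switched to: the same
    # alert from 192.0.2.100 is "would block" under one and "inside HOME_NET" under the other.
    for net in ("192.0.2.8/29", "192.0.2.0/24"):
        print(net, triage(SAMPLE_ALERTS, net, {"127.0.0.1"}, SAMPLE_IPTABLES))
    # Hypothetical script location; use whatever guardian.conf/guardian.pl actually point at.
    print(script_problems(["/usr/local/bin/guardian_block.sh"]))
```

Run against a real box, `SAMPLE_ALERTS` would be the contents of /var/log/snort/alert and `SAMPLE_IPTABLES` the output of `iptables -n -L`; a source that shows up as "already blocked" explains a missing "Running script" line just as well as a scan that never produced an alert, which is why the alert file is checked first.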
 
Old 12-23-2003, 10:45 AM   #8
unSpawn
Moderator
Merry Christmas to you too.
 
All times are GMT -5.