From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Security vulnerabilities in snort and Guardian
Date: Fri, 27 Oct 2017 16:06:31 +0100
Message-ID: <1509116791.4838.230.camel@ipfire.org>
In-Reply-To: <20171026214945.68960724.peter.mueller@link38.eu>

Hi,

Stefan is the maintainer of Guardian.

On Thu, 2017-10-26 at 21:49 +0200, Peter Müller wrote:
> Hello,
>
> there are two security vulnerabilities in IPFire's IDS/IPS
> (snort/Guardian) which I consider quite critical:
>
> (a) Guardian does not block malicious destination IP addresses
> As described in bug #11532, it is possible to access a "bad"
> IP address (C&C server, Spamhaus DROP, Dshield, and others)
> in the internet from an internal network behind IPFire.
>
> This is because Guardian only looks at the source IP of
> a snort alert, and in this case, it is the firewall's IP
> which should not be blocked for obvious reasons.
>
> There is little chance that an admin will notice that the IPS
> is only working in case of inbound attacks since snort
> triggers an alert correctly.
>
> Could someone (maintainer?) have a look at Guardian and
> fix this? Unfortunately, my programming skills are too little
> for this job. :-|

I think this is a problem that could be solved. Probably the solution is
quite simple even. However, I do not consider this a security issue that
requires us to send an update immediately.

> (b) Snort does not detect internal attacks
> As described in bug #10273 (which has been reported back in
> 2012), the IDS is fully working on RED only. Although it
> can be turned on for GREEN, BLUE and ORANGE, too, it does not
> capture any attacks in internal networks.
>
> This can hardly be examined from the WebUI, too, since it
> shows snort being up and running on GREEN and others.
>
> Changing this also allows blocking an infected PC in a local
> network which is spreading malware. On RED, the internal IP
> is already NATted.
>
> Maybe Guardian can be configured so it shows a big warning in case
> of blocked local IPs (internal networks should be clean), but
> this is kind of a feature request.

I think it blocks this now as I think it should be. Of course it won't be
able to block the one machine attacking others on the same network because
the firewall does not see that traffic, but Guardian blocks attacks from
the internal network to the Internet if snort detects it.

Let's see if Stefan can clear this up for us.

> See also:
> * https://bugzilla.ipfire.org/show_bug.cgi?id=10273
> * https://bugzilla.ipfire.org/show_bug.cgi?id=11532
> (Thanks again to Michael for enabling HTTPS with trusted certificates.)
>
> One question left: If there are attacks from a network connected
> via VPN, where are they captured by snort? On RED?

They should show up on the RED interface.

> I hate bringing up bugs like this - and hope I did not harm
> anybody :-) - but since this has a security impact, it seems okay
> to me.

Well, we all hate bugs :)

>
> Thanks and best regards,
> Peter Müller
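The two alert-handling policies discussed in this thread, written out as an added example. This is not Guardian's or IPFire's code: it is a small Python illustration of (a) the source-only selection Peter describes, under which an outbound, NATed connection to a C&C server produces an alert whose source is the firewall's own address and so nothing gets blocked, and (b) a direction-aware selection that blocks the remote peer whichever end it sits on, and flags a target that lies in an internal network (the "big warning" case). The firewall addresses, internal network, rule SID and the snort fast-format alert lines are all constructed for the example.

```python
"""Which end of a snort alert should an IPS block?

Added illustration, not Guardian's code.  The topology, the rule and the
alert lines below are constructed for the example (documentation ranges).
"""
import ipaddress
import re
from typing import NamedTuple, Optional

# Assumed topology: the firewall's RED (public) and GREEN addresses and the
# GREEN network.  Not IPFire defaults; chosen for the example.
FIREWALL_ADDRESSES = {
    ipaddress.ip_address("198.51.100.7"),  # RED
    ipaddress.ip_address("192.168.1.1"),   # GREEN
}
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# snort "fast" alert output, IPv4 only, ports optional.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)


class Alert(NamedTuple):
    sid: str
    msg: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class Decision(NamedTuple):
    target: Optional[str]  # address to block, None when nothing should be blocked
    reason: str
    local: bool            # True when the target lies in an internal network


def parse_alert(line: str) -> Alert:
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError(f"not a snort fast alert: {line!r}")
    return Alert(m["sid"], m["msg"], m["proto"],
                 ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]))


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETWORKS)


def source_only(line: str) -> Decision:
    """The behaviour the thread describes: look at the source only and never
    block the firewall itself.  For a NATed outbound connection the source
    *is* the firewall, so the C&C destination is never blocked."""
    a = parse_alert(line)
    if a.src in FIREWALL_ADDRESSES:
        return Decision(None, "source is the firewall; nothing blocked", False)
    return Decision(str(a.src), "blocked alert source", is_internal(a.src))


def direction_aware(line: str) -> Decision:
    """Block the remote peer whichever end of the alert it is on."""
    a = parse_alert(line)
    src_fw = a.src in FIREWALL_ADDRESSES
    dst_fw = a.dst in FIREWALL_ADDRESSES
    if src_fw and dst_fw:
        return Decision(None, "both ends are the firewall; nothing to block", False)
    if src_fw:
        # Connection was NATed on RED: the bad host is the destination.
        return Decision(str(a.dst), "source is the firewall (NATed outbound); blocked destination",
                        is_internal(a.dst))
    return Decision(str(a.src), "blocked alert source", is_internal(a.src))


# Constructed alert lines (fast format).  SID and message are placeholders.
PREFIX = ("10/26/17-21:49:45.000001  [**] [1:1000001:1] LOCAL test: known C&C traffic [**] "
          "[Classification: A Network Trojan was detected] [Priority: 1] ")
SAMPLE_ALERTS = {
    "inbound_scan":    PREFIX + "{TCP} 203.0.113.9:4444 -> 198.51.100.7:22",
    "outbound_natted": PREFIX + "{TCP} 198.51.100.7:51234 -> 203.0.113.5:443",
    "seen_on_green":   PREFIX + "{TCP} 192.168.1.20:51234 -> 203.0.113.5:443",
}


def compare(alerts=SAMPLE_ALERTS):
    """Run both policies over the alerts; returns {name: (source_only, direction_aware)}."""
    return {name: (source_only(line), direction_aware(line)) for name, line in alerts.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        warn = "  (target is a LOCAL host)" if new.local else ""
        print(f"{name:16} source-only: {str(old.target):14} direction-aware: {str(new.target):14}{warn}")
```

The third sample is what an alert would look like if snort were actually capturing on GREEN (bug #10273): the source is an internal host, so both policies block it, and the `local` flag is what a UI warning about blocked local IPs would key on.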