public inbox for development@lists.ipfire.org
From: "R. W. Rodolico" <rodo@dailydata.net>
To: development@lists.ipfire.org
Subject: Re: Guardian 2
Date: Sun, 17 Jul 2016 23:37:10 -0500	[thread overview]
Message-ID: <578C5CF6.9050003@dailydata.net> (raw)
In-Reply-To: <CACOO0z9xQoJh8PY74M4pdxRe8TOATF_SwjM65FtbDMexXq6mOA@mail.gmail.com>


Can you give me a clue on how to set up Snort? I got nothing on my
intrusion logs. I "attacked" it from a remote server (all machines are
mine, so I can do that :) and saw nothing. I downloaded some rules from
EmergingThreats.net Community Rules and turned several of them on, but
saw nothing.

I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed
up. Just tried the SourceFire VRT Rules for registered users and got an
error, and no new rules showed up.

I guess I need to clean this whole thing out and start over, if I can
figure out how to clean out the Snort ruleset.

If anyone can give me a clue on this, I'll be happy to set it up and try
attacking myself.

Selective blocking/unblocking works like a charm.

Rod

On 07/17/2016 06:47 PM, Mark Coolen wrote:
> OK. Now I have everything working well. Guardian is auto-blocking and
> allowing me to selectively block and unblock as well as unblock all.
> 
> I think the IDS module really needs some kind of default settings for
> those who want to use it but don't understand the complexities of
> Snort's rules. I just guessed at things when I set Snort up, but it does
> produce logs of possible intrusion attempts and Guardian does respond
> appropriately.
> 
> On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico <rodo(a)dailydata.net> wrote:
> 
>     I saw the same issue and filed a bug report
>     (https://bugzilla.ipfire.org/show_bug.cgi?id=11146).
> 
>     When something like this pops up, I generally
>     https://bugzilla.ipfire.org/show_bug.cgi?id=11146
>     immediately after the problem shows up; that usually gives some
>     indication of the problem.
> 
>     As Matthias says, it is a permissions issue on the configuration file
>     directory. Either manually create the files (with correct ownership and
>     permission) or change ownership/permission on the directory. Then, you
>     have a nice, pretty GUI.
> 
>     I was able to efficiently block myself from the GUI after that. Since I
>     don't know anything about how to test Snort, I'm having problems getting
>     it to block automatically, but that is another issue.
> 
>     Rod
> 
>     On 07/16/2016 09:19 AM, Mark Coolen wrote:
>     > I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010?
>     > There's a 2.0-012 under 'old approach' but those files have an older
>     > timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire
>     > package as are the 'dependencies'. I've used Guardian 2 several times in
>     > the past by just extracting according to the instructions on stevee's
>     > ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I
>     > just get a completely blank page in the GUI.
>     > How do we test?
>     >
>     > On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer
>     > <matthias.fischer(a)ipfire.org> wrote:
>     >
>     >     Hi,
>     >
>     >     Ok, next.
>     >
>     >     Am I right assuming that the '2.0-002'-version at
>     >     http://people.ipfire.org/~stevee/guardian-2.0/ plus
>     >     http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is
>     >     the latest!?
>     >
>     >     Best,
>     >     Matthias
>     >
>     >     On 16.07.2016 04:03, Mark Coolen wrote:
>     >     > I'm willing to test it as well. I take it the instructions from
>     >     > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
>     >     are still
>     >     > good?
>     >     >
>     >     > On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico
>     >     > <rodo(a)dailydata.net> wrote:
>     >     >
>     > Tell me what I need to do to test Guardian. I've never installed it,
>     > but I am doing it now.
>     >
>     > Rod
>     >
>     > On 07/15/2016 05:00 AM, Michael Tremer wrote:
>     >> Hi guys,
>     >
>     >> even if you have a conversation on the phone, please try keeping us
>     >> in the loop.
>     >
>     >> So the key points of what I know:
>     >
>     >> * A release is targeted for core update 104
>     >
>     >> * There are a few changes required so that re-blocking a host after
>     >> it has been manually unblocked allows this host the configured
>     >> number of tries again and not only one.
>     >
>     >> * Many more testers are required since feedback is really low at
>     >> this point.
>     >
>     >> Did I get this right? What is the ETA for a set of patches on the
>     >> mailing list?
>     >
>     >> What is the plan to engage more testers?
>     >
>     >> Best, -Michael
>     >
>     >> On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
>     >>> Hi Stevee, I know you are very busy and working hard on this.
>     >>> But if you want to release the new Guardian 2 with Core 104 we
>     >>> still need to do some work and it must be tested! So please tell
>     >>> us something about the new guardian2 and the state of your work.
>     >>>
>     >>> Maybe we find more testers here on the list.
>     >>>
>     >>> Meanwhile I've talked with Michael about the state which I know
>     >>> of the guardian2 and we both confirm that the list of blocked
>     >>> IPs which runs in the background isn't a good idea. Please let us
>     >>> talk by phone about it again.
>     >>>
>     >>> - Daniel
>     >
>     >     >>
>     >     >
>     >     >
>     >     >
>     >
>     >
>     >
>     >
>     > --
>     >  _  _           _     ___         _
>     >  )\/,) ___  __  )L,   ))  __  __  )) __ _ _
>     > ((`(( ((_( (|  ((\   ((__((_)((_)(( (('((\(
> 
>     --
>     Rod Rodolico
>     Daily Data, Inc.
>     POB 140465
>     Dallas TX 75214-0465
>     214.827.2170
>     http://www.dailydata.net
> 
> 
> 
> 
> -- 
>  _  _           _     ___         _         
>  )\/,) ___  __  )L,   ))  __  __  )) __ _ _
> ((`(( ((_( (|  ((\   ((__((_)((_)(( (('((\(

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
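Two things in this thread lend themselves to a small worked illustration: Michael's point that re-blocking a host after a manual unblock must give it the configured number of tries again rather than only one, and Rod's question of how to tell whether the Snort side is producing anything Guardian can act on. The block below is an added example written for this archive page; it is not Guardian's or IPFire's code (Guardian itself is not shown anywhere in the thread). It assumes Snort's "fast" alert line format, a per-source-IP attempt counter with a threshold of 3, and constructed sample alert lines (RFC 5737 documentation addresses); the class and function names are mine. The `reset_on_unblock=False` path reproduces the behaviour Michael describes as needing a fix, side by side with the corrected one.

```python
"""Added illustration: alert-driven auto-blocking with the unblock-reset edge case.
Not Guardian's code; alert format, threshold and sample data are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample in Snort "fast" alert style (assumed format, not from the thread).
# 203.0.113.7 triggers three alerts, 198.51.100.9 only one.
SAMPLE_ALERTS = """\
07/17-23:31:02.118823  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:4444 -> 192.0.2.1:22
07/17-23:31:09.551201  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:4445 -> 192.0.2.1:22
07/17-23:31:15.002718  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:4446 -> 192.0.2.1:22
07/17-23:32:40.771020  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:50112 -> 192.0.2.1:80
"""

# Pull the source address out of the "{PROTO} src:port -> dst:port" tail of each alert.
ALERT_RE = re.compile(r"\{(?:TCP|UDP|ICMP)\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->")


def source_ips(log_text):
    """Return the source IP of every alert line that matches the assumed format."""
    ips = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


@dataclass
class Blocker:
    """Per-host attempt counter: block once max_tries alerts have been seen."""
    max_tries: int = 3                # assumed "configured number of tries"
    reset_on_unblock: bool = True     # False reproduces the behaviour the thread wants fixed
    counts: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def record_alert(self, ip):
        """Count one alert for ip; return True if ip is (now) blocked."""
        if ip in self.blocked:
            return True
        self.counts[ip] = self.counts.get(ip, 0) + 1
        if self.counts[ip] >= self.max_tries:
            self.blocked.add(ip)
            return True
        return False

    def unblock(self, ip):
        """Manual unblock. Clearing the counter is what gives the host a fresh
        set of tries; leaving it at max_tries means the very next alert re-blocks."""
        self.blocked.discard(ip)
        if self.reset_on_unblock:
            self.counts.pop(ip, None)

    def unblock_all(self):
        for ip in list(self.blocked):
            self.unblock(ip)


def blocked_after_sample(max_tries=3):
    """Feed the constructed alerts through a fresh Blocker and return who got blocked."""
    b = Blocker(max_tries=max_tries)
    for ip in source_ips(SAMPLE_ALERTS):
        b.record_alert(ip)
    return b.blocked


def alerts_until_reblock(reset_on_unblock):
    """Block 203.0.113.7 via the sample, unblock it manually, then count how many
    further alerts it takes to block it again (3 with reset, 1 without)."""
    b = Blocker(max_tries=3, reset_on_unblock=reset_on_unblock)
    for ip in source_ips(SAMPLE_ALERTS):
        b.record_alert(ip)
    b.unblock("203.0.113.7")
    n = 0
    while not b.record_alert("203.0.113.7"):
        n += 1
    return n + 1


if __name__ == "__main__":
    print("blocked after sample:", sorted(blocked_after_sample()))
    print("alerts to re-block, counter reset on unblock:", alerts_until_reblock(True))
    print("alerts to re-block, counter kept on unblock:", alerts_until_reblock(False))
```

Running it shows the one-line difference that matters: with the counter reset, the unblocked host needs the full three alerts again; without it, a single alert re-blocks, which is the behaviour Michael listed as still needing a fix. For Rod's testing question, the parsing half is also a cheap sanity check: if the alert file the blocker reads yields no source IPs at all, the problem is upstream in Snort's rule loading, not in the blocking logic.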

Thread overview: 8+ messages
     [not found] <CACOO0z9xQoJh8PY74M4pdxRe8TOATF_SwjM65FtbDMexXq6mOA@mail.gmail.com>
2016-07-18  4:37 ` R. W. Rodolico [this message]
     [not found] <CACOO0z_FEq0DmoAqrH=hjyTNo8rpgpUt-obJ2nFDabhU4-NVyg@mail.gmail.com>
2016-07-19  4:25 ` R. W. Rodolico
     [not found] <CACOO0z-ZmvxauaLjrv5nLX_kctaPcbMB1nGNZy02iT=E5FDNEA@mail.gmail.com>
2016-07-16 15:12 ` Matthias Fischer
2016-07-16 18:43 ` R. W. Rodolico
     [not found] <CACOO0z8ZGnBa2rCKEqU+4dgiVWb0ZjZHvpbd3fgv-KvDK524zg@mail.gmail.com>
2016-07-16  6:59 ` Matthias Fischer
2016-07-14 12:36 Daniel Weismüller
2016-07-15 10:00 ` Michael Tremer
2016-07-16  0:23   ` R. W. Rodolico
