From: "R. W. Rodolico" <rodo@dailydata.net>
To: development@lists.ipfire.org
Subject: Re: Guardian 2
Date: Mon, 18 Jul 2016 23:25:35 -0500 [thread overview]
Message-ID: <578DABBF.6040909@dailydata.net> (raw)
In-Reply-To: <CACOO0z_FEq0DmoAqrH=hjyTNo8rpgpUt-obJ2nFDabhU4-NVyg@mail.gmail.com>
Hmmm. That is what I tried, but it didn't work. Maybe I need to go get
another oinkcode or something.
Thank you
On 07/18/2016 12:48 PM, Mark Coolen wrote:
> You have to register on snort.org. I think I just
> followed the instructions on the IDS page in the IPFire GUI and then
> input my oinkcode.
> I have no idea which rules to enable once I have them downloaded, but I
> spent a while going through them a while back and guessed ;-)
>
> It does work, and Guardian 2 watches the snort logs and automagically
> blocks IPs.
>
> On Mon, Jul 18, 2016 at 12:37 AM, R. W. Rodolico <rodo(a)dailydata.net> wrote:
>
> Can you give me a clue on how to set up Snort? I got nothing on my
> intrusion logs. I "attacked" it from a remote server (all machines are
> mine, so I can do that :) and saw nothing. I downloaded some rules from
> EmergingThreats.net Community Rules and turned several of them on, but
> saw nothing.
>
> I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed
> up. Just tried the SourceFire VRT Rules for registered users and got an
> error, and no new rules showed up.
>
> I guess I need to clean this whole thing out and start over, if I can
> figure out how to clean out the Snort ruleset.
>
> If anyone can give me a clue on this, I'll be happy to set it up and try
> attacking myself.
>
> Selective blocking/unblocking works like a charm.
>
> Rod
>
> On 07/17/2016 06:47 PM, Mark Coolen wrote:
> > OK. Now I have everything working well. Guardian is auto-blocking and
> > allowing me to selectively block and unblock as well as unblock all.
> >
> > I think the IDS module really needs some kind of default settings for
> > those who want to use it but don't understand the complexities of
> > Snort's rules. I just guessed at things when I set Snort up, but it does
> > produce logs of possible intrusion attempts and Guardian does respond
> > appropriately.
> >
> > On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico <rodo(a)dailydata.net> wrote:
> >
> > I saw the same issue and filed a bug report
> > (https://bugzilla.ipfire.org/show_bug.cgi?id=11146).
> >
> > When something like this pops up, I generally
> > https://bugzilla.ipfire.org/show_bug.cgi?id=11146
> > immediately after the problem shows up; that usually gives some
> > indication of the problem.
> >
> > As Matthias says, it is a permissions issue on the configuration file
> > directory. Either manually create the files (with correct ownership and
> > permission) or change ownership/permission on the directory. Then, you
> > have a nice, pretty GUI.
> >
> > I was able to efficiently block myself from the GUI after that. Since I
> > don't know anything about how to test Snort, I'm having problems getting
> > it to block automatically, but that is another issue.
> >
> > Rod
> >
> > On 07/16/2016 09:19 AM, Mark Coolen wrote:
> > > I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010?
> > > There's a 2.0-012 under 'old approach' but those files have an older
> > > timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire
> > > package as are the 'dependencies'. I've used Guardian 2 several times in
> > > the past by just extracting according to the instructions on stevee's
> > > ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I
> > > just get a completely blank page in the GUI.
> > > How do we test?
> > >
> > > On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer
> > > <matthias.fischer(a)ipfire.org> wrote:
> > >
> > > Hi,
> > >
> > > Ok, next.
> > >
> > > Am I right assuming that the '2.0-002'-version at
> > > http://people.ipfire.org/~stevee/guardian-2.0/ plus
> > > http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is
> > > the latest!?
> > >
> > > Best,
> > > Matthias
> > >
> > > On 16.07.2016 04:03, Mark Coolen wrote:
> > > > I'm willing to test it as well. I take it the instructions from
> > > > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> > > are still
> > > > good?
> > > >
> > > > On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico
> > > > <rodo(a)dailydata.net> wrote:
> > > >
> > > Tell me what I need to do to test Guardian. I've never installed it,
> > > but I am doing it now.
> > >
> > > Rod
> > >
> > > On 07/15/2016 05:00 AM, Michael Tremer wrote:
> > >> Hi guys,
> > >>
> > >> even if you have a conversation on the phone, please try keeping us
> > >> in the loop.
> > >>
> > >> So the key points of what I know:
> > >>
> > >> * A release is targeted for core update 104
> > >>
> > >> * There are a few changes required so that re-blocking a host after
> > >> it has been manually unblocked allows this host the configured
> > >> number of tries again and not only one.
> > >>
> > >> * Many more testers are required since feedback is really low at
> > >> this point.
> > >>
> > >> Did I get this right? What is the ETA for a set of patches on the
> > >> mailing list?
> > >>
> > >> What is the plan to engage more testers?
> > >>
> > >> Best, -Michael
> > >
> > >> On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
> > >>> Hi Stevee I know you are very busy and working hard on this.
> > >>> But if you want to release the new Guardian 2 with Core 104 we
> > >>> still need to do some work and it must be tested! So please tell
> > >>> us something about the new guardian2 and the state of your work.
> > >>>
> > >>> Maybe we find more testers here on the list.
> > >>>
> > >>> Meanwhile I've talked with Michael about the state which I know
> > >>> of the guardian2 and we both confirm that the list of blocked
> > >>> IPs which runs in the background isn't a good idea. Please let us
> > >>> talk by phone about it again.
> > >>>
> > >>> - Daniel
> > >
> > > >>
> > > >
> > > >
> > > >
> > >
> > > --
> > > _ _ _ ___ _
> > > )\/,) ___ __ )L, )) __ __ )) __ _ _
> > > ((`(( ((_( (| ((\ ((__((_)((_)(( (('((\(
> >
> > --
> > Rod Rodolico
> > Daily Data, Inc.
> > POB 140465
> > Dallas TX 75214-0465
> > 214.827.2170
> > http://www.dailydata.net
--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
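The behaviour the thread keeps circling back to is Guardian watching Snort's alert log, counting alerts per source address, blocking a source once it reaches the configured number of tries, and (the change Michael lists) giving a host its full number of tries again after a manual unblock rather than re-blocking it on the very next alert. The following is an added example written for this page to make that logic concrete; it is not Guardian's or IPFire's code and does not touch iptables. The log lines are constructed in Snort's fast-alert layout using documentation IP ranges and a local-rules SID, and the `ignore_nets` allow-list (so that testing from your own hosts, as Rod does, cannot lock you out) is an assumption of this example, not a Guardian feature described in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Snort "fast" alert format, one alert per line. The pattern covers the
# common layout; IPv4 only, ports optional (ICMP alerts carry none).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log (not from any real IPFire box): three alerts from
# 203.0.113.7, two from 203.0.113.8, one from an admin host in 192.0.2.0/24,
# and one line of unrelated noise.
SAMPLE_LOG = [
    "07/18-23:10:01.000001  [**] [1:1000001:1] LOCAL example probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51000 -> 198.51.100.1:22",
    "07/18-23:10:02.000002  [**] [1:1000001:1] LOCAL example probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.8:51001 -> 198.51.100.1:22",
    "07/18-23:10:03.000003  [**] [1:1000002:1] LOCAL example ping sweep [**] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.1",
    "07/18-23:10:04.000004  [**] [1:1000001:1] LOCAL example probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:40000 -> 198.51.100.1:22",
    "snort: rule 1000001 loaded",
    "07/18-23:10:05.000005  [**] [1:1000001:1] LOCAL example probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.8:51002 -> 198.51.100.1:22",
    "07/18-23:10:06.000006  [**] [1:1000001:1] LOCAL example probe [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51003 -> 198.51.100.1:22",
]


def parse_alert(line):
    """Return the fields of one fast-format alert as a dict, or None for non-alert lines."""
    m = FAST_ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


class Blocker:
    """Simplified threshold blocker (hypothetical model, not Guardian's code).

    Counts alerts per source IP and blocks a source once it reaches max_tries.
    Sources inside ignore_nets are never counted or blocked.
    """

    def __init__(self, max_tries, ignore_nets=(), reset_on_unblock=True):
        self.max_tries = max_tries
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.reset_on_unblock = reset_on_unblock
        self.tries = defaultdict(int)
        self.blocked = set()

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore_nets)

    def observe(self, line):
        """Feed one log line. Returns the IP if this line triggered a new block, else None."""
        alert = parse_alert(line)
        if alert is None:
            return None
        src = alert["src"]
        if self._ignored(src) or src in self.blocked:
            return None
        self.tries[src] += 1
        if self.tries[src] >= self.max_tries:
            self.blocked.add(src)
            return src
        return None

    def unblock(self, ip):
        """Manual unblock from the GUI.

        With reset_on_unblock the host gets max_tries again. Without it the
        stale counter stays at the threshold, so a single further alert
        re-blocks the host: the behaviour the thread says had to change.
        """
        self.blocked.discard(ip)
        if self.reset_on_unblock:
            self.tries.pop(ip, None)


def run(lines, max_tries=3, ignore_nets=("192.0.2.0/24",), reset_on_unblock=True):
    """Replay a list of log lines through a fresh Blocker and return it."""
    blocker = Blocker(max_tries, ignore_nets, reset_on_unblock)
    for line in lines:
        blocker.observe(line)
    return blocker


if __name__ == "__main__":
    b = run(SAMPLE_LOG)
    print("blocked:", sorted(b.blocked), "tries:", dict(b.tries))
```

Running the sample blocks only 203.0.113.7 (three alerts), leaves 203.0.113.8 at two tries, and never counts the 192.0.2.10 admin host. After `unblock("203.0.113.7")` the default `reset_on_unblock=True` lets that host accumulate three fresh alerts before it is blocked again, whereas `reset_on_unblock=False` reproduces the one-strike re-block.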
[not found] <CACOO0z_FEq0DmoAqrH=hjyTNo8rpgpUt-obJ2nFDabhU4-NVyg@mail.gmail.com>
2016-07-19 4:25 ` R. W. Rodolico [this message]
[not found] <CACOO0z9xQoJh8PY74M4pdxRe8TOATF_SwjM65FtbDMexXq6mOA@mail.gmail.com>
2016-07-18 4:37 ` R. W. Rodolico
[not found] <CACOO0z-ZmvxauaLjrv5nLX_kctaPcbMB1nGNZy02iT=E5FDNEA@mail.gmail.com>
2016-07-16 15:12 ` Matthias Fischer
2016-07-16 18:43 ` R. W. Rodolico
[not found] <CACOO0z8ZGnBa2rCKEqU+4dgiVWb0ZjZHvpbd3fgv-KvDK524zg@mail.gmail.com>
2016-07-16 6:59 ` Matthias Fischer
2016-07-14 12:36 Daniel Weismüller
2016-07-15 10:00 ` Michael Tremer
2016-07-16 0:23 ` R. W. Rodolico