Hmmm. That is what I tried, but it didn't work. Maybe I need to go get
another oinkcode or something.

Thank you

On 07/18/2016 12:48 PM, Mark Coolen wrote:
> You have to register on snort.org. I think I just
> followed the instructions on the IDS page in the IPFire GUI and then
> input my oinkcode.
> I have no idea which rules to enable once I have them downloaded, but I
> spent awhile going through them awhile back and guessed ;-)
>
> It does work, and Guardian 2 watches the snort logs and automagically
> blocks IPs.
>
> On Mon, Jul 18, 2016 at 12:37 AM, R. W. Rodolico wrote:
>
> > Can you give me a clue on how to set up Snort? I got nothing on my
> > intrusion logs. I "attacked" it from a remote server (all machines are
> > mine, so I can do that :) and saw nothing. I downloaded some rules from
> > EmergingThreats.net Community Rules and turned several of them on, but
> > saw nothing.
> >
> > I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed
> > up. Just tried the SourceFire VRT Rules for registered users and got an
> > error, and no new rules showed up.
> >
> > I guess I need to clean this whole thing out and start over, if I can
> > figure out how to clean out the Snort ruleset.
> >
> > If anyone can give me a clue on this, I'll be happy to set it up and try
> > attacking myself.
> >
> > Selective blocking/unblocking works like a charm.
> >
> > Rod
> >
> > On 07/17/2016 06:47 PM, Mark Coolen wrote:
> > > OK. Now I have everything working well. Guardian is auto-blocking and
> > > allowing me to selectively block and unblock as well as unblock all.
> > >
> > > I think the IDS module really needs some kind of default settings for
> > > those who want to use it but don't understand the complexities of
> > > Snort's rules. I just guessed at things when I set Snort up, but it does
> > > produce logs of possible intrusion attempts and Guardian does respond
> > > appropriately.
> > >
> > > On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico wrote:
> > >
> > > > I saw the same issue and filed a bug report
> > > > (https://bugzilla.ipfire.org/show_bug.cgi?id=11146).
> > > >
> > > > When something like this pops up, I generally
> > > > https://bugzilla.ipfire.org/show_bug.cgi?id=11146
> > > > immediately after the problem shows up; that usually gives some
> > > > indication of the problem.
> > > >
> > > > As Matthias says, it is a permissions issue on the configuration file
> > > > directory. Either manually create the files (with correct ownership and
> > > > permission) or change ownership/permission on the directory. Then, you
> > > > have a nice, pretty GUI.
> > > >
> > > > I was able to efficiently block myself from the GUI after that. Since I
> > > > don't know anything about how to test Snort, I'm having problems getting
> > > > it to block automatically, but that is another issue.
> > > >
> > > > Rod
> > > >
> > > > On 07/16/2016 09:19 AM, Mark Coolen wrote:
> > > > > I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010?
> > > > > There's a 2.0-012 under 'old approach' but those files have an older
> > > > > timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire
> > > > > package as are the 'dependencies'. I've used Guardian 2 several times in
> > > > > the past by just extracting according to the instructions on stevee's
> > > > > ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I
> > > > > just get a completely blank page in the GUI.
> > > > > How do we test?
> > > > >
> > > > > On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > Ok, next.
> > > > > >
> > > > > > Am I right assuming that the '2.0-002'-version at
> > > > > > http://people.ipfire.org/~stevee/guardian-2.0/ plus
> > > > > > http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is
> > > > > > the latest!?
> > > > > >
> > > > > > Best,
> > > > > > Matthias
> > > > > >
> > > > > > On 16.07.2016 04:03, Mark Coolen wrote:
> > > > > > > I'm willing to test it as well. I take it the instructions from
> > > > > > > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> > > > > > > are still good?
> > > > > > >
> > > > > > > On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico wrote:
> > > > > > >
> > > > > > > > Tell me what I need to do to test Guardian. I've never
> > > > > > > > installed it, but I am doing it now.
> > > > > > > >
> > > > > > > > Rod
> > > > > > > >
> > > > > > > > On 07/15/2016 05:00 AM, Michael Tremer wrote:
> > > > > > > > > Hi guys,
> > > > > > > > >
> > > > > > > > > even if you have a conversation on the phone, please try
> > > > > > > > > keeping us in the loop.
> > > > > > > > >
> > > > > > > > > So the key points of what I know:
> > > > > > > > >
> > > > > > > > > * A release is targeted for core update 104
> > > > > > > > >
> > > > > > > > > * There are a few changes required so that re-blocking a
> > > > > > > > >   host after it has been manually unblocked allows this
> > > > > > > > >   host the configured number of tries again and not only
> > > > > > > > >   one.
> > > > > > > > >
> > > > > > > > > * Many more testers are required since feedback is really
> > > > > > > > >   low at this point.
> > > > > > > > >
> > > > > > > > > Did I get this right? What is the ETA for a set of patches
> > > > > > > > > on the mailing list?
> > > > > > > > >
> > > > > > > > > What is the plan to engage more testers?
> > > > > > > > >
> > > > > > > > > Best, -Michael
> > > > > > > > >
> > > > > > > > > On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
> > > > > > > > > > Hi Stevee, I know you are very busy and working hard on
> > > > > > > > > > this. But if you want to release the new Guardian 2 with
> > > > > > > > > > Core 104 we still need to do some work and it must be
> > > > > > > > > > tested! So please tell us something about the new
> > > > > > > > > > guardian2 and the state of your work.
> > > > > > > > > >
> > > > > > > > > > Maybe we find more testers here on the list.
> > > > > > > > > >
> > > > > > > > > > Meanwhile I've talked with Michael about the state which
> > > > > > > > > > I know of the guardian2 and we both confirm that the
> > > > > > > > > > list of blocked IPs which runs in the background isn't a
> > > > > > > > > > good idea. Please let us talk by phone about it again.
> > > > > > > > > >
> > > > > > > > > > - Daniel
> > > >
> > > > --
> > > > Rod Rodolico
> > > > Daily Data, Inc.
> > > > POB 140465
> > > > Dallas TX 75214-0465
> > > > 214.827.2170
> > > > http://www.dailydata.net

--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net