From mboxrd@z Thu Jan  1 00:00:00 1970
From: "R. W. Rodolico" <rodo@dailydata.net>
To: development@lists.ipfire.org
Subject: Re: Guardian 2
Date: Mon, 18 Jul 2016 23:25:35 -0500
Message-ID: <578DABBF.6040909@dailydata.net>
In-Reply-To:
 <CACOO0z_FEq0DmoAqrH=hjyTNo8rpgpUt-obJ2nFDabhU4-NVyg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7531425191196623999=="
List-Id: <development.lists.ipfire.org>

--===============7531425191196623999==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hmmm, that is what I tried, but it didn't work. Maybe I need to go get
another oinkcode or something.

Thank you

On 07/18/2016 12:48 PM, Mark Coolen wrote:
> You have to register on snort.org. I think I just followed the
> instructions on the IDS page in the IPFire GUI and then input my
> oinkcode.
> I have no idea which rules to enable once I have them downloaded, but I
> spent a while going through them a while back and guessed ;-)
>
> It does work, and Guardian 2 watches the snort logs and automagically
> blocks IPs.
>
> On Mon, Jul 18, 2016 at 12:37 AM, R. W. Rodolico <rodo(a)dailydata.net> wrote:
>
>     Can you give me a clue on how to set up Snort? I got nothing on my
>     intrusion logs. I "attacked" it from a remote server (all machines are
>     mine, so I can do that :) and saw nothing. I downloaded some rules from
>     EmergingThreats.net Community Rules and turned several of them on, but
>     saw nothing.
>
>     I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed
>     up. Just tried the SourceFire VRT Rules for registered users and got an
>     error, and no new rules showed up.
>
>     I guess I need to clean this whole thing out and start over, if I can
>     figure out how to clean out the Snort ruleset.
>
>     If anyone can give me a clue on this, I'll be happy to set it up and try
>     attacking myself.
>
>     Selective blocking/unblocking works like a charm.
>
>     Rod
>
>     On 07/17/2016 06:47 PM, Mark Coolen wrote:
>     > OK. Now I have everything working well. Guardian is auto-blocking and
>     > allowing me to selectively block and unblock as well as unblock all.
>     >
>     > I think the IDS module really needs some kind of default settings for
>     > those who want to use it but don't understand the complexities of
>     > Snort's rules. I just guessed at things when I set Snort up, but it does
>     > produce logs of possible intrusion attempts and Guardian does respond
>     > appropriately.
>     >
>     > On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico <rodo(a)dailydata.net> wrote:
>     >
>     >     I saw the same issue and filed a bug report
>     >     (https://bugzilla.ipfire.org/show_bug.cgi?id=11146).
>     >
>     >     When something like this pops up, I generally
>     >     https://bugzilla.ipfire.org/show_bug.cgi?id=11146
>     >     immediately after the problem shows up; that usually gives some
>     >     indication of the problem.
>     >
>     >     As Matthias says, it is a permissions issue on the configuration file
>     >     directory. Either manually create the files (with correct ownership and
>     >     permission) or change ownership/permission on the directory. Then, you
>     >     have a nice, pretty GUI.
>     >
>     >     I was able to efficiently block myself from the GUI after that. Since I
>     >     don't know anything about how to test Snort, I'm having problems getting
>     >     it to block automatically, but that is another issue.
>     >
>     >     Rod
>     >
>     >     On 07/16/2016 09:19 AM, Mark Coolen wrote:
>     >     > I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010?
>     >     > There's a 2.0-012 under 'old approach' but those files have an older
>     >     > timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire
>     >     > package as are the 'dependencies'. I've used Guardian 2 several times in
>     >     > the past by just extracting according to the instructions on stevee's
>     >     > ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I
>     >     > just get a completely blank page in the GUI.
>     >     > How do we test?
>     >     >
>     >     > On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer
>     >     > <matthias.fischer(a)ipfire.org> wrote:
>     >     >
>     >     >     Hi,
>     >     >
>     >     >     Ok, next.
>     >     >
>     >     >     Am I right assuming that the '2.0-002'-version at
>     >     >     http://people.ipfire.org/~stevee/guardian-2.0/ plus
>     >     >     http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is
>     >     >     the latest!?
>     >     >
>     >     >     Best,
>     >     >     Matthias
>     >     >
>     >     >     On 16.07.2016 04:03, Mark Coolen wrote:
>     >     >     > I'm willing to test it as well. I take it the instructions from
>     >     >     > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
>     >     >     > are still good?
>     >     >     >
>     >     >     > On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico
>     >     >     > <rodo(a)dailydata.net> wrote:
>     >     >     >
>     >     > Tell me what I need to do to test Guardian. I've never installed it,
>     >     > but I am doing it now.
>     >     >
>     >     > Rod
>     >     >
>     >     > On 07/15/2016 05:00 AM, Michael Tremer wrote:
>     >     >> Hi guys,
>     >     >>
>     >     >> even if you have a conversation on the phone, please try keeping us
>     >     >> in the loop.
>     >     >>
>     >     >> So the key points of what I know:
>     >     >>
>     >     >> * A release is targeted for core update 104
>     >     >>
>     >     >> * There are a few changes required so that re-blocking a host after
>     >     >> it has been manually unblocked allows this host the configured
>     >     >> number of tries again and not only one.
>     >     >>
>     >     >> * Many more testers are required since feedback is really low at
>     >     >> this point.
>     >     >>
>     >     >> Did I get this right? What is the ETA for a set of patches on the
>     >     >> mailing list?
>     >     >>
>     >     >> What is the plan to engage more testers?
>     >     >>
>     >     >> Best, -Michael
>     >     >>
>     >     >> On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
>     >     >>> Hi Stevee, I know you are very busy and working hard on this.
>     >     >>> But if you want to release the new Guardian 2 with Core 104 we
>     >     >>> still need to do some work and it must be tested! So please tell
>     >     >>> us something about the new guardian2 and the state of your work.
>     >     >>>
>     >     >>> Maybe we find more testers here on the list.
>     >     >>>
>     >     >>> Meanwhile I've talked with Michael about the state which I know
>     >     >>> of the guardian2 and we both confirm that the list of blocked
>     >     >>> IPs which runs in the background isn't a good idea. Please let us
>     >     >>> talk by phone about it again.
>     >     >>>
>     >     >>> - Daniel
>     >     >
>
> --
>  _  _           _     ___         _
>  )\/,) ___  __  )L,   ))  __  __  )) __ _ _
> ((`(( ((_( (|  ((\   ((__((_)((_)(( (('((\(

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net

--===============7531425191196623999==--
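Michael's point about re-blocking after a manual unblock, and Mark's description of Guardian watching the Snort logs, as an added Python model that is not Guardian's own code: it pulls the source address out of constructed alert_fast lines, counts alerts per source, blocks at a configured threshold, and shows why a manual unblock has to reset the counter, since otherwise the host is re-blocked after a single further alert instead of after the configured number of tries. The log lines, SIDs, addresses and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Snort "alert_fast" style lines (not a real capture): three from 203.0.113.5, one from 198.51.100.7.
SNORT_FAST_LOG = """\
07/18-22:10:01.000001  [**] [1:1000001:1] LOCAL test alert [**] [Priority: 1] {TCP} 203.0.113.5:4444 -> 192.0.2.10:80
07/18-22:10:02.000002  [**] [1:1000001:1] LOCAL test alert [**] [Priority: 1] {TCP} 203.0.113.5:4445 -> 192.0.2.10:80
07/18-22:10:03.000003  [**] [1:1000002:1] LOCAL scan alert [**] [Priority: 2] {TCP} 198.51.100.7:50000 -> 192.0.2.10:1433
07/18-22:10:04.000004  [**] [1:1000001:1] LOCAL test alert [**] [Priority: 1] {TCP} 203.0.113.5:4446 -> 192.0.2.10:80
"""
# Source address sits between the "{PROTO}" tag and "->"; ICMP lines carry no port.
ALERT_RE = re.compile(r"\{\w+\} (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")

def parse_sources(log_text):
    """Yield the source IP of every alert line; non-matching lines are skipped."""
    for m in map(ALERT_RE.search, log_text.splitlines()):
        if m:
            yield m.group(1)

class BlockList:
    """Per-source attempt counter with a block threshold (a model, not Guardian's code)."""
    def __init__(self, max_tries):
        self.max_tries = max_tries
        self.tries = defaultdict(int)
        self.blocked = set()

    def note_alert(self, src):
        """Count one alert for src; return True when this alert triggers a block."""
        if src in self.blocked:
            return False
        self.tries[src] += 1
        if self.tries[src] >= self.max_tries:
            self.blocked.add(src)
            return True
        return False

    def unblock(self, src, reset_counter):
        """Manual unblock; without the reset the host is re-blocked on its next alert."""
        self.blocked.discard(src)
        if reset_counter:
            self.tries.pop(src, None)

def replay(log_text, max_tries, reset_on_unblock):
    """Run the log, unblock each blocked host by hand, then deliver one more alert."""
    bl = BlockList(max_tries)
    blocked = [src for src in parse_sources(log_text) if bl.note_alert(src)]
    for src in blocked:
        bl.unblock(src, reset_on_unblock)
    reblocked = [src for src in blocked if bl.note_alert(src)]
    return blocked, reblocked
```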