Re: Betatest Guardian 2.0

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5472 bytes --]

On 20.07.2016 15:33, Stefan Schantl wrote:
> Hello testers,

Hi Stefan,

> I've uploaded  a new test version (003).

Thanks! ;-)

> Update or fresh install works like described in the announcement mail.
> 
> The Changelog can be found here:
> 
> http://people.ipfire.org/~stevee/guardian-2.0/Changelog.txt
> 
> At the moment I'm missing feedback for the following functions:
> 
> * Manually blocking / unblocking addresses.

Tested - seems to work.
Manually added to block list: "Connection timed out".
Unblocked: Runs at once.
Logs says: "<info> Socket - User-requested action."

> * Dealing with the ignore list.

Added my own IP and tried to login - with wrong password.

Log says:
"16:12:37	guardian[5773]: 	<info> Reloading ignore list...
16:12:57	guardian[5773]: 	<info> Ignoring event for 192.XXX.YYY.ZZZ,
because it is part of the ignore list.
16:13:01	guardian[5773]: 	<info> Ignoring event for 192.XXX.YYY.ZZZ,
because it is part of the ignore list.
16:13:05	guardian[5773]: 	<info> Ignoring event for 192.XXX.YYY.ZZZ,
because it is part of the ignore list. "

After deleting this entry and after the second attempt (Blockcount = 2)
the IP was blocked - tested with my daughter... <EG>

> * Owncloud message parser.

Can't test this here, sorry.

> * Logrotate, there should be an corresponding log entry in the guardian
> logfile after rotation of the logfiles have been done.

Using 'syslog' there were NO rotation entry yesterday, the log just went on.

> * Reload of the ignore list after "Red" has been reconnected. There
> also a corresponding log entry should be logged to the logfile and the
> new "Red-address" should also be logged as part of the ignore list (If
> you own an dynamic assigned one).

I'm "static", sorry. ;-)

> As always please report your bugs or experience with the new version to
> this list.

One suggestion:

The 'ids.cgi' contains the old 'snortrules'-version and an outdated
license link (patch attached).

Best,
Matthias

> Best regards,
> 
> -Stefan
> 
>> Hello mailing list followers,
>> 
>> this is the official release announcement for the first beta release
>> of
>> the new Guardian 2.0 approach.
>> 
>> 
>> - What are the differences to the current version of guardian
>> (legacy)
>> and the first approach of guardian 2.0?
>> 
>> The most important difference is, that the new version of Guardian
>> 2.0
>> completely has been re-written from scratch and released under the
>> terms of the GPLv3. The legacy version of guardian is not maintained
>> anymore by it's developer and the software has been released without
>> any license details at all.
>> 
>> Guardian 2.0 has a very modular code base and has been designed as a
>> multi-threaded application. This allows a parallel parsing of all
>> monitored logfiles and faster actions, if one of the used modules
>> detects an attack.
>> 
>> A very important difference to the legacy version is the support of
>> configuring and managing the entire service through the IPFire
>> webinterface. The entire configuration, managing of current blocked
>> hosts, unblocking them or editing the ignored hosts list now can be
>> done in a graphical way. 
>> 
>> The legacy version of guardian only supported parsing snort alerts.
>> HTTPD and SSH support has been patched by the IPFire development team
>> some time ago. Guardian 2.0 supports all of them out of the box and
>> includes a filter to detect owncloud login brute-force attempts. As a
>> benefit of the new modular design, additional filters easily can be
>> added.
>> 
>> Guardian 2.0 is able to reload it's configuration, reloading
>> the ignore list during runtime and handle, if the logfiles will get
>> rotated by logrotate. This actions can be called by using the
>> webinterface or from the command line interface by using
>> "guardianctrl".
>> 
>> These are just a handful of the changes and benefits which comes with
>> Guardian 2.0, a complete list would be to long for this mailing list.
>> 
>> 
>> - How to join testing?
>> 
>> To get part of the testing team, simple navigate to http://people.ipf
>> ir
>> e.org/~stevee/guardian-2.0/ and download the latest tarball
>> (currently
>> 002). Please take care to download the correct one, based on your
>> used
>> architecture. The i585 packages are for 32Bit installations of
>> IPFire,
>> the x86_64 packages only can be used on 64Bit installations.
>> 
>> Put the downloaded file on your IPFire test system and extract the
>> package by using "tar -xvf guardian-2.0-002.<arch>.tar.gz -C /".
>> 
>> The final installation step would be to regenerate the language cache
>> by executing "update-lang-cache" on the console.
>> 
>> From now you can find a new menu item called "Guardian" in your
>> "Service" menu after you have logged-in into your IPFire's
>> webinterface.
>> 
>> Documentation can be found on the IPFire wiki: http://wiki.ipfire.org
>> /e
>> n/addons/guardian/start#the_guardian_20_addon
>> 
>> 
>> - Where to post bugs reports or provide feedback?
>> 
>> If you find any bugs, please report them as usual on the IPFire
>> bugtracker, which can be found at https://bugzilla.ipfire.org.
>> 
>> To provide feedback or to join a discussion, please send your mails
>> to
>> "development(a)lists.ipfire.org" (Please register first at http://lists
>> .i
>> pfire.org if not yet done).
>> 
>> The source code can be found at http://git.ipfire.org/?p=people/steve
>> e/
>> guardian.git;a=summary
>> 
>> 
>> Happy testing,
>> 
>> -Stefan
>> 
> 




[-- Attachment #2: snort_ids_cgi_latest_rules_and_link.txt --]
[-- Type: text/plain, Size: 1357 bytes --]

--- old/ids.cgi	Wed Oct 22 19:27:52 2014
+++ new/ids.cgi	Tue Jul 19 04:10:39 2016
@@ -254,9 +254,9 @@
 #######################  End added for snort rules control  #################################
 
 if ($snortsettings{'RULES'} eq 'subscripted') {
-	$url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
+	$url=" https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
 } elsif ($snortsettings{'RULES'} eq 'registered') {
-	$url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
+	$url=" https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
 } elsif ($snortsettings{'RULES'} eq 'community') {
 	$url=" https://www.snort.org/rules/community";
 } else {
@@ -485,7 +485,7 @@
 </tr>
 <tr>
 	<td><br />
-		$Lang::tr{'ids rules license'} <a href='https://www.snort.org/signup' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}<br /><br />
+		$Lang::tr{'ids rules license'} <a href='https://www.snort.org/subscribe' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}<br /><br />
 		$Lang::tr{'ids rules license2'} <a href='https://www.snort.org/account/oinkcode' target='_blank'>Get an Oinkcode</a>, $Lang::tr{'ids rules license3'}
 	</td>
 </tr>