Can you give me a clue on how to set up Snort? I got nothing on my intrusion logs. I "attacked" it from a remote server (all machines are mine, so I can do that :) and saw nothing. I downloaded some rules from EmergingThreats.net Community Rules and turned several of them on, but saw nothing.
I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed up. Just tried the SourceFire VRT Rules for registered users and got an error, and no new rules showed up.
I guess I need to clean this whole thing out and start over, if I can figure out how to clean out the Snort ruleset.
If anyone can give me a clue on this, I'll be happy to set it up and try attacking myself.
Selective blocking/unblocking works like a charm.
Rod
On 07/17/2016 06:47 PM, Mark Coolen wrote:
OK. Now I have everything working well. Guardian is auto-blocking and allowing me to selectively block and unblock as well as unblock all.
I think the IDS module really needs some kind of default settings for those who want to use it but don't understand the complexities of Snort's rules. I just guessed at things when I set Snort up, but it does produce logs of possible intrusion attempts and Guardian does respond appropriately.
On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico <rodo@dailydata.net> wrote:
I saw the same issue and filed a bug report (https://bugzilla.ipfire.org/show_bug.cgi?id=11146). When something like this pops up, I generally https://bugzilla.ipfire.org/show_bug.cgi?id=11146 immediately after the problem shows up; that usually gives some indication of the problem.

As Matthias says, it is a permissions issue on the configuration file directory. Either manually create the files (with correct ownership and permission) or change ownership/permission on the directory. Then, you have a nice, pretty GUI. I was able to efficiently block myself from the GUI after that. Since I don't know anything about how to test Snort, I'm having problems getting it to block automatically, but that is another issue.

Rod

On 07/16/2016 09:19 AM, Mark Coolen wrote:
> I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010? There's a 2.0-012 under 'old approach' but those files have an older timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire package as are the 'dependencies'. I've used Guardian 2 several times in the past by just extracting according to the instructions on stevee's ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I just get a completely blank page in the GUI.
> How do we test?
>
> On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
>> Hi,
>>
>> Ok, next.
>>
>> Am I right assuming that the '2.0-002'-version at http://people.ipfire.org/~stevee/guardian-2.0/ plus http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is the latest!?
>>
>> Best,
>> Matthias
>>
>> On 16.07.2016 04:03, Mark Coolen wrote:
>>> I'm willing to test it as well. I take it the instructions from http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire are still good?
>>>
>>> On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico <rodo@dailydata.net> wrote:
>>>> Tell me what I need to do to test Guardian. I've never installed it, but I am doing it now.
>>>>
>>>> Rod
>>>>
>>>> On 07/15/2016 05:00 AM, Michael Tremer wrote:
>>>>> Hi guys,
>>>>>
>>>>> even if you have a conversation on the phone, please try keeping us in the loop.
>>>>>
>>>>> So the key points of what I know:
>>>>>
>>>>> * A release is targeted for core update 104
>>>>>
>>>>> * There are a few changes required so that re-blocking a host after it has been manually unblocked allows this host the configured number of tries again and not only one.
>>>>>
>>>>> * Many more testers are required since feedback is really low at this point.
>>>>>
>>>>> Did I get this right? What is the ETA for a set of patches on the mailing list?
>>>>>
>>>>> What is the plan to engage more testers?
>>>>>
>>>>> Best,
>>>>> -Michael
>>>>>
>>>>> On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
>>>>>> Hi Stevee
>>>>>> I know you are very busy and working hard on this. But if you want to release the new Guardian 2 with Core 104 we still need to do some work and it must be tested! So please tell us something about the new guardian2 and the state of your work.
>>>>>>
>>>>>> Maybe we find more testers here on the list.
>>>>>>
>>>>>> Meanwhile I've talked with Michael about the state which I know of the guardian2 and we both confirm that the list of blocked IPs which runs in the background isn't a good idea. Please let us talk by phone about it again.
>>>>>>
>>>>>> - Daniel

-- 
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net