hmmm. that is what I tried, but it didn't work. Maybe I need to go get another oinkcode or something.
Thank you
On 07/18/2016 12:48 PM, Mark Coolen wrote:
You have to register on snort.org. I think I just followed the instructions on the IDS page in the IPFire GUI and then input my oinkcode. I have no idea which rules to enable once I have them downloaded, but I spent awhile going through them awhile back and guessed ;-)
It does work, and Guardian 2 watches the snort logs and automagically blocks IPs.
On Mon, Jul 18, 2016 at 12:37 AM, R. W. Rodolico <rodo@dailydata.net> wrote:
Can you give me a clue on how to set up Snort? I got nothing on my intrusion logs. I "attacked" it from a remote server (all machines are mine, so I can do that :) and saw nothing. I downloaded some rules from EmergingThreats.net Community Rules and turned several of them on, but saw nothing. I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed up. Just tried the SourceFire VRT Rules for registered users and got an error, and no new rules showed up.

I guess I need to clean this whole thing out and start over, if I can figure out how to clean out the Snort ruleset. If anyone can give me a clue on this, I'll be happy to set it up and try attacking myself.

Selective blocking/unblocking works like a charm.

Rod

On 07/17/2016 06:47 PM, Mark Coolen wrote:
> OK. Now I have everything working well. Guardian is auto-blocking and
> allowing me to selectively block and unblock as well as unblock all.
>
> I think the IDS module really needs some kind of default settings for
> those who want to use it but don't understand the complexities of
> Snort's rules. I just guessed at things when I set Snort up, but it does
> produce logs of possible intrusion attempts and Guardian does respond
> appropriately.
>
> On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico <rodo@dailydata.net> wrote:
>
> > I saw the same issue and filed a bug report
> > (https://bugzilla.ipfire.org/show_bug.cgi?id=11146).
> >
> > When something like this pops up, I generally
> > https://bugzilla.ipfire.org/show_bug.cgi?id=11146
> > immediately after the problem shows up; that usually gives some
> > indication of the problem.
> >
> > As Matthias says, it is a permissions issue on the configuration file
> > directory. Either manually create the files (with correct ownership and
> > permission) or change ownership/permission on the directory. Then, you
> > have a nice, pretty GUI.
> >
> > I was able to efficiently block myself from the GUI after that. Since I
> > don't know anything about how to test Snort, I'm having problems getting
> > it to block automatically, but that is another issue.
> >
> > Rod
> >
> > On 07/16/2016 09:19 AM, Mark Coolen wrote:
> > > I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010?
> > > There's a 2.0-012 under 'old approach' but those files have an older
> > > timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire
> > > package as are the 'dependencies'. I've used Guardian 2 several times in
> > > the past by just extracting according to the instructions on stevee's
> > > ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I
> > > just get a completely blank page in the GUI.
> > > How do we test?
> > >
> > > On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer
> > > <matthias.fischer@ipfire.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > Ok, next.
> > > >
> > > > Am I right assuming that the '2.0-002'-version at
> > > > http://people.ipfire.org/~stevee/guardian-2.0/ plus
> > > > http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is
> > > > the latest!?
> > > >
> > > > Best,
> > > > Matthias
> > > >
> > > > On 16.07.2016 04:03, Mark Coolen wrote:
> > > > > I'm willing to test it as well. I take it the instructions from
> > > > > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> > > > > are still good?
> > > > >
> > > > > On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico
> > > > > <rodo@dailydata.net> wrote:
> > > > >
> > > > > > Tell me what I need to do to test Guardian. I've never installed it,
> > > > > > but I am doing it now.
> > > > > >
> > > > > > Rod
> > > > > >
> > > > > > On 07/15/2016 05:00 AM, Michael Tremer wrote:
> > > > > > > Hi guys,
> > > > > > >
> > > > > > > even if you have a conversation on the phone, please try keeping us
> > > > > > > in the loop.
> > > > > > >
> > > > > > > So the key points of what I know:
> > > > > > >
> > > > > > > * A release is targeted for core update 104
> > > > > > >
> > > > > > > * There are a few changes required so that re-blocking a host after
> > > > > > > it has been manually unblocked allows this host the configured
> > > > > > > number of tries again and not only one.
> > > > > > >
> > > > > > > * Many more testers are required since feedback is really low at
> > > > > > > this point.
> > > > > > >
> > > > > > > Did I get this right? What is the ETA for a set of patches on the
> > > > > > > mailing list?
> > > > > > >
> > > > > > > What is the plan to engage more testers?
> > > > > > >
> > > > > > > Best, -Michael
> > > > > > >
> > > > > > > On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
> > > > > > > > Hi Stevee I know you are very busy and working hard on this.
> > > > > > > > But if you want to release the new Guardian 2 with Core 104 we
> > > > > > > > still need to do some work and it must be tested! So please tell
> > > > > > > > us something about the new guardian2 and the state of your work.
> > > > > > > >
> > > > > > > > Maybe we find more testers here on the list.
> > > > > > > >
> > > > > > > > Meanwhile I've talked with Michael about the state which I know
> > > > > > > > of the guardian2 and we both go confirm that the list of blocked
> > > > > > > > IPs which runs in the background isn't a good idea. Please let us
> > > > > > > > talk by phone about it again.
> > > > > > > >
> > > > > > > > - Daniel
> > >
> > > --
> > > _ _ _ ___ _
> > > )\/,) ___ __ )L, )) __ __ )) __ _ _
> > > ((`(( ((_( (| ((\ ((__((_)((_)(( (('((\(
> >
> > --
> > Rod Rodolico
> > Daily Data, Inc.
> > POB 140465
> > Dallas TX 75214-0465
> > 214.827.2170
> > http://www.dailydata.net
>
> --
> _ _ _ ___ _
> )\/,) ___ __ )L, )) __ __ )) __ _ _
> ((`(( ((_( (| ((\ ((__((_)((_)(( (('((\(

--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net
--
_ _ _ ___ _
)\/,) ___ __ )L, )) __ __ )) __ _ _
((`(( ((_( (| ((\ ((__((_)((_)(( (('((\(