Can you give me a clue on how to set up Snort? I got nothing on my
intrusion logs. I "attacked" it from a remote server (all machines are
mine, so I can do that :) and saw nothing. I downloaded some rules from
EmergingThreats.net Community Rules and turned several of them on, but
saw nothing.
I had tried to do the Snort/VRT GPLv2 Community Rules and no rules showed
up. Just tried the SourceFire VRT Rules for registered users and got an
error, and no new rules showed up.
I guess I need to clean this whole thing out and start over, if I can
figure out how to clean out the Snort ruleset.
If anyone can give me a clue on this, I'll be happy to set it up and try
attacking myself.
Selective blocking/unblocking works like a charm.
Rod
On 07/17/2016 06:47 PM, Mark Coolen wrote:
> OK. Now I have everything working well. Guardian is auto-blocking and
> allowing me to selectively block and unblock as well as unblock all.
>
> I think the IDS module really needs some kind of default settings for
> those who want to use it but don't understand the complexities of
> Snort's rules. I just guessed at things when I set Snort up, but it does
> produce logs of possible intrusion attempts and Guardian does respond
> appropriately.
>
> On Sat, Jul 16, 2016 at 2:43 PM, R. W. Rodolico <rodo@dailydata.net> wrote:
>
> I saw the same issue and filed a bug report
> (https://bugzilla.ipfire.org/show_bug.cgi?id=11146).
>
> When something like this pops up, I generally
> https://bugzilla.ipfire.org/show_bug.cgi?id=11146
> immediately after the problem shows up; that usually gives some
> indication of the problem.
>
> As Matthias says, it is a permissions issue on the configuration file
> directory. Either manually create the files (with correct ownership and
> permission) or change ownership/permission on the directory. Then, you
> have a nice, pretty GUI.
>
> I was able to efficiently block myself from the GUI after that. Since I
> don't know anything about how to test Snort, I'm having problems getting
> it to block automatically, but that is another issue.
>
> Rod
>
> On 07/16/2016 09:19 AM, Mark Coolen wrote:
> > I'm a bit confused about that. Why would 2.0-002 be newer than 2.0-010?
> > There's a 2.0-012 under 'old approach' but those files have an older
> > timestamp. The 2.0-002 is a tarball, but the 2.0-010 is an ipfire
> > package as are the 'dependencies'. I've used Guardian 2 several times in
> > the past by just extracting according to the instructions on stevee's
> > ;--) page, but that doesn't seem to work with the 2.0-002 tarball. I
> > just get a completely blank page in the GUI.
> > How do we test?
> >
> > On Sat, Jul 16, 2016 at 2:59 AM, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> >
> > Hi,
> >
> > Ok, next.
> >
> > Am I right assuming that the '2.0-002'-version at
> > http://people.ipfire.org/~stevee/guardian-2.0/ plus
> > http://people.ipfire.org/~stevee/guardian-2.0/packages/dependencies/ is
> > the latest!?
> >
> > Best,
> > Matthias
> >
> > On 16.07.2016 04:03, Mark Coolen wrote:
> > > I'm willing to test it as well. I take it the instructions from
> > > http://planet.ipfire.org/post/introducing-guardian-2-0-for-ipfire
> > are still
> > > good?
> > >
> > > On Fri, Jul 15, 2016 at 8:23 PM, R. W. Rodolico <rodo@dailydata.net> wrote:
> > >
> > Tell me what I need to do to test Guardian. I've never installed it,
> > but I am doing it now.
> >
> > Rod
> >
> > On 07/15/2016 05:00 AM, Michael Tremer wrote:
> >> Hi guys,
> >
> >> even if you have a conversation on the phone, please try keeping us
> >> in the loop.
> >
> >> So the key points of what I know:
> >
> >> * A release is targeted for core update 104
> >
> >> * There are a few changes required so that re-blocking a host after
> >> it has been manually unblocked allows this host the configured
> >> number of tries again and not only one.
> >
> >> * Many more testers are required since feedback is really low at
> >> this point.
> >
> >> Did I get this right? What is the ETA for a set of patches on the
> >> mailing list?
> >
> >> What is the plan to engage more testers?
> >
> >> Best, -Michael
> >
> >> On Thu, 2016-07-14 at 14:36 +0200, Daniel Weismüller wrote:
> >>> Hi Stevee, I know you are very busy and working hard on this.
> >>> But if you want to release the new Guardian 2 with Core 104 we
> >>> still need to do some work and it must be tested! So please tell
> >>> us something about the new guardian2 and the state of your work.
> >>>
> >>> Maybe we find more testers here on the list.
> >>>
> >>> Meanwhile I've talked with Michael about the state which I know
> >>> of the guardian2 and we both confirm that the list of blocked
> >>> IPs which runs in the background isn't a good idea. Please let us
> >>> talk by phone about it again.
> >>>
> >>> - Daniel
--
Rod Rodolico
Daily Data, Inc.
POB 140465
Dallas TX 75214-0465
214.827.2170
http://www.dailydata.net