Koozali.org: home of the SME Server

Problem with Snort+Oinkmaster+Guardian

Stiven
Problem with Snort+Oinkmaster+Guardian
« on: March 26, 2008, 01:29:35 PM »
Hi everybody,

I've installed Snort+Oinkmaster+Guardian thanks to Mastersleepy's rpms and Howto.

But I have a problem: some of my remote users are blocked. I suppose they're blocked by Guardian because their email software is set up to regularly establish an IMAPS connection.

It is quite problematic for professional use to be blocked for 24 hours.

Note that the remote users have different workplaces and dynamic IP addresses, so it is very hard to use the guardian.ignore file.

Can someone solve my problem?

Thanks in advance.

MasterSleepy (http://www.vanhees.cc)
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #1 on: March 26, 2008, 02:16:40 PM »
Hello,

Try to deactivate the imap rules.
Code:
db configuration snortd imap disabled
expand-template /etc/snort/snort.conf
service snortd stop
wait until snort has shut down (check with ps -ef)
Code:
service snortd start
Regards,
MasterSleepy.

Stiven
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #2 on: March 26, 2008, 03:21:42 PM »
Thanks for your quick reply MasterSleepy (and for all the stuff you provide to the community ;-) )

I'll try this and report back on it.

CU

Stiven
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #3 on: March 26, 2008, 03:28:21 PM »
Hmm...

I think there is a little problem with the first command.

Code:
# db configuration snortd setprop imap disabled
usage:
    /sbin/e-smith/db dbfile keys
    /sbin/e-smith/db dbfile print [key]
    /sbin/e-smith/db dbfile show [key]
    /sbin/e-smith/db dbfile get key
    /sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] ...
    /sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] ...
    /sbin/e-smith/db dbfile delete key
    /sbin/e-smith/db dbfile printtype [key]
    /sbin/e-smith/db dbfile gettype key
    /sbin/e-smith/db dbfile settype key type
    /sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] ...
    /sbin/e-smith/db dbfile getprop key prop
    /sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...
    /sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] ...

Are you sure the syntax is correct?

MasterSleepy
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #4 on: March 26, 2008, 03:31:22 PM »
Sorry, the command should be
db configuration setprop snortd imap disabled

++

Stiven
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #5 on: March 26, 2008, 03:46:05 PM »
It does work like that.

Now let's see it.

One last question: does this setting work with Secured IMAP (993)?

MasterSleepy
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #6 on: March 26, 2008, 03:56:20 PM »
Yes!
This action will disable the rules that are contained in the file /etc/snort/rules/imap.rules
Of course it will disable all rules related to imap, so if you want to enable it again, split the rules into two files.

Regards,
MasterSleepy.

Stiven
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #7 on: September 11, 2008, 03:45:03 PM »
Hi everybody,

I reinstalled snort and I have a problem with this hack.

I have

Code:
# db configuration getprop snortd imap
disabled

But when I run

Code:
# expand-template /etc/snort/snort.conf
these lines still appear in the snort.conf file

Code:
include $RULE_PATH/community-imap.rules
...
include $RULE_PATH/imap.rules

The snort.conf has been properly expanded (I checked).

While waiting for a better solution, I commented out the lines in snort.conf, but I fear I will have to do it after each signal-event post-upgrade (not really clean).

Can someone help me?

Thanks in advance.

MasterSleepy
Re: Problem with Snort+Oinkmaster+Guardian
« Reply #8 on: September 13, 2008, 05:47:46 AM »
Hello,

The correct command is
Code:
db configuration setprop snortd imap.rules disabled
db configuration setprop snortd community-imap.rules disabled
Regards,
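The mechanism the replies describe (a property on the snortd configuration record deciding which include lines expand-template writes into snort.conf) together with the check Reply #7 needed, as an added shell example that is not from this thread or from the Mastersleepy rpms. The property list, the rule-file list and the render/check functions are constructed stand-ins, not the real e-smith db or template code; they assume, as in Reply #8, that the property name equals the rule-file name and that the value "disabled" drops the include.

```shell
#!/bin/sh
# Added example: emulate how a per-rule-file property in the "snortd"
# configuration record decides whether "include $RULE_PATH/<file>" is
# written, and verify the result the way Reply #7 had to by hand.

# Constructed stand-in for `db configuration printprop snortd`
# (one "prop=value" per line); not read from the real e-smith db.
SNORTD_PROPS='status=enabled
imap.rules=disabled
community-imap.rules=disabled
pop3.rules=enabled'

# Constructed list of rule files that would sit in /etc/snort/rules.
RULE_FILES='community-imap.rules imap.rules pop3.rules smtp.rules'

# rule_state FILE -> prints the property value for FILE, or "enabled"
# when no property exists (the default the thread relies on).
rule_state() {
    printf '%s\n' "$SNORTD_PROPS" |
        awk -F= -v f="$1" '$1==f {print $2; found=1}
                           END {if (!found) print "enabled"}'
}

# render_includes -> prints the include lines an expanded snort.conf
# should contain: every rule file whose property is not "disabled".
render_includes() {
    for f in $RULE_FILES; do
        [ "$(rule_state "$f")" != disabled ] || continue
        printf 'include $RULE_PATH/%s\n' "$f"
    done
}

# check_conf CONF_TEXT -> returns 0 when no disabled rule file is still
# included, 1 otherwise (the Reply #7 situation), naming each offender.
check_conf() {
    rc=0
    for f in $RULE_FILES; do
        [ "$(rule_state "$f")" = disabled ] || continue
        if printf '%s\n' "$1" | grep -qFx "include \$RULE_PATH/$f"; then
            echo "still included: $f"
            rc=1
        fi
    done
    return $rc
}
```

Run `check_conf "$(cat /etc/snort/snort.conf)"` after `expand-template` to confirm the disabled includes really went away before restarting snortd.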