Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Guck Puppy on May 12, 2003, 09:49:29 PM
-
I just installed this IDS thingy and it's doing what it's supposed to do. The "Guardian" part of it (http://www.chaotic.org/guardian/) is also doing what it's supposed to do (block the IP address of the "attacker" for 24 hours).
I just wanted to point out to anyone who fits into any of the following categories that the default setup may need a bit of tweaking:
- you host public websites you want spidered by search engines
- you host your own primary dns which you want seconded by an external nameserver
By default, snort & guardian will
- block any ip (for 24 hours) that asks for your robots.txt file
(edit /etc/web-misc.rules)
- block any ip (for 24 hours) that attempts a dns zone transfer
(edit /etc/dns.rules)
This is probably all fine and good for the majority that don't run dns or web - although even for them, the ports would not be open so why would you monitor?
Also I was surprised that the snort rules weren't templated... although I guess the automatic updating of the rules could have something to do with that. Actually, with that in mind, I wonder what will happen to the rules I have turned off once the weekly rule update happens?
G
-
I think the snort rules are located under the "rules" directory and you define which rules to use in /etc/snort/snort.conf. The snort.conf doesn't get updated with the weekly update. Just going from memory here since I'm away from my SME.
-
You are correct.
That web-robots rule I mentioned... I'm trying to figure out how I can make sure it stays disabled (so guardian doesn't block the spider) while at the same time getting regular rule updates... perhaps some combination of grep and sed...?
G
-
It's not pretty, but you can use grep to remove rules you don't want when the update happens.
I added these lines to update-rules.sh after the rules are copied in place:
# remove excluded rules (runs after the fresh rules have been copied into /etc/snort)
echo REMOVE EXCLUDED RULES
# grep -v keeps every line that does NOT match the pattern; the filtered copy goes to /tmp
# first and is only moved over the live file if grep succeeded, so a failed grep can never
# leave an empty rules file behind
/bin/grep -v --extended-regexp "WEB-MISC robots?.txt access" /etc/snort/web-misc.rules > /tmp/snort_web-misc.rules \
  && mv /tmp/snort_web-misc.rules /etc/snort/web-misc.rules
/bin/grep -v --extended-regexp "DNS zone transfer ..." /etc/snort/dns.rules > /tmp/snort_dns.rules \
  && mv /tmp/snort_dns.rules /etc/snort/dns.rules
The "grep -v" thing means "give me everything in the file that doesn't match", effectively removing the rules you don't want.
G
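As an added example (not the thread's update-rules.sh and not anything shipped with SME Server), here is a shell function that comments unwanted rules out by msg pattern instead of deleting them, so the same exclusions can be re-applied after every weekly rule update without touching already-disabled lines. The rules file, its path and its sids are constructed for the demo; the only assumption about real Snort files is the one-rule-per-line format with "#" comments.

```shell
#!/bin/sh
# Added example (not the thread's script): instead of deleting unwanted rules with grep -v,
# comment them out by msg pattern. The rule stays visible in the file, and because an
# already-commented line is skipped the function can be run after every weekly update.
# Assumes Snort's one-rule-per-line format with "#" comments; paths and sids are constructed.

# disable_rules PATTERN FILE
#   Prefixes every active rule line matching extended regex PATTERN with "# ".
#   Prints how many rules were disabled this run; leaves FILE untouched on any error.
disable_rules() {
    pattern=$1
    file=$2
    tmp="$file.tmp.$$"
    [ -f "$file" ] || { echo "disable_rules: no such file: $file" >&2; return 1; }
    # ^[^#] restricts the match to lines that are not already commented out
    n=$(grep -c -E "^[^#].*$pattern" "$file") || n=0   # grep -c exits 1 on a zero count
    if [ "$n" -gt 0 ]; then
        # write to a temp file and swap it in, so a failed sed never truncates the rules;
        # the address delimiter is | so a PATTERN containing / still works
        sed -E "\|^[^#].*$pattern|s|^|# |" "$file" > "$tmp" \
            && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    fi
    echo "$n"
}

# demo_rules_file: writes a constructed two-rule web-misc.rules (placeholder sids) to a
# temp directory and prints its path
demo_rules_file() {
    f="$(mktemp -d)/web-misc.rules"
    cat > "$f" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC robots.txt access"; content:"/robots.txt"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC example rule kept"; content:"/example"; sid:9000002; rev:1;)
EOF
    echo "$f"
}

# Stand-alone run: disable the robots.txt rule, then show that a second run is a no-op.
RULES=$(demo_rules_file)
echo "first run disabled:  $(disable_rules 'WEB-MISC robots?\.txt access' "$RULES")"   # 1
echo "second run disabled: $(disable_rules 'WEB-MISC robots?\.txt access' "$RULES")"   # 0
cat "$RULES"
```

Calling it once per excluded pattern at the end of the update script gives the same effect as the grep -v lines above, with the disabled rule still visible in the file for the next person who reads it.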