Koozali.org: home of the SME Server

Obsolete Releases => SME 7.x Contribs => Topic started by: Stiven on March 26, 2008, 01:29:35 PM

Title: Problem with Snort+Oinkmaster+Guardian
Post by: Stiven on March 26, 2008, 01:29:35 PM
Hi everybody,

I've installed Snort+Oinkmaster+Guardian thanx to Mastersleepy rpms and Howto.

But I have a problem : some of the remote users are blocked. I suppose they're blocked by Guardian 'cause their email software is set up to regularly establish an IMAPS connection.

It is quite problematic for professional use to be blocked for 24 hours.

Note that the remote users have different workplaces and dynamic IP addresses, so it is very hard to use the guardian.ignore file.

Can someone solve my problem ?

Thanx in advance.
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: MasterSleepy on March 26, 2008, 02:16:40 PM
Hello,

Try to deactivate the imap rules.
Code:
db configuration snortd imap disabled
expand-template /etc/snort/snort.conf
service snortd stop
wait until snort has shut down (check with ps -ef)
Code:
service snortd start
Regards,
MasterSleepy.
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: Stiven on March 26, 2008, 03:21:42 PM
Thanx for your quick reply MasterSleepy (and all the stuff you provide to the community  ;-) )

I'll try this and give a return on it.

CU
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: Stiven on March 26, 2008, 03:28:21 PM
hum...

I think there is a little problem with the first command.

Code:
# db configuration snortd setprop imap disabled
usage:
    /sbin/e-smith/db dbfile keys
    /sbin/e-smith/db dbfile print [key]
    /sbin/e-smith/db dbfile show [key]
    /sbin/e-smith/db dbfile get key
    /sbin/e-smith/db dbfile set key type [prop1 val1] [prop2 val2] ...
    /sbin/e-smith/db dbfile setdefault key type [prop1 val1] [prop2 val2] ...
    /sbin/e-smith/db dbfile delete key
    /sbin/e-smith/db dbfile printtype [key]
    /sbin/e-smith/db dbfile gettype key
    /sbin/e-smith/db dbfile settype key type
    /sbin/e-smith/db dbfile printprop key [prop1] [prop2] [prop3] ...
    /sbin/e-smith/db dbfile getprop key prop
    /sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...
    /sbin/e-smith/db dbfile delprop key prop1 [prop2] [prop3] ...

Are you sure the syntax is correct ?
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: MasterSleepy on March 26, 2008, 03:31:22 PM
Sorry, the command should be
db configuration setprop snortd imap disabled

++
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: Stiven on March 26, 2008, 03:46:05 PM
It does work like that.

Now let's see it.

A last question : does this setting work with Secured IMAP (993) ?
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: MasterSleepy on March 26, 2008, 03:56:20 PM
Yes!
This action will disable the rules that are contained in the file /etc/snort/rules/imap.rules
Of course it will disable all rules related to imap, so if you want to enable some of them again, split the rules into two files.

Regards,
MasterSleepy.
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: Stiven on September 11, 2008, 03:45:03 PM
Hi everybody,

I reinstalled snort and I have a problem with this hack.

I have

Code:
# db configuration getprop snortd imap
disabled

But when I get

Code:
# expand-template /etc/snort/snort.conf
These lines still appear in the snort.conf file

Code:
include $RULE_PATH/community-imap.rules
...
include $RULE_PATH/imap.rules

The snort.conf has been properly expanded (I checked).

While waiting for a better solution, I comment out the lines in snort.conf, but I fear I would have to do it after each signal-event post-upgrade (not really clean).

Can someone help me ?

Thanx in advance.
Title: Re: Problem with Snort+Oinkmaster+Guardian
Post by: MasterSleepy on September 13, 2008, 05:47:46 AM
Hello,

The correct command is
Code:
db configuration setprop snortd imap.rules disabled
db configuration setprop snortd community-imap.rules disabled
Regards,
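The procedure that emerges from this thread (set the per-file property in the SME configuration db with the names from the last reply, re-expand snort.conf, restart snortd) and Stiven's manual check that the include lines really disappeared, put together as an added shell example. This is not code from the thread or from the snort contrib itself; it assumes the SME Server tools db, expand-template and service exist on the target box, and the `active_includes` check works on any system with awk. The snort.conf content below is constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread or the contrib's own scripts.

# Mark each named rule file as disabled in the SME configuration db
# (property names as given in the last reply of the thread), regenerate
# snort.conf from its template and restart snortd. Unlike editing
# snort.conf by hand, the db setting survives a later template expansion.
# Assumes: db, expand-template and service are the SME Server tools.
disable_rule_files() {
    for f in "$@"; do
        db configuration setprop snortd "$f" disabled || return 1
    done
    expand-template /etc/snort/snort.conf || return 1
    service snortd stop
    # wait until no snort process is left before starting again
    while ps -ef | grep -q '[s]nort'; do sleep 1; done
    service snortd start
}

# Verification step: return 0 if none of the named rule files is still
# included (uncommented) in the given snort.conf, otherwise print the
# offending lines and return 1. Lines starting with '#' are ignored because
# their first field is not the bare word "include".
active_includes() {
    conf=$1; shift
    rc=0
    for f in "$@"; do
        if awk -v want="\$RULE_PATH/$f" \
            '$1 == "include" && $2 == want { found = 1; print }
             END { exit !found }' "$conf"; then
            rc=1
        fi
    done
    return $rc
}

# Constructed sample snort.conf: imap.rules has been commented out, but
# community-imap.rules is still included (the situation from the thread
# before the second property was set).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
var RULE_PATH /etc/snort/rules
include $RULE_PATH/community-imap.rules
include $RULE_PATH/pop3.rules
#include $RULE_PATH/imap.rules
EOF

# Usage when run directly: report which of the two files is still active.
if active_includes "$SAMPLE_CONF" imap.rules community-imap.rules; then
    echo "no imap rule files are included any more"
else
    echo "some imap rule files are still included (see lines above)"
fi
```

On a real box you would run `disable_rule_files imap.rules community-imap.rules` and then `active_includes /etc/snort/snort.conf imap.rules community-imap.rules`; a non-zero return means the template expansion did not drop an include and the db property name is probably wrong, exactly the symptom in the September post.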