
P Jones
Resolved
0 votes
I have two ClearOS 6.7 servers at different locations with Intrusion Protection subscriptions, and neither one is showing any IP addresses in the Blocked List. Both servers stopped blocking hosts on April 27 at about 4:00 PM EST. As it happens this is right about the time that the 0426 ClearSDN intrusion protection update was automatically applied.
Friday, April 29 2016, 01:45 AM
Responses (9)
  • Wednesday, May 04 2016, 02:00 AM - #Permalink
    Peter Broch wrote:

    I haven't experienced problems with blocking. Likely because I never received the 27 April signature update. Will it arrive anytime soon?


    The update was released yesterday, so the April 27 update was deprecated.
  • Tuesday, May 03 2016, 11:42 PM - #Permalink
    I haven't experienced problems with blocking. Likely because I never received the 27 April signature update. Will it arrive anytime soon?

    Cheers

    Peter
  • Monday, May 02 2016, 06:29 PM - #Permalink
    Oh - the issue was with the way the back-end handled Snort ID mappings. The little test script that we run weekly didn't capture the fwsam tag properly.
  • Monday, May 02 2016, 06:27 PM - #Permalink
    An update was just released today. You can upgrade right away with:

    yum upgrade clearsdn-intrusion-protection
  • Dean Kempe
    Monday, May 02 2016, 12:32 PM - #Permalink
    Community Edition with IP subscription, and I have the same issue since 27/4.
    Any solution at all?
  • P Jones
    Sunday, May 01 2016, 12:08 PM - #Permalink
  • Saturday, April 30 2016, 04:51 PM - #Permalink
    Since you've subscribed to the rules updates, please can one of you raise a ticket with Clearcenter?
  • Saturday, April 30 2016, 02:20 PM - #Permalink
    I confirm. I'm using ClearOS Home Edition, and since the last intrusion-prevention update no more IPs are banned; before that I had a lot of banned IPs.
    A quick look in /etc/snort.d/rules/clearcenter shows that only one alert activates snortsam.

    What I did:
    cat /etc/snort.d/rules/clearcenter/*.rules | grep fwsam:

    and this is what I get:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:6; fwsam: src, 1 day;)


    Every rule that normally should activate snortsam is missing this statement "fwsam: src, 1 day;)" at the end of the alert.
    So please, Clearcenter, could you investigate?
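The grep check in the post above, and the weekly test script mentioned in the May 2 reply that "didn't capture the fwsam tag properly", both come down to one audit: which enabled alert rules in the ClearCenter rules directory carry the fwsam: option that SnortSam needs to block a host, and which do not. The script below is an added example, not code from the thread or from ClearCenter. It counts rules with and without fwsam:, lists the SIDs of the ones that will fire but never block, and exits non-zero when fewer than a threshold carry the option. The sample rules file is constructed here: its first line is the rule quoted in the post, the SAMPLE lines are made up, and the threshold of 2 and the directory path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearCenter.
# Audits a Snort rules directory for alert rules that lack the "fwsam:"
# option SnortSam needs to block the offending host. Commented-out
# (disabled) rules are ignored. The directory path and threshold below
# are assumptions; the sample rules are constructed for illustration.

# Enabled alert rules in a file that carry an fwsam: option.
count_fwsam_rules() {
    grep -E '^[[:space:]]*alert ' "$1" | grep -c 'fwsam:' || true
}

# Enabled alert rules in a file that do NOT carry an fwsam: option.
count_nonfwsam_rules() {
    grep -E '^[[:space:]]*alert ' "$1" | grep -vc 'fwsam:' || true
}

# Print "sid <sid>  <msg>" for every enabled alert rule in the directory
# that will fire but never trigger a SnortSam block.
list_missing_fwsam() {
    for f in "$1"/*.rules; do
        [ -f "$f" ] || continue
        grep -E '^[[:space:]]*alert ' "$f" | grep -v 'fwsam:' |
            sed -n 's/.*msg:"\([^"]*\)".*sid:\([0-9]*\);.*/sid \2  \1/p'
    done
}

# Succeed (exit 0) only if at least $2 (default 2) enabled alert rules in
# the directory carry fwsam:. The thread reports a broken rule set with a
# single such rule, so a low count is the symptom to alarm on.
check_rules_dir() {
    dir="$1"; min="${2:-2}"; total=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        total=$((total + $(count_fwsam_rules "$f")))
    done
    echo "fwsam-tagged alert rules in $dir: $total"
    [ "$total" -ge "$min" ]
}

# Constructed sample rules file: the first line is the rule quoted in the
# thread, the SAMPLE lines are made up. Two rules carry fwsam:, two do not,
# and one fwsam: rule is commented out and must not be counted.
make_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"ET SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; reference:url,doc.emergingthreats.net/2002993; classtype:misc-activity; sid:2002993; rev:6; fwsam: src, 1 day;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH rapid connections"; flags: S,12; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE disabled rule"; sid:9000002; rev:1; fwsam: src, 1 day;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"SAMPLE RDP rapid connections"; flags: S,12; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000003; rev:1; fwsam: src, 1 day;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"SAMPLE POP3 rapid connections"; flags: S,12; threshold: type both, track by_src, count 30, seconds 120; classtype:attempted-admin; sid:9000004; rev:1;)
EOF
}

# Demo on the constructed sample. Against a real box you would run
#   check_rules_dir /etc/snort.d/rules/clearcenter 2
# (the path quoted in the thread; adjust the threshold to your rule set).
tmp=$(mktemp -d)
make_sample_rules "$tmp/sample.rules"
echo "with fwsam:    $(count_fwsam_rules "$tmp/sample.rules")"
echo "without fwsam: $(count_nonfwsam_rules "$tmp/sample.rules")"
list_missing_fwsam "$tmp"
check_rules_dir "$tmp" 2 && echo "OK: blocking rules present" || echo "WARNING: too few fwsam-tagged rules"
rm -rf "$tmp"
```

Run after each signature update (or from cron, as the weekly test script in the thread is) and page on a non-zero exit. A raw grep for fwsam: also matches rules that are commented out, which is why the functions first select lines that begin with alert; a disabled rule with the tag is no better than an enabled one without it.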
  • P Jones
    Saturday, April 30 2016, 12:21 AM - #Permalink
    OK, if I roll back the clearcenter snort rules and the snortsam clearcenter-whitelist.conf file to the March 24 update, the Blocked List starts showing blocked IPs almost immediately, and so does the /var/log/snortsam log.