Does anyone here have any documentation on how to implement IDS on ClearOS 7.3? I already installed Intrusion Detection (from the Marketplace), but it didn't produce any alerts despite brute-force attacks and port scans. The configuration that I have implemented is as follows:

Attacker (Kali Linux) <----> firewall (ClearOS as gateway) <----> WebServer (Ubuntu Server)

So, here I want to secure web servers from attack with IDS and IPS ClearOS.

How should I configure it? How can I view the log file?

Thank you for your help.
Sunday, May 24 2020, 02:40 PM
Accepted Answer

Monday, May 25 2020, 08:41 PM
Hello and welcome to ClearOS.

The IDS/IPS on ClearOS is quite weak if you do not subscribe to the additional rule updates as it just uses the free publicly released rules which are covered by the GPL. If you subscribe to the updates (included with some subscriptions, please check), it becomes more powerful.

If pen testing with Kali, please understand the Red Hat way of working, where they stick with a particular software release and then backport security fixes. You may see plenty of warnings that apache/httpd 2.4.6 is (massively) out of date and has plenty of security vulnerabilities, but it does not. If you look at each of the vulnerabilities it is supposed to have and then do an "rpm -q --changelog httpd" or "rpm -q --changelog httpd | grep -i cve", you will see all the CVEs fixed. The same goes for php.

Another issue you may see is the ciphers supported for httpd. It is easy to change, but, mid-release we tend not to as it could break client systems.

Log files are /var/log/snort/syslog and /var/log/snortsam.
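The backport check the answer above describes (compare a scanner's banner-based CVE list against the package changelog) is easy to get wrong by eye when a changelog has hundreds of entries. The script below is an added example for this thread, not ClearOS or Red Hat code: it reads `rpm -q --changelog` output on stdin, extracts every CVE identifier case-insensitively (the same reason the answer suggests `grep -i`), and reports which of the CVEs you pass on the command line are named and in which package release. The embedded sample changelog is constructed for illustration; its `CVE-9999-xxxx` identifiers and `2.4.6-9x` releases are deliberately impossible placeholders, not real httpd entries.

```python
"""Check which scanner-reported CVEs are named in an RPM changelog.

Added example for this thread (not ClearOS code). Red Hat based systems keep
the upstream version number (httpd 2.4.6) and backport fixes, so a banner
based scanner finding has to be checked against the package changelog:

    rpm -q --changelog httpd | python3 check_backports.py CVE-YYYY-NNNN ...
"""
import re
import sys

# Changelog entries are written by hand; some say "cve-" in lower case,
# which is why the thread suggests "grep -i".
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def cves_in_changelog(changelog):
    """Return the set of CVE identifiers (upper-cased) named anywhere in the text."""
    return {m.upper() for m in CVE_RE.findall(changelog)}


def classify(changelog, reported):
    """Map each reported CVE to 'fixed' (named in the changelog) or 'unconfirmed'."""
    fixed = cves_in_changelog(changelog)
    return {c.upper(): ("fixed" if c.upper() in fixed else "unconfirmed")
            for c in reported}


def fix_release(changelog, cve):
    """Return the package release from the '* ...' header of the first entry that
    names cve, or None. Headers end in ' - <version-release>' in rpm's format."""
    cve = cve.upper()
    release = None
    for line in changelog.splitlines():
        if line.startswith("* "):
            release = line.rsplit(" - ", 1)[-1].strip() if " - " in line else None
        elif cve in {m.upper() for m in CVE_RE.findall(line)}:
            return release
    return None


# Constructed sample in "rpm -q --changelog" layout. CVE-9999-* and the
# 2.4.6-9x releases are impossible placeholders, not real httpd entries.
SAMPLE_CHANGELOG = """\
* Tue Jan 01 2019 Example Packager <packager@example.invalid> - 2.4.6-99
- Resolves: #9999001 - CVE-9999-0001 placeholder: fix in a module
- Resolves: #9999002 - cve-9999-0002 placeholder: fix in core

* Mon Jan 01 2018 Example Packager <packager@example.invalid> - 2.4.6-98
- Resolves: #9999003 - CVE-9999-0003 placeholder
"""


def main(argv):
    reported = argv[1:]
    if not reported:
        sys.stderr.write("usage: rpm -q --changelog PKG | %s CVE-YYYY-NNNN ...\n" % argv[0])
        return 2
    changelog = sys.stdin.read()
    for cve, status in classify(changelog, reported).items():
        rel = fix_release(changelog, cve)
        suffix = " (changelog entry for %s)" % rel if rel else ""
        print("%s: %s%s" % (cve, status, suffix))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Compare the reported release with `rpm -q httpd` to confirm the installed build is at or past it. "unconfirmed" is not proof of exposure: the fix may predate the oldest retained changelog entry, the entry may cite only a Bugzilla number, or the CVE may not apply to the vendor's build at all, so cross-check against the vendor errata before reporting it.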
Responses (4)
  • Thursday, May 28 2020, 01:42 PM
    I have no recommendations for remote logging. If the logs in ClearOS use rsyslog (anything in messages, system, secure, mail and some others), you could possibly leverage rsyslog, which can be set up to receive or send logs externally. Snort (IDS) uses rsyslog. I am not so sure about snortsam (IPS).
  • Thursday, May 28 2020, 01:08 PM
    Thank you for the information, Mr. Nick. I have tried to update the ClearOS' IDS ruleset and everything is going well. Regarding IDS logging, is it possible if I use SIEM or network monitoring tools to monitor ClearOS' IDS logs? Do you have any recommendations or documentation?
  • Tuesday, May 26 2020, 01:24 PM
    That is not quite what I said. The free IDS/IPS rules are open source and have been included, but they are old and not too effective. You are welcome to add rules from anywhere, and it is quite possible to add the Emerging Threats rules. There used to be a thread on the forum showing how to do it and keep it updated. If you don't want to do that yourself, then ClearOS can provide updates, but at a cost. They have to get their money from somewhere!

    I presume the IDS logging has never been added to the Events system. I can add an enhancement request for this. If you can program, feel welcome to submit a patch.
  • Tuesday, May 26 2020, 12:56 PM
    Thank you for the reply. As you have said, I need to subscribe first to be able to use the full features of IDS / IPS on ClearOS. Therefore, is there no way that ClearOS can detect more attacks without subscribing? Like changing the rules available at /etc/snort.d/rules/gpl? I previously thought ClearOS was one of the Open Source firewalls but didn't think that most of its IDS and IPS functions could only work when we paid for it.

    In addition, I managed to see the detected attacks by looking at the logs in /var/log/snort/syslog. However, why doesn't ClearOS put those attacks in the warning / critical events?
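Two of the replies above point the same way: the alerts are already in /var/log/snort/syslog, and anything that goes through rsyslog can be shipped to a SIEM, but nothing on the box turns them into warning/critical events. The script below is an added example for this thread, not ClearOS code. It parses Snort's `alert_syslog` line layout (`[gid:sid:rev] msg [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]`), maps Snort priority 1 to "critical" and 2 to "warning" (that mapping is this example's choice, not a ClearOS convention), and rolls alerts up per source host so a port sweep followed by a brute-force attempt from one address stands out. The sample log lines are constructed: the addresses are RFC 5737 documentation ranges and the SIDs are in the local-rule range (1000000+), not real GPL or ET rules.

```python
"""Parse Snort alerts from /var/log/snort/syslog and roll them up per source host.

Added example for this thread (not ClearOS code). Assumes Snort's alert_syslog
line layout; IPv4 endpoints only (the port split is on the last colon).
"""
import sys

import re

ALERT_RE = re.compile(
    r"snort\[\d+\]:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Snort priority -> event wording. Priority 1 is the most severe; this
# mapping is the example's own choice, not a ClearOS convention.
SEVERITY = {1: "critical", 2: "warning"}


def split_endpoint(endpoint):
    """'198.51.100.20:22' -> ('198.51.100.20', 22); ICMP has no port -> (ip, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return endpoint, None


def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    prio = int(m["prio"])
    src, sport = split_endpoint(m["src"])
    dst, dport = split_endpoint(m["dst"])
    return {
        "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
        "msg": m["msg"], "classification": m["cls"], "priority": prio,
        "severity": SEVERITY.get(prio, "info"), "proto": m["proto"].upper(),
        "src": src, "sport": sport, "dst": dst, "dport": dport,
    }


def summarize(text):
    """Per source IP: alert counts by severity, distinct SIDs and (dst, port) targets."""
    per_src = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        e = per_src.setdefault(a["src"], {"alerts": 0, "critical": 0, "warning": 0,
                                          "info": 0, "sids": set(), "targets": set()})
        e["alerts"] += 1
        e[a["severity"]] += 1
        e["sids"].add(a["sid"])
        e["targets"].add((a["dst"], a["dport"]))
    return per_src


# Constructed sample lines in alert_syslog layout; SIDs are local-range
# placeholders and the IPs are documentation addresses, not real traffic.
SAMPLE_LOG = """\
May 24 14:40:01 gateway snort[2210]: [1:1000001:1] LOCAL SCAN ping sweep [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.20
May 24 14:40:02 gateway snort[2210]: [1:1000001:1] LOCAL SCAN ping sweep [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.10 -> 198.51.100.21
May 24 14:41:07 gateway snort[2210]: [1:1000002:1] LOCAL SSH brute-force attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51234 -> 198.51.100.20:22
May 24 14:41:09 gateway snort[2210]: [1:1000003:1] LOCAL noise rule [Priority: 3] {UDP} 203.0.113.7:5353 -> 198.51.100.20:5353
May 24 14:42:00 gateway systemd[1]: Started Session 12 of user root.
"""


def main(argv):
    # Default path is the one named in the thread; pass "-" to use the sample.
    path = argv[1] if len(argv) > 1 else "/var/log/snort/syslog"
    text = SAMPLE_LOG if path == "-" else open(path, encoding="utf-8", errors="replace").read()
    for src, e in sorted(summarize(text).items(), key=lambda kv: -kv[1]["critical"]):
        print("%-15s alerts=%d critical=%d warning=%d info=%d sids=%s targets=%d"
              % (src, e["alerts"], e["critical"], e["warning"], e["info"],
                 sorted(e["sids"]), len(e["targets"])))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the alerts already pass through rsyslog, the same parsing can run on the SIEM side after forwarding the file; the per-source roll-up is the part a SIEM cannot do from a raw banner match, and the "critical" count is what you would raise as an event. Snort priority is the rule author's opinion, so treat it as a triage hint and look at the SIDs before paging anyone.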