Administrator
|
If you don't have a certain device or application, you should not be running the rules for them. Here are a few that I have gone through. Just add them to your exclude rules list. Feel free to verify these and add other categories for others.

SymbOS 2012782 2012783 2012784 2012844 2012845 2012846 2012847 2012850 2012851 2012852 2012853 2012854 2012858 2012859 2012861 2012862 2012863 2012864 2012904 2013140 2013141 2013142 2013143 2013261 2013265 2013266 2017477 2017572
iOS 2014406 2019174 2019175 2019331 2019332 2019333 2019334 2020363 2020364 2021737 2021738 2021900 2021901 2019664
Drupal 2019422 2019423 2019424 2019425 2019426 2019427 2019428 2019429 2019430 2019431 2019432 2019433 2019434 2019435 2019436 2019437 2019438 2019439 2019440 2019441 2019442 2019443 2019444 2019445 2019446 2019447 2019448 2019449 2019450 2019451 2019452 2019453 2016098 2016099
D-Link ip cameras 2019801 2019802 2019803
Joomla 2018288 2018289 2022261 2022263 2022268
SMTP 2014827 2014828 2014829 2018314 2018308 2018309 2018310 2018311 2018312 2018490 2018853 2019406 2019407 2019408 2019409 2019410 2019411
iTunes 2018303 2018304 2018305
Silverlight 2017731 2017732 2017848 2017958 2017963 2017995 2017996 2017997 2018226 2018409 2018498 2018955 2018991 2019097 2019099 2019167 2019184 2019623 2019624 2019658 2019668 2019669 2019917 2020317 2020982 2021045 2018161 2018236 2018237 2018298 2018402 2018472 2017810
Blackberry 2013138
Quicktime 2003326 2003327 2007703 2007704 2012806
ScreenOS 2022291
Linksys router 2018136 2003072 2011669 2018156 2018157 2018158 2018159 2018160 2020858 2020879 2018131 2018132 2018155 2022758
Supermicro 2018585 2018586 2018587 2018588
Netgear 2017631 2017632 2017969 2021944 2020859 2020874
Asus 2020862 2020863 2020871
TP-Link 2020856 2020872 2020878 2020880
Fritzbox 2020867 2020868
Belkin 2019686 2020857 2020875
Tenda 2017623 2017624 2020876
Motorola 2020861
D-Link 2017590 2020873 2022518
Experimental 2007646 2003180
WinXP 2003586 2018229
Win98 2014562
POP3 2017546
IMAP 2008063
Telnet OSX 2021548 2021984 2014596 2014522 2014523 2014524 2014525 2014534 2017525 2019136 2019660 2019661 2019662 2019663 2019665 2019666 2019667 2019740 2019731 2019718 2022598 2022599 2022600 2022601 2022716 2022717 2022718 2022719
Debian 2016716 2016717 2016718 2016719
Ubuntu 2019418
Solaris 2000049 2001780 2003411 2003412 2100571
MySQL 2022579 2022580 2022581 2001988 2015975 2015992 2015995 2015996
Dameware 2022712
Quanta LTE router 2022698 2022699 2022700 2022701
Lastpass 2022989 2022374 2022989
Bank of Oklahoma 2022978 2022979
Dropbox 2022967
Oracle 2002886 2002887 2002888 2010375 2012101 2012085 2012100
IIS 2101487 2101018 2101402 2101046
bind9 2021572 2021573 2021574 2021575
fireeye 2021756 2022554
trendmicro 2003434 2007584
fortigate 2023075
cisco 2000005 2023070 2023071 2023086 2023311 2021785
iphone 2013019 2023240 2023093 2023093 2023094 2023095 2023096 2023097 2023098 2023099 2023100 2023101 2023102 2023103 2023104 2023105 2023106 2023107 2023108 2023109 2023110 2023111 2023112 2023113 2023114 2023115 2023116 2023117 2023118 2023119 2023120 2023121 2023122 2023123 2023124 2023125 2023126 2023127 2023128 2023129 2023130 2023131 2023132 2023133 2023134 2023136 2018042
hikvision 2018343 2018344
visio 2012153 2013322
mac 2019144 2007650 2008955 2012959 2013062 2014638 2014597 2014598
ADSL router 2020487 2020488 2017638
Shuttletech router 2020486
Seagate NAS 2020583
AOL 2015910 2017750 2021322
Yahoo 2015911 2017751 2021323 2021540 2021892
York bank 2015983
Zyxel 2018232
IE 2017131 2016640 2019773 2019774 2019775 2019792 2019793 2019794 2019795 2019796 2019797 2019799 2019806 2019733 2019734 2019735 2021713 2022797 2000514 2016897 2010799 2011472 2011891 2013251 2013252 2014463 2014911 2015711 2015712 2017133 2017129 2017130 2017478 2017479 2017480 2017704 2017705 2017708 2017709 2018147 2019706 2019715 2019730 2019732 2020099 2021709 2022523 2017694
Attack-response 2009146 2009147 2009149 2009244 2009245 2000499 2000500 2000501 2000502 2000503 2000504 2000505 2000506 2000507 2000508 2007715 2007717 2007723 2002809 2002810 2002811 2003464 2003465 2007725 2007726 2009210 2009211 2002034 2003071 2003149 2003150 2015993 2017121 2020506 2020507 2020508 2020509 2020510 2020511 2020512 2020513 2020514 2020515 2020516 2020517 2020518 2020519 2020520 2020521 2020522 2020523 2020524 2020525 2020526 2020527 2020528 2020529 2020530 2020531 2020532 2020533 2020534 2020535 2020536 2020537 2020538 2020539 2020540 2020541 2020542 2020543 2020544 2020545 2020546 2020547 2020548 2020549 2020550 2020551 2020552 2020553 2020554 2101882 2100498 2101008 2101009 2101292 2101200 2100494 2100495 2100497 2101886 2101885 2101883 2101884 2101666 2100493
WinZip 2012052 2012053
Flash 2013065 2013137 2016391 2016784 2018029 2018091 2020895 2015809 2015810
Office 2017409 2017410 2017411 2017671 2017672 2017673 2017674 2017675 2017676 2017677 2017679 2017680 2017681 2017672 2017673 2011478
Bitcoin 2018279
IRC 2017055 2017056 2017057 2017058 2017059 2017318 2017319 2017321 2017322 2017323 2017665 2000345 2000347 2000348 2000350 2000351 2000352 2009172 2003302 2002029 2002030 2011162 2002032 2002384 2002386 2002363 2008123 2008124 2003603 2013225 2013247 2013451 2014439 2016768 2016849 2016949 2017283 2017284 2017285 2017286 2017287 2017288 2017289 2017290 2017291 2017292 2017303 2017395 2017716 2018482 2018483 2018484 2018675 2019326 2019327 2019354 2019471 2019486 2019509 2019921 2020836 2021872 2021873 2021874 2021875 2021876 2021877 2021878 2021879 2021880 2021881 2021882 2021883 2021912 2021913 2021914 2021915 2021916 2022064 2022189 2022190 2022655 2022656
ISAPI 2101242 2011243 2101245 2101244
Dell 2022134
Running the latest OpenWrt stable release
|
I added some of these to the exclude list, then did a save and apply, but after it finished processing, they were no longer listed. Is that normal? I could not find anything in the admin guide on this either.
Thanks. |
Administrator
|
I noticed that too. Sometimes I had to do it again.
Running the latest OpenWrt stable release
|
By putting them in one at a time, I got three rules into the exclude list, one rule per line. It won't take a 4th rule, however.
Any ideas? Is there an alternate way to do this? I do have PuTTY access, but am not at home in this system. |
Administrator
|
I just copied and pasted them in and that's when I noticed too that sometimes the list wouldn't persist after saving. Obviously a bug in the GUI because I put them in directly like you mentioned and didn't have that problem. The file is /etc/snort/rules/exclude.rules
Running the latest OpenWrt stable release
|
Thanks, editing it directly worked. Now they show up in the GUI too, and I did an apply... of course that wiped them all out again.
I put them back in directly and reset the shield. The file was empty after the Shield rebooted. So I put them back in, and rebooted, again the file was cleared. Am I missing something? |
/usr/lib/lua/luci/controller/snort.lua and /usr/lib/lua/luci/model/cbi/snort.lua are responsible for how LuCI works with the Services > IPS section.
In the cbi/snort.lua this is the code for the exclusion tab:

.....
--------------------- Exclude Rules Tab ------------------------
-- (fs is assumed to be required earlier in the file, e.g. local fs = require "nixio.fs")
config_file5 = s:taboption("tab_rules", TextValue, "text4", "")
config_file5.wrap = "off"
config_file5.rows = 25
config_file5.rmempty = false

-- Load the current exclude list into the textarea
function config_file5.cfgvalue()
    local uci = require "luci.model.uci".cursor_state()
    file = "/etc/snort/rules/exclude.rules"
    if file then
        return fs.readfile(file) or ""
    else
        return ""
    end
end

-- Write the textarea back (CRLF normalised to LF) and restart snort
function config_file5.write(self, section, value)
    if value then
        local uci = require "luci.model.uci".cursor_state()
        file = "/etc/snort/rules/exclude.rules"
        fs.writefile(file, value:gsub("\r\n", "\n"))
        luci.sys.call("/etc/init.d/snort restart")
    end
end
.....

but the code looks clean and similar to the code used for the custom rules, threshold config etc.
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1
|
Just discovered that this script, /etc/snort/rules/exclude_rules.sh, parses the exclude.rules contents against the currently loaded snort.rules file and removes entries.

#!/bin/bash
EXCLUDE_RULES=/etc/snort/rules/exclude.rules
SNORT_RULES=/etc/snort/rules/snort.rules

# Remove all blank lines
sed -i '/^$/d' $EXCLUDE_RULES

# Remove all non-numeric entries
# (any line containing a non-digit, trailing whitespace included, is dropped whole)
sed -i '/[^0-9]/d' $EXCLUDE_RULES

# Delete every rule whose sid matches a remaining entry
while read -r line || [[ -n "$line" ]]; do
    sed -i '/sid:'$line'/d' $SNORT_RULES
done < $EXCLUDE_RULES |
To make the web GUI accept the list, I just had to remove the hidden trailing spaces after each number.
It worked without a problem |
Dang, great insight! That worked for me as well. Now the entries stick around.
|
In reply to this post by stangrunner
Hi,
just modified the script so it removes all blank space from the list, seems to work OK:

#!/bin/bash
EXCLUDE_RULES=/etc/snort/rules/exclude.rules
SNORT_RULES=/etc/snort/rules/snort.rules

# Remove all blanks so gui accepts list properly (added by roadrunnere42)
# Needs -i to edit in place, and has to run before the non-numeric filter
# below, otherwise a line with a trailing space still matches [^0-9] and is dropped whole.
sed -i -r 's/\s//g' $EXCLUDE_RULES

# Remove all blank lines
sed -i '/^$/d' $EXCLUDE_RULES

# Remove all non-numeric entries
sed -i '/[^0-9]/d' $EXCLUDE_RULES

# Delete every rule whose sid matches a remaining entry
while read -r line || [[ -n "$line" ]]; do
    sed -i '/sid:'$line'/d' $SNORT_RULES
done < $EXCLUDE_RULES

Hans, maybe worth putting into hotfixes.
roadrunnere42 |
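As an added example (not the Shield's exclude_rules.sh and not code posted in this thread), the following POSIX shell script reproduces the trailing-whitespace bug on constructed files and then runs the corrected sanitising order from the post above, so the effect of the two orderings can be compared side by side. The snort.rules and exclude.rules contents are constructed: the rule bodies are placeholders and the SIDs are taken from the SymbOS list earlier in this thread. It replaces `sed -i` with a temp-file helper (assumed here so it also runs on BSD sed) and anchors the sid pattern on the trailing `;`, which neither posted version does.

```shell
#!/bin/sh
# Added example, not the Shield's exclude_rules.sh: reproduces the trailing-
# whitespace bug discussed above and shows the corrected sanitising order.
# It only touches constructed files in a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXCLUDE_RULES="$WORK/exclude.rules"
SNORT_RULES="$WORK/snort.rules"

# Portable stand-in for 'sed -i' (GNU and busybox accept -i, BSD sed does not).
sed_inplace() {
    _f=$1; shift
    sed "$@" "$_f" > "$_f.tmp" && mv "$_f.tmp" "$_f"
}

# Constructed rule set: three SIDs taken from the SymbOS list in this thread
# plus one unrelated one; the rule bodies are placeholders, not ET content.
make_fixtures() {
    printf '%s\n' \
        'alert tcp any any -> any any (msg:"placeholder A"; sid:2012782; rev:1;)' \
        'alert tcp any any -> any any (msg:"placeholder B"; sid:2012783; rev:1;)' \
        'alert tcp any any -> any any (msg:"placeholder C"; sid:2012784; rev:1;)' \
        'alert tcp any any -> any any (msg:"placeholder D"; sid:2022134; rev:1;)' \
        > "$SNORT_RULES"
    # Exclude list the way a browser textarea can hand it over: a trailing
    # space on the first SID, CRLF endings on the first two, a blank last line.
    printf '2012782 \r\n2012783\r\n2012784\n\n' > "$EXCLUDE_RULES"
}

# The original order: drop blank lines, then drop any line containing a
# non-digit. A trailing space or CR makes the whole line match [^0-9], so the
# SID vanishes, which is exactly the "entries disappear" symptom.
sanitize_original() {
    sed_inplace "$EXCLUDE_RULES" -e '/^$/d'
    sed_inplace "$EXCLUDE_RULES" -e '/[^0-9]/d'
}

# Corrected order: strip every whitespace character (space, tab, CR) first,
# then remove empties and anything that is still non-numeric.
sanitize_fixed() {
    sed_inplace "$EXCLUDE_RULES" -e 's/[[:space:]]//g'
    sed_inplace "$EXCLUDE_RULES" -e '/^$/d'
    sed_inplace "$EXCLUDE_RULES" -e '/[^0-9]/d'
}

# Delete each excluded SID from the rule set. Anchoring on the trailing ';'
# keeps a short entry such as 201278 from also deleting sid:2012782.
apply_excludes() {
    while IFS= read -r line || [ -n "$line" ]; do
        sed_inplace "$SNORT_RULES" -e '/sid:'"$line"';/d'
    done < "$EXCLUDE_RULES"
}

# Runs one variant ("original" or "fixed") on fresh fixtures and prints
# "<SIDs that survived sanitising> <rules left in snort.rules>".
run_with() {
    make_fixtures
    "sanitize_$1"
    kept=$(wc -l < "$EXCLUDE_RULES" | tr -d ' ')
    apply_excludes
    left=$(wc -l < "$SNORT_RULES" | tr -d ' ')
    echo "$kept $left"
}

echo "original order: $(run_with original)   (1 3: two SIDs lost, only one rule removed)"
echo "fixed order:    $(run_with fixed)   (3 1: all three SIDs kept and their rules removed)"
```

Run it as `sh exclude_order_demo.sh`; the first line shows the lossy behaviour of the shipped ordering, the second the corrected one. The same whitespace stripping is also the check to apply to whatever the GUI writes into /etc/snort/rules/exclude.rules before the restart hook runs the script.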
Administrator
|
Thanks, the edit you added is doing what it's supposed to do, but I just tried it and the GUI still wasn't saving it, so there must be a bug somewhere else. Added directly to the file and it saved with no problems.
Running the latest OpenWrt stable release
|