Posted by
Grommish on
Jun 17, 2019; 2:27pm
URL: https://itus.accessinnov.com/FIRMWARE-Itus-Networks-Shield-Firmware-Upgrade-WIP-tp1726p1765.html
It seems that every time I get on a tear, the posts just come back and back.
First, I finally managed to get Snort to more or less work properly, although I'm reasonably sure it's just alerting, rather than dropping, matching packets. I'm sure there is a setting for that somewhere.
I didn't realize the map files were actually needed for things. Snort comes with gen_msg.map, but the sid_msg.map from ET was also needed - silly me..
Luckily, it seems to have fixed the detection issues for the most part. Of course, since I'm using ALL the rules, it picks up on more than just threats (which I was surprised to see). It's surprisingly difficult to trigger Snort when you're testing it 3 layers deep in a private network. NAT within NAT within NAT means not much is going to "go rogue" and hit the Shield.
First thing I tried was a DNS query on a questionable domain.
dig a 3wzn5p2yiumh7akj.onion
returned
06/17-14:07:59.466089 [**] [1:2014939:1] ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR [**] [Classification: Potential Corporate Privacy Violation] [Priori3
Then I did a
ping -b 255.255.255.255 -p "7569643d3028726f6f74290a" -c3
Which actually popped TWO alerts, because I had added it to local.rules before I got the sid-msg.map file in there
06/17-14:09:49.086335 [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.200 -> 255.255.255.255
06/17-14:09:49.086335 [**] [1:498:3] ATTACK RESPONSES id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.200 -> 255.255.255.255
So, that seemed to verify it was working. Then, I got the following, which was completely unexpected.
06/17-10:51:42.280977 [**] [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic0
Happened when my Ubuntu laptop went and did a Software Update. So, yeah, seems to be working (at least the detection part, and at least to Console).
And in case anyone is wondering, Snort is using both ALL the Emerging Threats AND the Snort Community rules AND my one local rule without issue..
19938 Snort rules read
19504 detection rules
153 decoder rules
281 preprocessor rules
19938 Option Chains linked into 533 Chain Headers
0 Dynamic rules
+++++++++++++++++++++++++++++++++++++++++++++++++++
+-------------------[Rule Port Counts]---------------------------------------
| tcp udp icmp ip
| src 3303 119 0 0
| dst 12093 2141 0 0
| any 2162 118 66 27
| nc 462 3 0 1
| s+d 59 35 0 0
+----------------------------------------------------------------------------
root@OpenWrt:/etc/snort# free
total used free shared buff/cache available
Mem: 970636 414548 501264 772 54824 518356
Swap: 0 0 0
root@OpenWrt:/etc/snort# uptime
14:13:58 up 17:47, load average: 0.00, 0.00, 0.00
root@OpenWrt:/etc/snort#
I have no preprocessors, no so_rules, no reputation monitor, and it's not running inline. These are just straight-up .rules files. (I'd love to get the rest of it working, if I understood what they did and how to do it).
****
Issue 2:
I saw on the Itus firmware they used e2guardian to web-filter. Is this something we want to put back in? I included it, or at least tried to, on a local build. It says it put it in there, but I'll be damned if I can find it. I was looking at the fw_update file Gnomad mentioned and saw that the site restrictions were being updated by it, so I thought I'd ask.
****
Issue 3:
Anyone know Lua who wants to try and make a LuCI page for Snort/e2guardian rules as far as active/updated? I doubt anyone, including me, wants to use the ET all ruleset. I can work with you on the directory structure and we could include all of the individual files. Perhaps the LuCI page can let you toggle which rule files you want to use (read from the directory) and then update a .conf file (which we can call from the main snort.conf). This allows granularity for each user. But I don't know Lua, so.....
Running Itus Shield v2 Firmware
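The post above hit two problems in one go: a sid-msg.map that did not cover a local rule, and a rule set large enough that nobody wants to hand-maintain the map. The script below is an added example (it is not code from the post, from Itus, or from the Snort project) that parses Snort 2.x .rules text into a sid -> msg/rev/reference table, renders it in the sid-msg.map v1 layout (`sid || msg || ref || ref ...`), and then checks a fast-format alert log for sids that have no entry. The rule lines, sids and reference URLs in SAMPLE_RULES are constructed for the example and are not the ET or Snort Community rules; the second alert line in SAMPLE_ALERTS is the one from the post, used here to show a sid the constructed map does not cover.

```python
import re

# Constructed sample rule file (illustrative sids, msgs and URLs; not the ET
# or Snort Community rules). '#' lines are disabled rules and must be skipped.
SAMPLE_RULES = r'''
# local.rules (constructed for this example)
alert ip any any -> any any (msg:"LOCAL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL POLICY DNS query for .onion domain"; content:"|05|onion|00|"; nocase; reference:url,example.invalid/onion; classtype:policy-violation; sid:1000002; rev:2;)
#alert tcp any any -> any any (msg:"LOCAL disabled rule"; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL POLICY APT User-Agent; semicolon inside msg"; content:"User-Agent|3a| Debian APT-HTTP"; http_header; reference:url,example.invalid/apt; classtype:not-suspicious; sid:1000004; rev:3;)
'''

# Fast-alert lines: first one constructed to match sid 1000001 above, second
# one is the GPL alert from the post, whose sid is not in SAMPLE_RULES.
SAMPLE_ALERTS = '''06/17-14:09:49.086335 [**] [1:1000001:1] LOCAL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.200 -> 255.255.255.255
06/17-14:09:49.086335 [**] [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {ICMP} 10.10.10.200 -> 255.255.255.255
'''

# action + header (no parentheses) + "(" option body ")"
RULE_RE = re.compile(r'^(alert|log|pass|drop|reject|sdrop)\b[^(]*\((.*)\)\s*$')
# "[**] [gid:sid:rev]" as printed by Snort's fast alert output
ALERT_ID_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\]')


def split_options(body):
    """Split a rule option body on ';' outside double quotes.

    A plain body.split(';') breaks on msg strings and pcre bodies that
    contain ';', so quotes and backslash escapes are tracked by hand.
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rules(text):
    """Return {sid: {'gid', 'rev', 'msg', 'classtype', 'refs'}} for active rules."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank or disabled rule
        m = RULE_RE.match(line)
        if not m:
            continue  # not a rule line (e.g. a 'var' or 'include')
        info = {'gid': 1, 'rev': 0, 'msg': '', 'classtype': '', 'refs': []}
        sid = None
        for opt in split_options(m.group(2)):
            key, _, val = opt.partition(':')
            key, val = key.strip(), val.strip()
            if key == 'sid':
                sid = int(val)
            elif key == 'gid':
                info['gid'] = int(val)
            elif key == 'rev':
                info['rev'] = int(val)
            elif key == 'msg':
                info['msg'] = val.strip('"')
            elif key == 'classtype':
                info['classtype'] = val
            elif key == 'reference':
                info['refs'].append(val)
        if sid is not None:
            rules[sid] = info
    return rules


def sid_msg_map_v1(rules):
    """Render sid-msg.map v1 lines: 'sid || msg || ref || ref ...'."""
    return [' || '.join([str(sid), rules[sid]['msg']] + rules[sid]['refs'])
            for sid in sorted(rules)]


def unmapped_alert_sids(alert_text, rules):
    """Sids (gid 1) seen in fast-format alerts that have no parsed rule, i.e.
    the ones that would show without message text wherever sid-msg.map is used."""
    missing = set()
    for m in ALERT_ID_RE.finditer(alert_text):
        gid, sid = int(m.group(1)), int(m.group(2))
        if gid == 1 and sid not in rules:
            missing.add(sid)
    return sorted(missing)


if __name__ == '__main__':
    parsed = parse_rules(SAMPLE_RULES)
    print('\n'.join(sid_msg_map_v1(parsed)))
    print('alert sids with no map entry:', unmapped_alert_sids(SAMPLE_ALERTS, parsed))
```

To use it against a real rule directory, feed parse_rules the concatenated contents of every .rules file that snort.conf includes and write the sid_msg_map_v1 output to the sid-msg.map path named in the config; run unmapped_alert_sids over the alert file after a test like the ping above to catch any rule (local or otherwise) the map does not cover.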