Bug 11544

Summary:	Guardian SnortPriorityLevel Not Working - Core116
Product:	IPFire	Reporter:	Douglas Charles Duckworth <dod2014>
Component:	---	Assignee:	Stefan Schantl <stefan.schantl>
Status:	CLOSED FIXED	QA Contact:
Severity:	Major Usability
Priority:	Will affect an average number of users	CC:	dod2014, matthias.fischer, michael.tremer, peter.mueller
Version:	2
Hardware:	unspecified
OS:	Unspecified
Attachments:	guardian

Description Douglas Charles Duckworth 2017-11-11 19:15:24 UTC

Created attachment 545 [details]
guardian

I have Guardian set to only block Snort Priority Level 1 alerts but it's blocking Level 2 as well.

Alert:

[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]
[Classification: Misc Attack] [Priority: 2] 
11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569
TCP TTL:246 TOS:0x28 ID:53722 IpLen:20 DgmLen:40
******S* Seq: 0xFBE35F5A  Ack: 0x0  Win: 0x400  TcpLen: 20
[Xref => http://feeds.dshield.org/block.txt]

syslog:

Nov 11 12:18:49 ipfire guardian[3955]: <info> Blocking 77.72.82.7 for 86400 seconds... 

/var/ipfire/guardian/guardian.conf:

# Autogenerated configuration file.
# All user modifications will be overwritten.

# Log settings.
LogFacility = syslog
LogLevel = info

# IPFire related settings.
FirewallEngine = IPtables
SocketOwner = nobody:nobody
IgnoreFile = /var/ipfire/guardian/guardian.ignore

# Configured block settings.
BlockCount = 1
BlockTime = 86400
FirewallAction = DROP

# Enabled modules.
Monitor_SSH = /var/log/messages
Monitor_SNORT = /var/log/snort/alert
Monitor_HTTPD = /var/log/httpd/error_log

# Module settings.
SnortPriorityLevel = 1

Does anyone know of a fix?

Comment 1 Matthias Fischer 2017-11-13 22:30:23 UTC

Hi,

I took a quick look at the sources and found this in '/usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm' (line 111-116):

...
# Loop through all lines of the current alert.
foreach my $line (@alert) {
	# Check Priority Level and skip the alert if it is to low.
	#if ($line =~ /.*\[Priority: (\d+)\].*/) {
	#return unless($1 < $priority);
	#}
...

The IMHO critical lines are commented.

Intentional?

Best,
Matthias

Comment 2 Douglas Charles Duckworth 2017-11-15 00:57:53 UTC

Hi

I don't know why this would be commented out since Guardian has a feature to skip alerts based upon threshold.

Comment 3 Douglas Charles Duckworth 2017-11-15 01:02:26 UTC

After removing comments:

user@ipfire[~]$ sudo /etc/init.d/guardian start
Starting Guardian...

Global symbol "$priority" requires explicit package name at /usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm line 115.
Compilation failed in require at /usr/sbin/guardian line 35.

Comment 4 Stefan Schantl 2018-06-27 19:16:23 UTC

Fixed by commit:

https://git.ipfire.org/?p=people/stevee/guardian.git;a=commit;h=df8eb30562ceedfe3c042b1c124b308e6b317d42