Bug 11544

Summary: Guardian SnortPriorityLevel Not Working - Core116
Product: IPFire Reporter: Douglas Charles Duckworth <dod2014>
Component: ---Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED FIXED QA Contact:
Severity: Major Usability    
Priority: Will affect an average number of users CC: dod2014, matthias.fischer, michael.tremer, peter.mueller
Version: 2   
Hardware: unspecified   
OS: Unspecified   
Attachments: guardian

Description Douglas Charles Duckworth 2017-11-11 19:15:24 UTC
Created attachment 545 [details]
guardian

I have Guardian set to only block Snort Priority Level 1 alerts but it's blocking Level 2 as well.

Alert:

[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]
[Classification: Misc Attack] [Priority: 2] 
11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569
TCP TTL:246 TOS:0x28 ID:53722 IpLen:20 DgmLen:40
******S* Seq: 0xFBE35F5A  Ack: 0x0  Win: 0x400  TcpLen: 20
[Xref => http://feeds.dshield.org/block.txt]

syslog:

Nov 11 12:18:49 ipfire guardian[3955]: <info> Blocking 77.72.82.7 for 86400 seconds... 

/var/ipfire/guardian/guardian.conf:

# Autogenerated configuration file.
# All user modifications will be overwritten.

# Log settings.
LogFacility = syslog
LogLevel = info

# IPFire related settings.
FirewallEngine = IPtables
SocketOwner = nobody:nobody
IgnoreFile = /var/ipfire/guardian/guardian.ignore

# Configured block settings.
BlockCount = 1
BlockTime = 86400
FirewallAction = DROP

# Enabled modules.
Monitor_SSH = /var/log/messages
Monitor_SNORT = /var/log/snort/alert
Monitor_HTTPD = /var/log/httpd/error_log

# Module settings.
SnortPriorityLevel = 1

Does anyone know of a fix?
Comment 1 Matthias Fischer 2017-11-13 22:30:23 UTC
Hi,

I took a quick look at the sources and found this in '/usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm' (line 111-116):

...
# Loop through all lines of the current alert.
foreach my $line (@alert) {
	# Check Priority Level and skip the alert if it is to low.
	#if ($line =~ /.*\[Priority: (\d+)\].*/) {
	#return unless($1 < $priority);
	#}
...

The IMHO critical lines are commented.

Intentional?

Best,
Matthias
Comment 2 Douglas Charles Duckworth 2017-11-15 00:57:53 UTC
Hi

I don't know why this would be commented out since Guardian has a feature to skip alerts based upon threshold.
Comment 3 Douglas Charles Duckworth 2017-11-15 01:02:26 UTC
After removing comments:

user@ipfire[~]$ sudo /etc/init.d/guardian start
Starting Guardian...

Global symbol "$priority" requires explicit package name at /usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm line 115.
Compilation failed in require at /usr/sbin/guardian line 35.