11532 – Guardian does not block malicious destination IPs

Bug 11532 - Guardian does not block malicious destination IPs

Summary: Guardian does not block malicious destination IPs

Status:	CLOSED DUPLICATE of bug 10273

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	all All

Importance:	Will affect an average number of users Security
Assignee:	Stefan Schantl
QA Contact:	Peter Müller

URL:
Keywords:	Security

Depends on:	10273
Blocks:	IDSIPSBUGS
	Show dependency tree / graph

Reported:	2017-10-26 20:57 UTC by Peter Müller
Modified:	2018-07-11 18:47 UTC (History)
CC List:	1 user (show)

See Also:	10273 11761

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Peter Müller 2017-10-26 20:57:06 UTC

When accessing a malicious IP (tested with 37.120.189.254, which is listed as a C&C server in the Emerging Treats botcc ruleset) from a network behind IPFire (i.e. GREEN), snort triggers an alert:

Date: 10/26 20:40:01
Name: ET CNC Shadowserver Reported CnC Server TCP group 27
Priority: 1
Type: A Network Trojan was Detected
IP Info: 87.173.XXX.XXX:37687 -> 37.120.189.254:80
SID: 2404052
Refs: http://www.shadowserver.org, http://doc.emergingthreats.net/bin/view/Main/BotCC

However, since the source IP addres is the firewall itself, Guardian does nothing. The client is able to access the C&C IP.

Guardian should check if a snort alert is triggered because of the _destination_ IP. If yes, and it does not belong to the DNS servers or the machine's gateway, the destiation IP should be blocked.

I consider this bug being a security risk.

Comment 1 Peter Müller 2017-11-08 16:22:24 UTC

WIP, see: https://wiki.ipfire.org/devel/telco/2017-11-06

Comment 2 Peter Müller 2018-06-19 20:33:52 UTC

- ping -

Comment 3 Peter Müller 2018-07-11 18:47:10 UTC


*** This bug has been marked as a duplicate of bug 10273 ***