Bug 11532 - Guardian does not block malicious destination IPs
Summary: Guardian does not block malicious destination IPs
Status: CLOSED DUPLICATE of bug 10273
Alias: None
Product: IPFire
Classification: Unclassified
Component: ---
Version: 2
Hardware: All / OS: All
Importance: Will affect an average number of users / Security
Assignee: Stefan Schantl
QA Contact: Peter Müller
URL:
Keywords: Security
Depends on: 10273
Blocks: IDSIPSBUGS
Reported: 2017-10-26 20:57 UTC by Peter Müller
Modified: 2018-07-11 18:47 UTC

See Also:
Description Peter Müller 2017-10-26 20:57:06 UTC
When accessing a malicious IP (tested with 37.120.189.254, which is listed as a C&C server in the Emerging Threats botcc ruleset) from a network behind IPFire (i.e. GREEN), snort triggers an alert:

Date: 10/26 20:40:01
Name: ET CNC Shadowserver Reported CnC Server TCP group 27
Priority: 1
Type: A Network Trojan was Detected
IP Info: 87.173.XXX.XXX:37687 -> 37.120.189.254:80
SID: 2404052
Refs: http://www.shadowserver.org, http://doc.emergingthreats.net/bin/view/Main/BotCC

However, since the source IP address is the firewall itself, Guardian does nothing. The client is able to access the C&C IP.

Guardian should check if a snort alert is triggered because of the _destination_ IP. If yes, and it does not belong to the DNS servers or the machine's gateway, the destination IP should be blocked.

I consider this bug to be a security risk.
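The decision rule proposed in this report, worked through in Python as an added illustration (this is not Guardian's own code). The firewall, gateway and DNS addresses are constructed placeholders from documentation ranges; the parser assumes the IPv4 `addr:port -> addr:port` form of the alert quoted above.

```python
import ipaddress

# Constructed placeholders (documentation ranges): the firewall's RED address,
# and the addresses that must never be blocked (gateway, DNS server).
FIREWALL_IPS = {"203.0.113.5"}
PROTECTED_IPS = {"203.0.113.1", "198.51.100.53"}

# Constructed sample in the format quoted in the report; the destination is the
# C&C address named there, the source is the (NATed) firewall itself.
ALERT_OUTBOUND_CNC = """\
Date: 10/26 20:40:01
Name: ET CNC Shadowserver Reported CnC Server TCP group 27
Priority: 1
Type: A Network Trojan was Detected
IP Info: 203.0.113.5:37687 -> 37.120.189.254:80
SID: 2404052
Refs: http://www.shadowserver.org, http://doc.emergingthreats.net/bin/view/Main/BotCC
"""


def parse_alert(text):
    """Split a 'Key: value' alert block into a dict and extract src/dst IPs."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only: values may contain URLs
        if sep:
            fields[key.strip()] = value.strip()
    src, dst = (part.strip() for part in fields["IP Info"].split("->"))
    # Assumes IPv4 'addr:port'; ip_address() rejects anything malformed.
    fields["src_ip"] = str(ipaddress.ip_address(src.rsplit(":", 1)[0]))
    fields["dst_ip"] = str(ipaddress.ip_address(dst.rsplit(":", 1)[0]))
    return fields


def ip_to_block(alert, firewall_ips=FIREWALL_IPS, protected_ips=PROTECTED_IPS):
    """Return the address that should be blocked for this alert, or None."""
    src, dst = alert["src_ip"], alert["dst_ip"]
    if src not in firewall_ips:
        return None if src in protected_ips else src   # remote source tripped the rule
    # Source is the firewall itself, so the rule matched on the destination
    # (the case in this report). Block it unless it is the gateway, a DNS
    # server, or one of the firewall's own addresses.
    if dst in protected_ips or dst in firewall_ips:
        return None
    return dst


if __name__ == "__main__":
    alert = parse_alert(ALERT_OUTBOUND_CNC)
    print(f"SID {alert['SID']}: block {ip_to_block(alert)}")
```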
Comment 1 Peter Müller 2017-11-08 16:22:24 UTC
WIP, see: https://wiki.ipfire.org/devel/telco/2017-11-06
Comment 2 Peter Müller 2018-06-19 20:33:52 UTC
- ping -
Comment 3 Peter Müller 2018-07-11 18:47:10 UTC

*** This bug has been marked as a duplicate of bug 10273 ***