11544 – Guardian SnortPriorityLevel Not Working - Core116

Bug 11544 - Guardian SnortPriorityLevel Not Working - Core116

Summary: Guardian SnortPriorityLevel Not Working - Core116

Status:	CLOSED FIXED

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	unspecified Unspecified

Importance:	Will affect an average number of users Major Usability
Assignee:	Stefan Schantl
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2017-11-11 19:15 UTC by Douglas Charles Duckworth
Modified:	2018-06-27 19:16 UTC (History)
CC List:	4 users (show)

See Also:

Attachments
guardian (43.44 KB, image/png) 2017-11-11 19:15 UTC, Douglas Charles Duckworth	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Douglas Charles Duckworth 2017-11-11 19:15:24 UTC

Created attachment 545 [details]
guardian

I have Guardian set to only block Snort Priority Level 1 alerts but it's blocking Level 2 as well.

Alert:

[**] [1:2402000:4623] ET DROP Dshield Block Listed Source group 1 [**]
[Classification: Misc Attack] [Priority: 2] 
11/11-12:18:49.554499 77.72.82.7:53790 -> myip:4569
TCP TTL:246 TOS:0x28 ID:53722 IpLen:20 DgmLen:40
******S* Seq: 0xFBE35F5A  Ack: 0x0  Win: 0x400  TcpLen: 20
[Xref => http://feeds.dshield.org/block.txt]

syslog:

Nov 11 12:18:49 ipfire guardian[3955]: <info> Blocking 77.72.82.7 for 86400 seconds... 

/var/ipfire/guardian/guardian.conf:

# Autogenerated configuration file.
# All user modifications will be overwritten.

# Log settings.
LogFacility = syslog
LogLevel = info

# IPFire related settings.
FirewallEngine = IPtables
SocketOwner = nobody:nobody
IgnoreFile = /var/ipfire/guardian/guardian.ignore

# Configured block settings.
BlockCount = 1
BlockTime = 86400
FirewallAction = DROP

# Enabled modules.
Monitor_SSH = /var/log/messages
Monitor_SNORT = /var/log/snort/alert
Monitor_HTTPD = /var/log/httpd/error_log

# Module settings.
SnortPriorityLevel = 1

Does anyone know of a fix?

Comment 1 Matthias Fischer 2017-11-13 22:30:23 UTC

Hi,

I took a quick look at the sources and found this in '/usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm' (line 111-116):

...
# Loop through all lines of the current alert.
foreach my $line (@alert) {
	# Check Priority Level and skip the alert if it is to low.
	#if ($line =~ /.*\[Priority: (\d+)\].*/) {
	#return unless($1 < $priority);
	#}
...

The IMHO critical lines are commented.

Intentional?

Best,
Matthias

Comment 2 Douglas Charles Duckworth 2017-11-15 00:57:53 UTC

Hi

I don't know why this would be commented out since Guardian has a feature to skip alerts based upon threshold.

Comment 3 Douglas Charles Duckworth 2017-11-15 01:02:26 UTC

After removing comments:

user@ipfire[~]$ sudo /etc/init.d/guardian start
Starting Guardian...

Global symbol "$priority" requires explicit package name at /usr/lib/perl5/site_perl/5.12.3/Guardian/Parser.pm line 115.
Compilation failed in require at /usr/sbin/guardian line 35.

Comment 4 Stefan Schantl 2018-06-27 19:16:23 UTC

Fixed by commit:

https://git.ipfire.org/?p=people/stevee/guardian.git;a=commit;h=df8eb30562ceedfe3c042b1c124b308e6b317d42