Addons for Ipcop 1.4.16 [ These downloads work only on Ipcop 1.4.16 and higher ]
Guardian for Ipcop 1.4.16 v2.4.9.8 *new file*
Comments
Comments: 6 Registered: 28 Feb 2006 : 05:28 Location: VietNam, saigon | Doesn't look to have updated the ruleset, or is that just me?
Comments: 1 Registered: 26 Dec 2006 : 19:38 Location: Michigan | When trying to install the new version it says "Not Running IPCop 1.4.16", but I am running 1.4.18; how do I get it to install?
Comments: 245 Location: Helmbrechts, Germany | stf If you like my addons, feel free to donate some money. Even little amounts help to keep things going.
Comments: 21 Registered: 27 Feb 2008 : 02:23 | How to install guardian ipcop 1.4.16 … for IPCOP v1.4.18
Start with a fresh install of IPCOP v1.4.18. Have no other previous versions of guardian install attempts on the machine. The guardian install script may hang or fail if remnants of previous version installs exist.
tar -zxvf guardian_ipcop_1.4.16.tgz
Copy guardian_ipcop_1.4.16.tgz to /tmp/ ... must be extracted to this folder!!! ....extracted view ... /tmp/guardian
Comments: 21 Registered: 27 Feb 2008 : 02:23 | The problem is the version check ...
Download 1.4.15_7_Guardian 2.4.9.7 patch vv1b ... below http://mh-lantech.css-hamburg.de/ipcop/e107_plugins/forum/forum_viewtopic.php?4477.0#post_4480
... and replace the install script. ... you also have to edit the md5 "check" file so that it reads the right value for each file ... OR ... hack the install script yourself ...
REM out ("#") the version check ... REM out ("#") the MD5 check ... REM out ("#") the deleting of the install files after installation (not necessary … but maybe useful … to debug the other issues with this addon) (this addon has issues … and is not perfect … but it does work!)
Modify “install” so it reads …
#!/bin/bash
#
#####################################################################################################
#
# (c) Markus Hoffmann, 2004-open end
#
#####################################################################################################
#
# COPYRIGHT NOTICE for this Script
# Copyright 2005 Markus Hoffmann
# All Rights Reserved.
# EMail: [email]
# URL : [link]
#
# Anyone may use and modify this program free of charge, as long as this
# copyright notice and the remaining comments are preserved. By using this
# script you accept that Markus Hoffmann is released from any liability and
# warranty regarding its use.
#
#####################################################################################################
#
# Nothing in this script needs to be changed
#
#####################################################################################################
#
#
# Guardian for IpCop 1.4.16
#
# Original Mod was for Smoothwall
# and could be found here: [link]
#
# DATE : 29.10.2004
#
# modified 16.09.2005
#
# adapted for 1.4.15 ff (update from 1.4.11) 12.03.2007 Bernhard Bitsch
#
# version for 1.4.15 ff 24.04.2007 Bernhard Bitsch
#
# version for 1.4.16 17.09.2007 Bernhard Bitsch
#

# establish a suitable PATH ourselves
PATH=/usr/local/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
export PATH

##########
##################################################
##VERSION=`perl -e "require '/var/ipcop/general-functions.pl'; print \\$General::version;"`
##if [ "$VERSION" != "1.4.16" ]
##then
##  echo "Not running IPCop 1.4.16"
##  exit 1
##fi
##################################################
##########

#
# check if files extracted to tmp:
#
echo -e "check if files extracted to tmp\c" 2>&1 >/tmp/Guardian-install.log
if [ ! -d /tmp/guardian ] ; then
  echo "the file is not extracted to /tmp"
  echo "please extract guardian_ipcop_1.4.16.tgz in /tmp !"
  exit 1
fi
echo -e ".....ok\n">>/tmp/Guardian-install.log 2>&1

#
# check if files exist:
#
echo -e "check if files exist\c">>/tmp/Guardian-install.log 2>&1
if [ ! -f /tmp/guardian/install -o \
     ! -f /tmp/guardian/check -o \
     ! -f /tmp/guardian/files.tar.gz ] ; then
  echo "at least one of the following files is missing:"
  echo /tmp/guardian/install
  echo /tmp/guardian/check
  echo /tmp/guardian/files.tar.gz
  exit 1
fi
echo -e ".....ok\n">>/tmp/Guardian-install.log 2>&1

##########
############################################################
##
## check md5 sums
##
##echo -e "check md5-Sums\c">>/tmp/Guardian-install.log 2>&1
##md5sum -c /tmp/guardian/check >/tmp/guardian/test 2>&1
##WARNUNG=`cat /tmp/guardian/test|grep FAILED`
##if [ "$WARNUNG" ]
##then
##  echo
##  echo -e "\033[1;31mmd5-Summen nicht Ordnung, Dateien vermutlich beschaedigt, bitte neu herunterladen \033[0m"
##  echo
##  echo -e "\033[1;31mmd5-check failed, installation aborted. Please download again. \033[0m"
##  echo
##  grep -v "WARNING" /tmp/guardian/test
##  echo
##  exit 1
##else
##  echo
##  echo -e "\033[1;31mmd5-Summen in Ordnung\033[0m"
##  echo
##  echo -e "\033[1;31mmd5-check OK\033[0m"
##  echo
##  echo -e ".....ok\n">>/tmp/Guardian-install.log 2>&1
##fi
############################################################
##########

#
# backup ipblock file
#
if [ -e "/var/ipcop/guardian/ipblock/config" ]
then
  tar cfz /tmp/ipblock.tgz /var/ipcop/guardian/ipblock/config >/dev/null 2>&1
fi

#
# backup ignore file
#
if [ -e "/var/ipcop/guardian/settings/guardian.ignore" ]
then
  tar cfz /tmp/ignore.tgz /var/ipcop/guardian/settings/guardian.ignore >/dev/null 2>&1
fi

#
# backup target file
#
if [ -e "/var/ipcop/guardian/settings/guardian.target" ]
then
  tar cfz /tmp/target.tgz /var/ipcop/guardian/settings/guardian.target >/dev/null 2>&1
fi

#
# detect old version
#
if [ -x "/var/ipcop/guardian/bin/uninstall" ]
then
  if [ -e "/var/ipcop/guardian/settings/enable" ]
  then
    tar cfz /tmp/enable.tgz /var/ipcop/guardian/settings/enable >/dev/null 2>&1
  fi
  echo -e "Old version detected, uninstalling first\t\c"
  /var/ipcop/guardian/bin/uninstall >/dev/null 2>&1
  echo -e "Done"
fi

if [ -x "/var/log/home/guardian/bin/uninstall" ]
then
  echo -e "Installed version of Guardian too old! \n"
  echo -e " Try to uninstall manually. See /var/log/home/guardian/bin/uninstall \n"
  rm -f /tmp/target.tgz
  rm -f /tmp/ignore.tgz
  rm -f /tmp/ipblock.tgz
  exit
fi

#
# extract files
#
echo -e "extract files">>/tmp/Guardian-install.log 2>&1
tar xvfz files.tar.gz -C /tmp/guardian/>>/tmp/Guardian-install.log 2>&1
echo -e "\n">>/tmp/Guardian-install.log 2>&1

#
# write the red interface into the config
#
REDDEVICE=`cat /var/ipcop/red/iface` >>/tmp/Guardian-install.log 2>&1
sed -i -e s/DUMMY/$REDDEVICE/ guardian.conf >>/tmp/Guardian-install.log 2>&1
sed -i -e s/DUMMY/$REDDEVICE/ settings >>/tmp/Guardian-install.log 2>&1

#
# create directories
#
echo -e "creating directories\c">>/tmp/Guardian-install.log 2>&1
mkdir -p /var/ipcop/guardian >>/tmp/Guardian-install.log 2>&1
mkdir /var/ipcop/guardian/ipblock >>/tmp/Guardian-install.log 2>&1
mkdir /var/ipcop/guardian/settings >>/tmp/Guardian-install.log 2>&1
mkdir /var/ipcop/guardian/bin >>/tmp/Guardian-install.log 2>&1
mkdir /var/log/guardian >>/tmp/Guardian-install.log 2>&1
echo -e ".....ok\n">>/tmp/Guardian-install.log 2>&1

#
# copy files
#
echo -e "Installing files\t\t\t\t\c"
echo -e "copy files\c">>/tmp/Guardian-install.log 2>&1
cp /tmp/guardian/setipblock /usr/local/bin/ && chown root:nobody /usr/local/bin/setipblock && chmod 4750 /usr/local/bin/setipblock
cp /tmp/guardian/guardianctrl /usr/local/bin/ && chown root:nobody /usr/local/bin/guardianctrl && chmod 4750 /usr/local/bin/guardianctrl
cp /tmp/guardian/guardian.pl /var/ipcop/guardian/bin/ && chmod 755 /var/ipcop/guardian/bin/guardian.pl
ln -s /var/ipcop/guardian/bin/guardian.pl /usr/bin/
cp /tmp/guardian/guardian.conf /var/ipcop/guardian/settings/
cp /tmp/guardian/guardian.ignore /var/ipcop/guardian/settings/
cp /tmp/guardian/guardian.target /var/ipcop/guardian/settings/
cp /home/httpd/cgi-bin/ipinfo.cgi /home/httpd/cgi-bin/ipinfo.cgi.org
cp /tmp/guardian/*.cgi /home/httpd/cgi-bin/ && chmod 755 /home/httpd/cgi-bin/guardianlog.cgi && chmod 755 /home/httpd/cgi-bin/guardian.cgi && chmod 755 /home/httpd/cgi-bin/ipblockinfo.cgi && chmod 755 /home/httpd/cgi-bin/ipblock.cgi && chmod 755 /home/httpd/cgi-bin/ipinfo.cgi && chmod 755 /home/httpd/cgi-bin/country.cgi
cp /tmp/guardian/guard.log /var/log/guardian/
cp /tmp/guardian/guard.err /var/log/guardian/
cp /tmp/guardian/guardian.png /home/httpd/html/images/guardian.png
cp /tmp/guardian/snortupdateutility.js /home/httpd/html/include/snortupdateutility.js
cp /tmp/guardian/guardian.log /var/log/guardian/ && chown root.nobody /var/log/guardian/guard* && chmod 666 /var/log/guardian/guard*
cp /tmp/guardian/config /var/ipcop/guardian/ipblock/config && chmod 666 /var/ipcop/guardian/ipblock/config && chown root.nobody /var/ipcop/guardian/ipblock/config
cp /tmp/guardian/guardian.cron /var/ipcop/guardian/bin/ && chmod 755 /var/ipcop/guardian/bin/guardian.cron
cp /tmp/guardian/uninstall /var/ipcop/guardian/bin/ && chmod 755 /var/ipcop/guardian/bin/uninstall
cp /tmp/guardian/boot /var/ipcop/guardian/bin/boot && chmod 755 /var/ipcop/guardian/bin/boot
cp /tmp/guardian/update_geoip /usr/local/bin/ && chmod 755 /usr/local/bin/update_geoip
cp /tmp/guardian/settings /var/ipcop/guardian/settings/ && chmod 666 /var/ipcop/guardian/settings/settings
mv /tmp/guardian/sources /var/ipcop/guardian/sources
mv /tmp/guardian/license /var/ipcop/guardian/license
cp /tmp/guardian/lang/* /var/ipcop/addon-lang
perl -e "require '/var/ipcop/lang.pl'; &Lang::BuildCacheLang"
tar xfz /tmp/guardian/geoip.tar.gz -C / >/dev/null 2>&1
mv /tmp/guardian/flags /home/httpd/html/images/
cp /tmp/guardian/country_code.pl /var/ipcop/guardian/bin/ && chmod 755 /var/ipcop/guardian/bin/country_code.pl
touch '/var/log/guardian/restarts.log'
chown -R nobody:nobody /var/ipcop/guardian/settings
chown -R nobody:nobody /var/ipcop/guardian/ipblock
chown -R nobody:nobody /var/log/guardian
cp /home/httpd/cgi-bin/ids.cgi /home/httpd/cgi-bin/ids.cgi.org
echo -e ".....ok\n">>/tmp/Guardian-install.log 2>&1
echo -e "Done"

echo -e "Patching files\t\t\t\t\t\c"

# logrotate.conf
INSTALLED=`grep guardian /etc/logrotate.conf`
if [ "x$INSTALLED" == "x" ]
then
  cat /tmp/guardian/guardian >>/etc/logrotate.conf
fi

# ruleslist.conf
chmod 666 /etc/snort/ruleslist.conf
chown root:root /etc/snort/vars
chown nobody:nobody /var/ipcop/snort/settings
chmod 644 /etc/snort/vars
chmod 644 /var/ipcop/snort/settings
chmod 666 /etc/snort/rules/*

# ids.cgi
cp /tmp/guardian/ids.cgi_patched /home/httpd/cgi-bin/ids.cgi && chmod 755 /home/httpd/cgi-bin/ids.cgi >>/tmp/Guardian-install.log 2>&1

#
# restore files
#
if [ -e "/tmp/ignore.tgz" ]
then
  tar xfz /tmp/ignore.tgz -C / >/dev/null 2>&1
  rm -f /tmp/ignore.tgz
fi
if [ -e "/tmp/target.tgz" ]
then
  tar xfz /tmp/target.tgz -C / >/dev/null 2>&1
  rm -f /tmp/target.tgz
fi
if [ -e "/tmp/enable.tgz" ]
then
  tar xfz /tmp/enable.tgz -C / >/dev/null 2>&1
  rm -f /tmp/enable.tgz
fi
if [ -e "/tmp/ipblock.tgz" ]
then
  tar xfz /tmp/ipblock.tgz -C / >/dev/null 2>&1
  rm -f /tmp/ipblock.tgz
fi

#
# patch GUI files
#
/bin/cat /var/ipcop/header.pl | sed -e '/\/time.cgi/ r ipblock.header'>/tmp/header.pl
/bin/cp /tmp/header.pl /var/ipcop/header.pl
/bin/rm /tmp/header.pl

/bin/cat /var/ipcop/header.pl | sed -e '/\/ids.dat/ r log.header'>/tmp/header.pl
/bin/cp /tmp/header.pl /var/ipcop/header.pl
/bin/rm /tmp/header.pl

/bin/cat /etc/rc.d/rc.firewall.local | sed -e '/start)/ r /tmp/guardian/firewall.header'>/tmp/rc.firewall.local
/bin/cp /tmp/rc.firewall.local /etc/rc.d/rc.firewall.local
/bin/rm /tmp/rc.firewall.local

CRONINSTALLED=`grep Guardian /var/spool/cron/root.orig`
if [ "x$CRONINSTALLED" == "x" ]
then
  cat /var/spool/cron/root.orig | sed -e '/Added for Guardian/,/End Guardian/d'>/tmp/root.orig
  cp /tmp/root.orig /var/spool/cron/root.orig
  rm /tmp/root.orig
fi

echo '#Added for Guardian'>>/var/spool/cron/root.orig
echo '*/2 * * * * [ -e /var/ipcop/guardian/settings/enable ] && /var/ipcop/guardian/bin/guardian.cron'>>/var/spool/cron/root.orig
echo '#End Guardian'>>/var/spool/cron/root.orig
fcrontab -z >/dev/null 2>&1

/bin/cat /home/httpd/cgi-bin/status.cgi | sed -e '/...pluto../ r status3.header'>/tmp/status.cgi
/bin/cp /tmp/status.cgi /home/httpd/cgi-bin/status.cgi
/bin/rm /tmp/status.cgi

LOCALINSTALLED=`grep Guardian /etc/rc.d/rc.local`
if [ "x$LOCALINSTALLED" == "x" ]
then
  echo '#Added for Guardian'>>/etc/rc.d/rc.local
  echo 'echo "Starting Guardian (if enabled)"'>>/etc/rc.d/rc.local
  echo '/usr/local/bin/guardianctrl start'>>/etc/rc.d/rc.local
  echo '#End Guardian'>>/etc/rc.d/rc.local
fi

if [ ! -e "/home/httpd/cgi-bin/logs.cgi/firewalllog.dat.org" ]
then
  cp -arf /home/httpd/cgi-bin/logs.cgi/firewalllog.dat /home/httpd/cgi-bin/logs.cgi/firewalllog.dat.org
fi
patch -Np1 </tmp/guardian/logpatch /home/httpd/cgi-bin/logs.cgi/firewalllog.dat >/dev/null 2>&1
echo -e "Done"
echo -e "Restarting Firewall\t\t\t\t\c"
/etc/rc.d/rc.firewall stop >/dev/null 2>&1
sleep 2
/etc/rc.d/rc.firewall start >/dev/null 2>&1
sleep 2
/usr/local/bin/setxtaccess >/dev/null 2>&1
sleep 2
/usr/local/bin/setportfw >/dev/null 2>&1
sleep 2
/usr/local/bin/restartwireless >/dev/null 2>&1
echo -e "Done"

mkdir -p /var/log/guardian/old

chown root:root /etc/snort/ruleslist.conf
chmod 0666 /etc/snort/ruleslist.conf

CRONINSTALLED2=`grep geoip /var/spool/cron/root.orig`
if [ "x$CRONINSTALLED2" == "x" ]
then
  echo -e "Creating cronjob\t\t\t\t\c"
  echo -e "# Added for GeoIP BEGIN" >>/var/spool/cron/root.orig
  echo -e "01 10 2 * * /usr/local/bin/update_geoip >/dev/null 2>&1" >>/var/spool/cron/root.orig
  echo -e "# Added for GeoIP END" >>/var/spool/cron/root.orig
  fcrontab -z >/dev/null 2>&1
  echo -e "Done"
fi

###
# version control
#
while [ "$AUTO" != "y" -a "$AUTO" != "n" ]
do
  echo -e "Enable automatic versioncheck for this mod ? [y/n] \c"
  read AUTO
done

if [ "$AUTO" == "y" ]
then
cat <<END >>/home/httpd/cgi-bin/guardian.cgi
sub checkversion {
#Automatic Updates is enabled
my \$localcheckname=\$_[0];
my \$localcheckversion=\$_[1];
my @LOCALCHECK=&checkversionenabled(\$localcheckname,\$localcheckversion);
return \$LOCALCHECK[0], \$LOCALCHECK[1];
}
END
else
cat <<END >>/home/httpd/cgi-bin/guardian.cgi
sub checkversion {
#Automatic Updates is disabled
return "0","0";
}
END
fi

##########
##################################################
##cd ..
##rm -rf /tmp/guardian*
##rm -rf /tmp/installguardian
##cd /tmp/
##################################################
##########

if [ ! -e /usr/lib/libpng.so.3 ]
then
  if [ -e /usr/lib/libpng12.so.0.12.0 ]
  then
    ln -s /usr/lib/libpng12.so.0.12.0 /usr/lib/libpng.so.3
  else
    echo -e "\n\nERROR !!! Could not link libpng !!!\n\n"
  fi
fi

echo -e "Updating GeoIP info\t\t\t\t\c"
/usr/local/bin/update_geoip

echo -e "Starting Guardian\t\t\t\t\c"
fetchipac -S>/dev/null 2>&1
/usr/local/bin/guardianctrl start >/dev/null 2>&1
echo -e "Done"

echo
echo Guardian installed successfully.
echo
--------------------------------------------------
Install had to be done at the console because of the yes/no question
./install
--------------------------------------------------
Once installed the Snort Intrusion Detection System cgi page is broken.
Download 1.4.15_7_Guardian 2.4.9.7 patch vv1b … below … http://mh-lantech.css-hamburg.de/ipcop/download.php?view.193
--------------------------------------------------
Edit and replace all the contents of … … /home/httpd/cgi-bin/ids.cgi with the above download.
Or … copy over the file … and don’t forget to … set the permissions …
chmod 755 ids.cgi
--------------------------------------------------
Next … and this is the last step … Guardian is already working but … We want to …remove the ACTIVE paypal calls from the bottom of the “guardian.cgi” file.
Edit /home/httpd/cgi-bin/guardian.cgi
In the “guardian.cgi” file … from line 686-694 add rem statements to the beginning of each line ... "# " so it appears as below … truncated line view (cos the paypal serial key is huge)…
# print <<END; ... # <div align='right'> ... # <form action="https://www.paypal.com/ ... # <input type="hidden" name="cmd" value= ... # <input type="image" src="https://sslsit ... # <input type="hidden" name="encrypted" va ... # </form> ... # </div> ... # END ...
--------------------------------------------------
That’s it … Guardian should be working … And now when we refresh the page … paypal is no longer referenced.
On the Guardian “guardian.cgi” page Guardian says it’s not working …. But on the System Status page it shows that it is.
--------------------------------------------------
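The post above gets past the installer by commenting out the version check and the MD5 check. As an added example (not from this thread or from the Guardian installer), here is what those two checks can look like if kept instead of disabled: a version gate that accepts 1.4.16 and later, and a rebuild of the md5 "check" file after "install" has been edited, so "md5sum -c" keeps verifying the shipped files. Assumptions: the IPCop version arrives as a dotted string like "1.4.18" (what the installer reads from $General::version), and "check" lists the regular files in /tmp/guardian other than itself.

```shell
#!/bin/sh
# Added example, not part of the Guardian install script or of this thread.
# Shows the two checks the thread comments out, written so they can stay on:
# a ">= 1.4.16" version gate and a regenerated md5 "check" file.

# version_ge A B: succeeds (exit 0) when dotted version A is >= B,
# e.g. version_ge 1.4.18 1.4.16 is true, version_ge 1.4.15 1.4.16 is false.
version_ge() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}          # leading field of each version
        if [ "$_a" = "$_x" ]; then _a=; else _a=${_a#*.}; fi
        if [ "$_b" = "$_y" ]; then _b=; else _b=${_b#*.}; fi
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0                                 # every field equal
}

# check_ipcop_version REQUIRED FOUND: replacement for the installer's exact
# string compare ("$VERSION" != "1.4.16"), which rejected 1.4.18.
# FOUND is assumed to be the value read from $General::version.
check_ipcop_version() {
    if version_ge "$2" "$1"; then
        echo "IPCop $2 satisfies the $1-or-later requirement"
        return 0
    fi
    echo "Not running IPCop $1 or later (found $2)" >&2
    return 1
}

# rebuild_check DIR: rewrite DIR/check with fresh md5 sums of every other
# regular file in DIR (assumption: that is what the shipped "check" lists),
# then verify it the way the installer does, with "md5sum -c".
rebuild_check() {
    ( cd "$1" || exit 1
      : > check
      for _f in *; do
          [ "$_f" = check ] && continue
          [ -f "$_f" ] && md5sum "$_f" >> check
      done
      md5sum -c --status check )
}
```

After editing "install", run rebuild_check on /tmp/guardian once and leave the installer's md5 block uncommented; a later tampered or truncated file then still fails the check instead of being silently installed.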
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Guardian ipcop 1.4.16 … for IPCOP v1.4.18
--------------------------------------------------
1. Bug in the handling of rules …
When you check a rule to edit … and hit “edit” … if you leave the page before you hit “Add” the rule will be removed from the list and lost. In other words … as soon as you hit “edit” the rule is removed from the list.
2. Bug in the handling of rules …
If there are two rules the same and you decide to remove just one of them … both will be removed. You can use the above bug to allow you to remove just one of them. Edit the rule you want to delete and leave it … un - “Add” - ed … leave the page and come back … and it alone … will be gone.
--------------------------------------------------
BTW ... FYI ... install a plugin/addon like IPTablesGUI v0.1.0 ... so you can have a better idea of what is going on ... and you know for sure if your rules are working or not.
--------------------------------------------------
Sample output of IPTablesGUI ... showing the rules of Guardian.
Chain ipblock (2 references) num pkts bytes target prot opt in out source destination 1 0 0 LOG all -- * * 62.140.208.131 0.0.0.0/0 LOG flags 0 level 4 2 0 0 DROP all -- * * 62.140.208.131 0.0.0.0/0 3 0 0 LOG all -- * * 72.21.210.210 0.0.0.0/0 LOG flags 0 level 4 4 0 0 DROP all -- * * 72.21.210.210 0.0.0.0/0 5 0 0 LOG all -- * * 209.62.185.43 0.0.0.0/0 LOG flags 0 level 4 6 0 0 DROP all -- * * 209.62.185.43 0.0.0.0/0 7 0 0 LOG all -- * * 208.111.157.70 0.0.0.0/0 LOG flags 0 level 4 8 0 0 DROP all -- * * 208.111.157.70 0.0.0.0/0 9 0 0 LOG all -- * * 72.21.206.84 0.0.0.0/0 LOG flags 0 level 4 10 0 0 DROP all -- * * 72.21.206.84 0.0.0.0/0 11 0 0 LOG all -- * * 72.247.238.217 0.0.0.0/0 LOG flags 0 level 4 12 0 0 DROP all -- * * 72.247.238.217 0.0.0.0/0 13 0 0 LOG all -- * * 12.129.147.65 0.0.0.0/0 LOG flags 0 level 4 14 0 0 DROP all -- * * 12.129.147.65 0.0.0.0/0 15 0 0 LOG all -- * * 24.50.112.0 0.0.0.0/0 LOG flags 0 level 4 16 0 0 DROP all -- * * 24.50.112.0 0.0.0.0/0 17 0 0 LOG all -- * * 195.225.177.7 0.0.0.0/0 LOG flags 0 level 4 18 0 0 DROP all -- * * 195.225.177.7 0.0.0.0/0
--------------------------------------------------
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Awhile back ...
PhuPhyt ... asked
Does anyone here have a good idea how to take lists from [link] and make iptables just drop access ?
Yes ... get the lists from www.completewhois.com
Use banish-1.4.6.tar.gz to block entire CIDR ranges ...
Note ... The entire CIDR Bogon list has about 7300 entries ... after about 2500 or so ... iptables craps out royally ... banish-1.4.6 works great ... if you keep your list down below 2500 entries.
Snort ... with Guardian ... as far as I know ... is the only way to block monster ranges of ips ... without clogging up iptables.
So if you're going to try and block an entire bogons-cidr-all range set ... Guardian is a must have addon.
A Snort ruleset with 7300 IP ranges can take a couple of minutes to load. Works perfectly.
If anyone wants such a ruleset ... just say the word ... and I'll post it somewhere. Acquired set of Feb, 2008
Comments: 21 Registered: 27 Feb 2008 : 02:23 | --------------------------------------------------
CIDR Bogon ranges.
--------------------------------------------------
Here is the Snort ruleset from [link]
Based on data collected on Thu Jan 31 06:46:56 PST 2008
The file ... sosi-cidr_bogon.rules.rar
Download link for this ruleset ... below
http://rapidshare.com/files/97397110/sosi-cidr_bogon.rules.rar
[link]
Comments: 21 Registered: 27 Feb 2008 : 02:23 | --------------------------------------------------
Snort ruleset from the “bogons-cidr-all.txt” file at completewhois.com/bogons/ .. .
Iptables limits to about 2500 entries .. so ..
The only way to cover 7381 reserved range IP-ranges, in raw cidr format is with a Snort ruleset.
--------------------------------------------------
The file ... (25K) ... sosi-cidr_bogon.rules.rar uncompressed (157,865 bytes)
Download link for this ruleset .. . http://rapidshare.com/files/97397110/sosi-cidr_bogon.rules.rar
--------------------------------------------------
Note: Snort may fail to start if sid rule numbers overlap. This set of rules uses “sid:“ ranges 10000001 through 10000256.
--------------------------------------------------
#*************************************************************
# SOSI
#*************************************************************
#*************************************************************
# bogons-cidr-all.txt
# See [link]
# Based on data collected on Thu Jan 31 06:46:56 PST 2008
#*************************************************************
#*************************************************************
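The ruleset described in this post (thousands of CIDRs packed into a few hundred rules, "sid:" numbers counting up from 10000001, and Snort refusing to start when two rules share a sid) can be produced and checked with two small shell functions. This is an added example, not the sosi ruleset or anything posted in the thread. Assumptions: the bogon list has one CIDR per line with "#" comments, each emitted rule carries GROUP networks in a Snort IP list, and the rules alert on any IP traffic from those networks (Guardian then blocks the alerting source address).

```shell
#!/bin/sh
# Added example: build Snort rules from a CIDR bogon list and check sid uniqueness.
# Not the sosi ruleset from the thread; constructed here for illustration.

# make_bogon_rules LISTFILE GROUP FIRST_SID
# Emits one "alert ip" rule per GROUP networks, sids numbered from FIRST_SID.
# Grouping keeps the rule count (and Snort's load time) down, as the thread notes.
make_bogon_rules() {
    awk -v group="$2" -v sid="$3" '
        function emit() {
            printf "alert ip [%s] any -> any any (msg:\"SOSI bogon source\"; sid:%d; rev:1;)\n", list, sid
            sid++; n = 0; list = ""
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        { list = (n++ ? list "," : "") $1 }   # append this CIDR to the pending IP list
        n == group { emit() }                 # rule is full: write it out
        END { if (n) emit() }                 # flush the partial last rule
    ' "$1"
}

# dup_sids RULESFILE...: prints every sid that occurs more than once across the
# given files and exits 1 if any did, so an overlap is caught before Snort restarts.
dup_sids() {
    awk 'match($0, /sid:[ \t]*[0-9]+/) {
             s = substr($0, RSTART + 4, RLENGTH - 4); gsub(/[ \t]/, "", s)
             if (++seen[s] == 2) { print s; dup = 1 }
         }
         END { exit dup ? 1 : 0 }' "$@"
}
```

Run dup_sids over the whole rules directory (not just the new file) before enabling a set, since the overlap the thread warns about is between rulesets, not within one.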
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Snort ruleset from the “bogons-cidr-all.txt” at completewhois.com/bogons/
--------------------------------------------------
NEW - UPDATED (rev3)
Snort ruleset from the “bogons-cidr-all.txt” file at completewhois.com/bogons/ .. .
--------------------------------------------------
Note: Snort may fail to start if sid rule numbers overlap. This set of rules uses “sid:“ ranges 10000001 through 10000256.
--------------------------------------------------
#*************************************************************
# SOSI
#*************************************************************
#*************************************************************
# bogons-cidr-all.txt
# See [link]
# Based on data collected on Thu Jan 31 06:46:56 PST 2008
#*************************************************************
#*************************************************************
--------------------------------------------------
The file ... (25K) ... sosi-cidr_bogon.rules(rev3).zip uncompressed (157,863 bytes)
Download this ruleset .. .
http://www.howtoforge.org/forums/attachment.php?attachmentid=749&d=1205209192
Comments: 21 Registered: 27 Feb 2008 : 02:23 | - - -
There may be a better way in getting this Guardian thing working ...
... start with a fresh install of IPCOP ... update the Snort ruleset !!!!!!!!!!!!!!!!!!!!!!!!!!!
It would seem that after the Snort ruleset has been updated the Guardian "ids.cgi" hack does not have to be used ...
The rule selector of Snort works as it should ... but only if Snort was updated first.
- - -
Comments: 21 Registered: 27 Feb 2008 : 02:23 | ____________________________________________________________________
I have Just finished reinstalling Guardian (guardian_ipcop_1.4.16.tgz) on a fresh IPCOP (ipcop-1.4.18) and have confirmed the above and below statements to be true.
____________________________________________________________________
There may be a better way in getting this Guardian thing working ...
... start with a fresh install of IPCOP ... update the Snort ruleset !!!!!!!!!!!!!!!!!!!!!!!!!!!
It would seem that after the Snort ruleset has been updated the Guardian "ids.cgi" hack does not have to be used ...
The rule selector of Snort works as it should ... but only if Snort was updated first.
____________________________________________________________________
Copy guardian_ipcop_1.4.16.tgz to /tmp/ ... must be extracted to this folder!!! ....extracted view ... /tmp/guardian
____________________________________________________________________
Enter terminal command:
____________________________________________________________________
tar -zxvf guardian_ipcop_1.4.16.tgz
replace contents of "install" file
____________________________________________________________________
had to be done at the console because of yes/no question
./install
____________________________________________________________________
To view and use the plugin go to IPCop/Services/Intrusion Detection/
Adds a Guardian interface and the ability to choose Snort Intrusion Detection rule sets.
____________________________________________________________________
Remove the paypal links, which are port 443 encrypted connections. When refreshing the plugin page ... it (the firewall) makes a connection to paypal and adds a huge delay in page loading time.
From the addon modify the following ...
... go to ...
cd /home/httpd/cgi-bin
edit the following files ...
____________________________________________________________________
guardian.cgi
from line 686-694 add rem statements to the beginning of each line ... "# "
# print <<END; ... # <div align='right'> ... # <form action="https://www.paypal.com/ ... # <input type="hidden" name="cmd" value= ... # <input type="image" src="https://sslsit ... # <input type="hidden" name="encrypted" va ... # </form> ... # </div> ... # END ...
____________________________________________________________________
(this step is no longer needed if you update Snort before you install guardian_ipcop_1.4.16.tgz)
Replace "ids.cgi" / patch ... with ...
ids(1.4.15_7_Guardian 2.4.9.7 patch vv1b).zip
or use the fixed version ...
(The original ids.cgi from guardian worked ... updated the rules before hand and it worked didn't have to replace it with fixed version ... and the rules selector also worked)
____________________________________________________________________
May have to reboot ... for guardian to start working.
____________________________________________________________________
Comments: 2 Registered: 24 Aug 2008 : 20:40 | Hey,
I was wondering if anyone else had the problem of when updating to the latest ipcop (1.4.21) it breaks the rule selector and the ability to enable guardian under intrusion detection? Anyone got a fix to this?
I would appreciate it a lot as I like to be able to tune my rules. Also anyone know of a way so the snort rules selector shows up different rulesets? For instance spyware-put? When I tried once just to simply add it to use that rules file in the snort directory it just broke the rule selector.
Thanks for any help in advance.
Comments: 21 Registered: 27 Feb 2008 : 02:23 | ____________________________________________________________________
kevross33
Hey,
I was wondering if anyone else had the problem of when updating to the latest ipcop (1.4.21) it breaks
the rule selector and the ability to enable guardian under intrusion detection? Anyone got a fix to
this?
I would appreciate it a lot as I like to be able to tune my rules. Also anyone know of a way so the
snort rules selector shows up different rulesets? For instance spyware-put? When I tried once just to
simply add it to use that rules file in the snort directory it just broke the rule selector.
Thanks for any help in advance.
____________________________________________________________________
Yo ... kevross33
My ipcop (1.4.21) is up and running fine with Guardian (guardian_ipcop_1.4.16.tgz) ... built from a
fresh install of ipcop (1.4.20), then updated to (1.4.21). I'm not sure if the ipcop update can break
the snort rules selector page, as I think I updated it before hand.
I trust you have read the above tips in this thread ... as ... Everything you need to install ipcop and
guardian correctly (read working) ... is here on this page and in this thread.
Then, after the basic ipcop (1.4.21) ...
The plugin order went as follows ... *(a proven order that worked ... for me at least) *(some of these are less useful than the others ... some essential) *(at this time ... these were the latest greatest version numbers)
- - - - - - - - -
"snort rules update" *(not a plugin ... but, just necessary for guardian ... see above tips in this
thread) snortalog_ipcop_1.4.8.tar.tar guardian
guiports-1.6.2.tar.gz samba-0.2.1.tar.gz *(lately, the website doesn't want to give up the goods)
ipcop-advproxy-2.1.10.tar.tar ipcop-calamaris-2.1.2.tar.gz
BlockOutTraffic-3.0.0-GUI-b3.tar.tgz
Net-Traffic-1.3.0-GUI-b3.tar.gz
ipcop-urlfilter-1.9.3.tar.gz
iptablesgui-ipcop-0.1.0.tar.gz
banish-1.4.7.tar.gz
rkhunter_1.2.9_ipcop_1.4.11.tar.tar
- - - - - - - - -
Frankly I'm a little confused as to your question of 'spyware-put' ... as that is part of the default
snort ruleset ... and they should have been working fine. Perhaps I've just taken it for granted that I
fixed the problem with 666 as the permissions in the /etc/snort/rules directory . hmmm, can't say ...
dunno
But, if you're adding outside rulesets (to snort)... which I do ... from sites such as
[link] .. and/or making your own from various reference sources ... perhaps it's the
permissions in the rules directory that is in error *(this tripped me up for quite awhile). These
rulesets need to be written to ... ie. turning on or off individual rules within.
These are the commands I use when installing - navigating about snort ... *(random order ... not necessarily all used ... use each when appropriate) *(if permission 666 is too drastic ... please tech, correct me here ... but it works as such)
- - - - - - - - -
cd /etc/snort
cd /etc/snort/rules
chown snort:snort /etc/snort/rules/*.*
chmod -v 666 /etc/snort/rules/*.*
- - - - - - - - -
BTW ... 'sid:' numbers in rulesets must be unique ... duplicate 'sid:' numbers can be very frustrating
to find.
Good luck, kevross33 and ya fella ipcopsters ... hope that answers your question.
Hmm … I wonder if people actually read this and / or have found it useful ... ____________________________________________________________________
Comments: 21 Registered: 27 Feb 2008 : 02:23 | For those of you wishing to install 'iptablesgui-ipcop-0.1.0.tar.gz' to complement your IPCOP and Guardian setup ... and / or wishing to download far more extreme IPDeny (www'dot'ipdeny'dot'com) country wide Snort rule sets please visit [link] (www'dot'howtoforge'dot'org/forums/showthread.php?t=66&page=2)
There you will find a useful security tip on installing 'iptablesgui-ipcop-0.1.0.tar.gz' as well as 'new' Snort rule sets for Snort - Guardian.
... On another thread someone asked how to backup your Snort rule sets ...
Backup ...
the single file ... /etc/snort/ruleslist.conf
and the entire directory of ... /etc/snort/rules
... please be advised of the permissions and ownerships of the files when restoring them back to a clean basic IPCOP ...
- - - - - - - - -
cd /etc/snort
cd /etc/snort/rules
chown snort:snort /etc/snort/rules/*.*
chmod -v 666 /etc/snort/rules/*.*
- - - - - - - - -
Yo ... kevross33 ... when the permissions are wrong in the /etc/snort/rules directory ... Snort will fail to start (it doesn't just break the rule selector page) ... similar to what kevross33 described ...
Elixa
Comments: 2 Registered: 24 Aug 2008 : 20:40 | Hey, I still have ipcop 1.15 on a CD so I start upgrading from that and installing addons as I go. What happened was as soon as I go from .18 - .19 guardian disappears from the intrusion detection page (though you can still see where it tried to load the snort rules selector aspect).
It would be good to get the rules selector to see the other rules files so I can select individual rules by the GUI, I will play around with it. I would like it as I currently just paste the emerging threats and my own rules before I submit them to emerging threats into existing rules files that it can see.
I will try the method listed in this forum for getting it working properly. Thanks for the help.
|
|
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Yo ... kevross33 ... yah ... I see what you're saying ... but I can't help you with ipcop version numbers, that far back. I started ipcop at 'ipcop-1.4.16-install-cd.i386.iso' ... never bothered with the upgrades (much) (as I see it, ipcop is just coming to terms with its 'flawless' upgrade method now - perfect addon methodology may be another story) ... just waited for the entire new 'iso's. Besides that ... I have two designated computers for ipcop ... I build the next one up and swap the old one out (suggestion - make little text help files and backup your old rules - settings, cut'n'paste the command lines, and you can have a new ipcop 'decked out' in 2-3 hours). You know ... for what it's worth ... maybe it's time to download the next new 51mb - 'ipcop-1.4.20-install-cd.i386.iso' and start fresh'n'new. With all the latest greatest stuff and fixes (albeit under the hood - non cosmetic) ... it may give you 'peace of mind' knowing you have the best of what they have to offer (besides that ... another day another new threat/vulnerability) ... tested/designed to be as bug free as they could make it.
BTW ... I described my addon order (above) because I found that if you install Banish and Guardian on the same ipcop system ... "Guardian had to be installed first" ... if you installed Banish first ... later Guardian would break the "firewall logs" cgi page. Since Guardian can be a little tricky to install ... and I figured Snort is near useless without it ... once Guardian was A-OK working ... it was all downhill from there.
Yah know ... If you study these addon install scripts ... they assume certain things when appending their code to existing cgi pages ... if something is off / askew (from ver to ver ... addon to addon) ... it may take a brain surgeon or the original programmer to figure out why the thing doesn't work. That's probably the best (non?) answer to your problem that I can think of.
Yo ... kevross33 ... you submit your own rules to emerging threats? ... cool!
Check out the 'new' Snort rules here in the downloads section ... 'Addons für Ipcop 1.4.21'
Oh, and ... you're welcome. ... Good luck with the rebuild
Don’t forget to update the original Snort rules first.
|
|
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Yo ... kevross33 ... spose a better answer would have been ... yah broke it!
-----------------------------------------------------------------------
In the Description bebima says ... "There is also a function in the connection-page of the webinterface to block ip's. Just click the ip to show the who-is and at the end of the who-is-page there is a link to block the ip."
So in other words ... when you do a whois on an ip ... there's a 'block ip' button on the bottom of the page. When you block it ... Guardian becomes the manager of that rule .... ie it shows up in Guardian.
This is an excellent way of hunting down those pesky ips that constantly harass port 67-68. They may be close to your own ip-range or a specific other ... but ... suspiciously, returning a whois of your own service provider's name ... and maybe even some of IANA ips ... who knows.
Anyways ... the cool thing about all this is ... after viewing the iptables gui (iptablesgui-ipcop-0.1.0.tar.gz) ... you can see over time how many packets these pesky ips "would have" sent to ports 67-68 ... but were denied.
BTW ... when studying the iptables gui you can see that port 67-68 are open-ish on RED for abuse ('cos they have to be for DHCP ... but not necessarily so for rogue outside ips).
Guardian’s ipchain rule structure, as you can see in iptables gui, writes a nice clean rule that pre-filters all traffic on RED.
Once all the port 67-68 attack ips are blocked ... you'll (all) see considerably less activity in open ended [UNREPLIED] port 68 connections on the Connections-IPTables Connection Tracking page.
Just a thought.
|
|
Comments: 2 Registered: 19 Oct 2007 : 18:17 | Just reinstalled it with the patch after upgrading to 1.4.21 and everything is fine.
|
|
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Tip on IP(s) to ignore with Guardian. False positives …
Once you have Guardian all set up and blocking IP(s) from the output of Snort … Snort may inevitably trigger on a port scan from your own provider's DNS IP(s) … (happens quite often actually). If this happens … you will be blocked from DNS lookups (ie broken internet) … unless the Guardian rule times out or gets erased. Note which port 53 DNS connections you make on Ipcop’s “Connections - IPTables Connection Tracking” page … Then plug those two IP(s) into Guardian’s “Add IP/Network to ignore” section … perhaps label them as your provider DNS name … and you’re good to go.
|
|
Comments: 21 Registered: 27 Feb 2008 : 02:23 | Tip on Guardian ...
Renaming [autoblocked] in Guardian ... keeps a rule from timing out *(becomes permanent)
Tip on Snort VRT rules ... Default IPCOP
Some Snort rules are excluded from being updated by default ... in "oinkmaster.conf"
This file is used whenever the "Apply Now" button is pressed on the Snort “Intrusion Detection” page.
cd /var/ipcop/snort
oinkmaster.conf
Scroll down and find ... "# skipfile sid-msg.map" and add REM "# " statements so all the Snort rules get updated ... "Apply Now"
------------
# skipfile sid-msg.map
# skipfile web-attacks.rules
# skipfile backdoor.rules
# skipfile shellcode.rules
# skipfile policy.rules
# skipfile porn.rules
# skipfile info.rules
# skipfile icmp-info.rules
# skipfile virus.rules
# skipfile chat.rules
# skipfile multimedia.rules
# skipfile p2p.rules
skipfile experimental.rules
------------
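As an added example (not the poster's own commands), a POSIX shell script that lists which rule files an oinkmaster.conf still excludes from updates and then REMs out those skipfile lines the way the tip describes. The sample config and the `demo_conf` name are constructed; on IPCop the real file is /var/ipcop/snort/oinkmaster.conf, and oinkmaster's comma-separated multi-file skipfile form is handled as well.

```shell
#!/bin/sh
# Added example: list which rule files an oinkmaster.conf currently excludes
# from updates and comment those "skipfile" lines out, which is the edit the
# post describes. The sample config is constructed; on IPCop the real file
# is /var/ipcop/snort/oinkmaster.conf.

# Print the rule files on active (uncommented) skipfile lines, one per line.
# oinkmaster allows several comma-separated files per skipfile line.
skipped_files() {
    awk '$1 == "skipfile" {
        sub(/^[[:space:]]*skipfile[[:space:]]+/, "")
        n = split($0, f, /[[:space:]]*,[[:space:]]*/)
        for (i = 1; i <= n; i++) {
            gsub(/[[:space:]]+$/, "", f[i])
            if (f[i] != "") print f[i]
        }
    }' "$1"
}

# Comment out every active skipfile line so the next "Apply Now" updates all
# categories; the original is kept as <conf>.bak.
enable_all_rule_updates() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed 's/^\([[:space:]]*\)skipfile\([[:space:]]\)/\1# skipfile\2/' "$conf.bak" > "$conf"
}

# --- constructed sample modelled on the skipfile block quoted in the post ---
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# skipfile sid-msg.map
skipfile web-attacks.rules, backdoor.rules
skipfile shellcode.rules
skipfile experimental.rules
EOF

echo "rule files currently excluded from updates:"
skipped_files "$demo_conf"
```

Running `skipped_files` before and after the edit shows exactly which categories the next "Apply Now" will start refreshing.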

|