[Bug 1917682] Re: rules url error fwsnort
Changing the address from http to https seems to fix psad's crash, but I still get data from unconfigured servers in:

/etc/fwsnort/fwsnort.conf
### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24,
    64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];

sudo fwsnort --update-rules
[+] Downloading latest rules into /etc/fwsnort/snort_rules/
--2021-03-13 12:23:40-- https://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 18.214.66.196, 23.21.164.163
Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 17054303 (16M) [text/plain]
Guardando como: “emerging-all.rules”

emerging-all.rules 100%[=>] 16,26M 509KB/s en 30s

2021-03-13 12:24:11 (551 KB/s) - “emerging-all.rules” guardado [17054303/17054303]

[+] Finished.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917682

Title:
  rules url error fwsnort

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwsnort/+bug/1917682/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1917682] Re: rules url error fwsnort
** Changed in: fwsnort (Ubuntu)
   Assignee: (unassigned) => claudio javier fernandez (cjfjavier)
[Bug 1917682] Re: rules url error fwsnort
** Changed in: fwsnort (Ubuntu) Status: Incomplete => Invalid ** Converted to question: https://answers.launchpad.net/ubuntu/+source/fwsnort/+question/696031 ** Description changed: psad detects the default url of fwsnort rules and blocks the ip when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files - sudo psad --sig-update + EDIT (sudo psad --sig-update) corrected sudo fwsnort --update-rules Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. I receive mail alert in mutt Subject: [psad-status] tcpwrappers AUTO-BLOCK against 18.214.66.196 Subject: [psad-status] tcpwrappers AUTO-BLOCK against 23.21.164.163 added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) Scanned TCP ports: [48356: 1 packets] TCP flags: [ACK: 1 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets fwsnort rule: 498 Source: 18.214.66.196 DNS: ec2-18-214-66-196.compute-1.amazonaws.com MAC: [+] TCP scan signatures: "PORN free XXX" dst port: 48356 (no server bound to local port) flags: ACK content: "FREE XXX" sid: 1310 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn - Danger level: [2] (out of 5) Scanned TCP ports: [54500: 2 packets] TCP flags: [ACK: 2 packets] iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets fwsnort rule: 514 iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID10105 ESTAB"), 1 packets fwsnort rule: 93 Source: 23.21.164.163 DNS: 
ec2-23-21-164-163.compute-1.amazonaws.com MAC: [+] TCP scan signatures: "PORN ejaculation" dst port: 54500 (no server bound to local port) flags: ACK content: "ejaculat" sid: 1795 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn "COMMUNITY INAPPROPRIATE lolita sex" dst port: 54500 (no server bound to local port) flags: ACK content: "lolita" content: "sex" sid: 10105 chain: FWSNORT_INPUT_ESTAB packets: 1 classtype: kickass-porn /etc/psad/psad.conf AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; /etc/fwsnort/fwsnort.conf ### AOL AIM server nets AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; --- ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux apt-cache policy fwsnort fwsnort: Instalados: 1.6.7-3 Candidato: 1.6.7-3 Tabla de versión: *** 1.6.7-3 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages 100 /var/lib/dpkg/status apt-cache policy psad psad: Instalados: 2.4.3-1.2 Candidato: 2.4.3-1.2 Tabla de versión: *** 2.4.3-1.2 500 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages 100 /var/lib/dpkg/status ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: fwsnort 1.6.7-3 ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86 Uname: Linux 5.4.0-66-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.23 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Wed Mar 3 20:12:08 2021 InstallationDate: Installed on 2020-04-16 (321 days ago) InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64 (20200203.1) PackageArchitecture: all SourcePackage: fwsnort UpgradeStatus: No upgrade log present (probably fresh install) edit:psad corrected without changing 
configuration
[Bug 1917682] Re: rules url error fwsnort
** Description changed: + psad detects the default url of fwsnort rules and blocks the ip - psad detects the default url of fwsnort rules and blocks the ip + + when executing the following commands the ip addresses do not correspond to the servers configured in the fwsnort and psad files sudo psad --sig-update + sudo fwsnort --update-rules - Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196 Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión. Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file. [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387. + I receive mail alert in mutt added iptables auto-block against 18.214.66.196 added iptables auto-block against 23.21.164.163 Danger level: [2] (out of 5) - Scanned TCP ports: [48356: 1 packets] - TCP flags: [ACK: 1 packets] -iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets - fwsnort rule: 498 + Scanned TCP ports: [48356: 1 packets] + TCP flags: [ACK: 1 packets] + iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets + fwsnort rule: 498 -Source: 18.214.66.196 - DNS: ec2-18-214-66-196.compute-1.amazonaws.com - MAC: 8c:c5:b4:dd:fe:e0 + Source: 18.214.66.196 + DNS: ec2-18-214-66-196.compute-1.amazonaws.com + MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: -"PORN free XXX" -dst port: 48356 (no server bound to local port) -flags: ACK -content: "FREE XXX" -sid: 1310 -chain: FWSNORT_INPUT_ESTAB -packets: 1 -classtype: kickass-porn + "PORN free XXX" + dst port: 48356 (no server bound to local port) + flags: ACK + content: "FREE XXX" + sid: 1310 + chain: FWSNORT_INPUT_ESTAB + packets: 1 + classtype: kickass-porn - Danger level: [2] (out of 5) - Scanned TCP ports: [54500: 2 packets] - TCP flags: [ACK: 2 packets] -iptables 
chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets - fwsnort rule: 514 -iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID10105 ESTAB"), 1 packets - fwsnort rule: 93 + Scanned TCP ports: [54500: 2 packets] + TCP flags: [ACK: 2 packets] + iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets + fwsnort rule: 514 + iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID10105 ESTAB"), 1 packets + fwsnort rule: 93 -Source: 23.21.164.163 - DNS: ec2-23-21-164-163.compute-1.amazonaws.com - MAC: 8c:c5:b4:dd:fe:e0 + Source: 23.21.164.163 + DNS: ec2-23-21-164-163.compute-1.amazonaws.com + MAC: 8c:c5:b4:dd:fe:e0 [+] TCP scan signatures: -"PORN ejaculation" -dst port: 54500 (no server bound to local port) -flags: ACK -content: "ejaculat" -sid: 1795 -chain: FWSNORT_INPUT_ESTAB -packets: 1 -classtype: kickass-porn + "PORN ejaculation" + dst port: 54500 (no server bound to local port) + flags: ACK + content: "ejaculat" + sid: 1795 + chain: FWSNORT_INPUT_ESTAB + packets: 1 + classtype: kickass-porn -"COMMUNITY INAPPROPRIATE lolita sex" -dst port: 54500 (no server bound to local port) -flags: ACK -content: "lolita" -content: "sex" -sid: 10105 -chain: FWSNORT_INPUT_ESTAB -packets: 1 -classtype: kickass-porn + "COMMUNITY INAPPROPRIATE lolita sex" + dst port: 54500 (no server bound to local port) + flags: ACK + content: "lolita" + content: "sex" + sid: 10105 + chain: FWSNORT_INPUT_ESTAB + packets: 1 + classtype: kickass-porn - /etc/psad/psad.conf + /etc/psad/psad.conf AOL AIM server nets - AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, + AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; - /etc/fwsnort/fwsnort.conf ### AOL AIM server nets
Re: [Bug 1917682] Re: rules url error fwsnort
Thank you for your response and sorry for the delay in my response, changed to public, good morning

On Tue, Mar 9, 2021 at 09:00, Marc Deslauriers (1917...@bugs.launchpad.net) wrote:

> Thanks for reporting this issue. Can I make this bug public so that the
> fwsnort community can see it and possibly fix the issue?
>
> ** Changed in: fwsnort (Ubuntu)
> Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1917682
>
> Title:
> rules url error fwsnort
>
> Status in fwsnort package in Ubuntu:
> Incomplete
>
> Bug description:
>
> psad detects the default url of fwsnort rules and blocks the ip
>
> sudo psad --sig-update
>
> sudo fwsnort --update-rules
>
>
> Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)...
> 23.21.164.163, 18.214.66.196
> Conectando con rules.emergingthreats.net
> (rules.emergingthreats.net)[23.21.164.163]:80...
> falló: Expiró el tiempo de conexión.
> Conectando con rules.emergingthreats.net
> (rules.emergingthreats.net)[18.214.66.196]:80...
> ^C[-] Could not download emerging-all.rules file.
> [*] Could not move emerging-all.rules -> emerging-all.rules.tmp at
> /usr/sbin/fwsnort line 4387.
>
>
> added iptables auto-block against 18.214.66.196
>
> added iptables auto-block against 23.21.164.163
>
> Danger level: [2] (out of 5)
>
> Scanned TCP ports: [48356: 1 packets]
> TCP flags: [ACK: 1 packets]
> iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310
> ESTAB"), 1 packets
> fwsnort rule: 498
>
> Source: 18.214.66.196
> DNS: ec2-18-214-66-196.compute-1.amazonaws.com
> MAC: 8c:c5:b4:dd:fe:e0
> [+] TCP scan signatures:
>
> "PORN free XXX"
> dst port: 48356 (no server bound to local port)
> flags: ACK
> content: "FREE XXX"
> sid: 1310
> chain: FWSNORT_INPUT_ESTAB
> packets: 1
> classtype: kickass-porn
> -
>
> Danger level: [2] (out of 5)
>
> Scanned TCP ports: [54500: 2 packets]
> TCP flags: [ACK: 2 packets]
> iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795
> ESTAB"), 1 packets
> fwsnort rule: 514
> iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ
> SID10105 ESTAB"), 1 packets
> fwsnort rule: 93
>
> Source: 23.21.164.163
> DNS: ec2-23-21-164-163.compute-1.amazonaws.com
> MAC: 8c:c5:b4:dd:fe:e0
>
> [+] TCP scan signatures:
>
> "PORN ejaculation"
> dst port: 54500 (no server bound to local port)
> flags: ACK
> content: "ejaculat"
> sid: 1795
> chain: FWSNORT_INPUT_ESTAB
> packets: 1
> classtype: kickass-porn
>
> "COMMUNITY INAPPROPRIATE lolita sex"
> dst port: 54500 (no server bound to local port)
> flags: ACK
> content: "lolita"
> content: "sex"
> sid: 10105
> chain: FWSNORT_INPUT_ESTAB
> packets: 1
> classtype: kickass-porn
>
>
> /etc/psad/psad.conf
> AOL AIM server nets
> AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24,
> 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24,
> 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
>
>
> /etc/fwsnort/fwsnort.conf
> ### AOL AIM server nets
> AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24,
> 64.12.28.0/24, 64.12.29.0/24,
> 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
> ---
>
> ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5
> 11:17:31 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
>
> apt-cache policy fwsnort
> fwsnort:
> Instalados: 1.6.7-3
> Candidato: 1.6.7-3
> Tabla de versión:
> *** 1.6.7-3 500
> 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64
> Packages
> 500 http://archive.ubuntu.com/ubuntu bionic/universe i386
> Packages
> 100 /var/lib/dpkg/status
>
> apt-cache policy psad
> psad:
> Instalados: 2.4.3-1.2
> Candidato: 2.4.3-1.2
> Tabla de versión:
> *** 2.4.3-1.2 500
> 500 http://archive.ubuntu.com/ubuntu bionic/universe amd64
> Packages
> 100 /var/lib/dpkg/status
>
> ProblemType: Bug
> DistroRelease: Ubuntu 18.04
> Package: fwsnort 1.6.7-3
> ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86
> Uname: Linux 5.4.0-66-generic x86_64
> ApportVersion: 2.20.9-0ubuntu7.23
> Architecture: amd64
> CurrentDesktop: ubuntu:GNOME
> Date: Wed Mar 3
[Bug 1917682] Re: rules url error fwsnort
** Information type changed from Private Security to Public
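
Added example (not part of the bug thread and not psad or fwsnort code): a triage check that cross-references the addresses wget resolved for the rules host with the psad auto-block alert quoted in this report, to confirm that both blocked addresses are the rule update server itself and to list the fwsnort SIDs that fired. The sample strings are constructed from lines quoted in the report, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: lines from the wget output and psad alert in this report.
WGET_OUTPUT = """\
Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196
Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión.
"""
PSAD_ALERT = """\
added iptables auto-block against 18.214.66.196
added iptables auto-block against 23.21.164.163
iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets
Source: 18.214.66.196
iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets
iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID10105 ESTAB"), 1 packets
Source: 23.21.164.163
"""

def resolved_ips(wget_text):
    """Map each address wget resolved to the hostname it was resolved for."""
    owners = {}
    # "<verb> host (host)... ip, ip": the verb is localized, the layout is not.
    for host, addrs in re.findall(r"^\S+ (\S+) \(\1\)\.\.\. (.+)$", wget_text, re.M):
        for addr in addrs.split(","):
            try:
                owners[str(ipaddress.ip_address(addr.strip()))] = host
            except ValueError:
                continue  # not an IP address, skip it
    return owners

def psad_blocks(alert_text):
    """Return {blocked_ip: [fwsnort SIDs logged for that source]}."""
    blocked = set(re.findall(r"auto-block against (\S+)", alert_text))
    sids_by_source, pending = {}, []
    for line in alert_text.splitlines():
        sid = re.search(r'prefix "\[\d+\] \w+ SID(\d+) ', line)
        if sid:
            pending.append(int(sid.group(1)))  # chain lines precede their Source line
        elif line.strip().startswith("Source:"):
            sids_by_source[line.split(":", 1)[1].strip()] = pending
            pending = []
    return {ip: sids_by_source.get(ip, []) for ip in sorted(blocked)}

def self_inflicted_blocks(wget_text, alert_text):
    """Blocks whose target is an address the rule download itself resolved."""
    owners = resolved_ips(wget_text)
    return {ip: (owners[ip], sids)
            for ip, sids in psad_blocks(alert_text).items() if ip in owners}

print(self_inflicted_blocks(WGET_OUTPUT, PSAD_ALERT))
```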