
ClearFoundation

About Me

Basic Information

Whereabouts

Country
United States

Web Links

Web Site
http://thinkwelldesigns.com
DaveBurkholder
Over 30 installs
  • Member since: Tuesday, 03 July 2007 16:37
  • Last online: yesterday
  • Profile views: 1203 views
2 days ago
DaveBurkholder created a new topic Snortsnam MIA? in the forums.
I noticed on one of my COS 6.4 systems that snort rules were being triggered but the IPs were never blocked, so I investigated snortsam. I'm getting output like so:

Code:

Error: [/etc/snortsam.conf: 52] Config file '/etc/snortsam.d/webconfig-whitelist.conf' not found or inaccessible!
Parsing config file /etc/snortsam.d/system-autowhitelist.conf...
Checking for existing state file "/var/db/snortsam.state".
Found. Reading state file.
Error: Could not bind socket.

I tried several different systems, put them through the paces and got the same results. So I did some forum searches and found I'm not the only one with the problem, but most of the threads were with 6.2 - 6.4. All my systems are on 6.4. Is there a solution that I've missed?

I've gotten mixed reads on it with the reduced rulesets and Peter mentioning that a free IDS might be worse than none. In any case, I'm not proud of myself that I didn't catch this till now.

To the COS team, is there an official word on intrusion detection in COS 6.4?
01:57 PM
2 weeks ago
Aaron Bylund and Mats Landstedt are now connections May 03
DaveBurkholder replied to the topic Re: DHCP Server Bug! in the forums.
Thanks for helping, Nick & Tim. I switched to 10.5.7.x to get on with the rest of deployment, but I wish I had a better handle on what went wrong.
May 03
DaveBurkholder replied to the topic Re: DHCP Server Bug! in the forums.
Removing TFTP & WINS settings has no effect. Switching to 192.168.1.1 as gateway works. DHCP hands out the correct gateway IPs. Change it back to 10.3.5.1 and we're back to 10.3.5.12 as gateway. So there's a pattern, vexing for sure, enlightening - remains to be seen.

In the /var/messages file, I do get entries like this:

# LinksysPAP2
May 2 13:49:41 system dnsmasq-dhcp[25409]: DHCPDISCOVER(eth3) 00:21:29:0a:a7:72
May 2 13:49:41 system dnsmasq-dhcp[25409]: DHCPOFFER(eth3) 10.3.5.240 00:21:29:0a:a7:72
May 2 13:49:41 system dnsmasq-dhcp[25409]: DHCPREQUEST(eth3) 10.3.5.240 00:21:29:0a:a7:72
May 2 13:49:41 system dnsmasq-dhcp[25409]: DHCPNAK(eth3) 10.3.5.240 00:21:29:0a:a7:72 wrong server-ID
May 2 13:49:41 system dnsmasq-dhcp[25409]: DHCPREQUEST(eth3) 10.3.5.240 00:21:29:0a:a7:72
May 2 13:49:41 system dnsmasq-dhcp[25409]: DHCPNAK(eth3) 10.3.5.240 00:21:29:0a:a7:72 wrong server-ID

# Kubuntu 13.04
May 2 13:24:47 system dnsmasq-dhcp[920]: DHCPDISCOVER(eth3) 10.3.5.140 1c:6f:65:d7:e7:c6
May 2 13:24:47 system dnsmasq-dhcp[920]: DHCPOFFER(eth3) 10.3.5.140 1c:6f:65:d7:e7:c6
May 2 13:24:47 system dnsmasq-dhcp[920]: DHCPREQUEST(eth3) 10.3.5.140 1c:6f:65:d7:e7:c6
May 2 13:24:47 system dnsmasq-dhcp[920]: DHCPNAK(eth3) 10.3.5.140 1c:6f:65:d7:e7:c6 wrong server-ID
May 2 13:24:47 system dnsmasq-dhcp[920]: DHCPDISCOVER(eth3) 1c:6f:65:d7:e7:c6
May 2 13:24:47 system dnsmasq-dhcp[920]: DHCPOFFER(eth3) 10.3.5.140 1c:6f:65:d7:e7:c6

Something is wrong, as indicated by the DHCPNAK "wrong server-ID" lines.

It might just be easier to move my subnet since this isn't a large network. But it galls me to do it without more answers.
May 02
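As an added example (not code from Dave's post, nor from ClearOS or dnsmasq), here is a small log triage script for the pattern in the post above. dnsmasq logs a DHCPNAK with the note "wrong server-ID" when it runs authoritatively and a client's DHCPREQUEST names a server identifier that is not one of dnsmasq's own addresses, so a run of these NAKs across several clients is the thing to watch for when a LAN starts handing out an unexpected gateway. The script parses dnsmasq-dhcp syslog lines, reconstructs each client's DISCOVER/OFFER/REQUEST/NAK sequence, counts "wrong server-ID" NAKs per MAC, and flags the segment when more than a threshold of distinct clients are affected. The log lines in SAMPLE_LOG are constructed for the example (locally administered 02:… MAC addresses, hostname "gw"); the threshold in rogue_server_suspected is an assumed default, not anything dnsmasq defines.

```python
"""Triage dnsmasq-dhcp log lines for DHCPNAK 'wrong server-ID' events.

Added example; not part of the forum post, ClearOS or dnsmasq itself.
"""
import re
from collections import defaultdict

# Matches the dnsmasq-dhcp syslog format, e.g.
#   May 2 13:24:47 gw dnsmasq-dhcp[920]: DHCPNAK(eth3) 10.3.5.140 02:00:00:00:00:01 wrong server-ID
# The IP field is optional (DISCOVER lines often carry only the MAC) and any
# trailing text (a hostname on an ACK, the NAK reason) is captured as 'note'.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[(?P<pid>\d+)\]: "
    r"(?P<msg>DHCP[A-Z]+)\((?P<iface>\w+)\) "
    r"(?:(?P<ip>\d+\.\d+\.\d+\.\d+) )?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: (?P<note>.*))?$"
)

# Constructed sample: client 01 and 02 hit the NAK loop, client 03 is ACKed normally.
SAMPLE_LOG = """\
May 2 13:24:47 gw dnsmasq-dhcp[920]: DHCPDISCOVER(eth3) 02:00:00:00:00:01
May 2 13:24:47 gw dnsmasq-dhcp[920]: DHCPOFFER(eth3) 10.3.5.140 02:00:00:00:00:01
May 2 13:24:47 gw dnsmasq-dhcp[920]: DHCPREQUEST(eth3) 10.3.5.140 02:00:00:00:00:01
May 2 13:24:47 gw dnsmasq-dhcp[920]: DHCPNAK(eth3) 10.3.5.140 02:00:00:00:00:01 wrong server-ID
May 2 13:49:41 gw dnsmasq-dhcp[920]: DHCPREQUEST(eth3) 10.3.5.240 02:00:00:00:00:02
May 2 13:49:41 gw dnsmasq-dhcp[920]: DHCPNAK(eth3) 10.3.5.240 02:00:00:00:00:02 wrong server-ID
May 2 13:49:41 gw dnsmasq-dhcp[920]: DHCPNAK(eth3) 10.3.5.240 02:00:00:00:00:02 wrong server-ID
May 2 13:50:02 gw dnsmasq-dhcp[920]: DHCPREQUEST(eth3) 10.3.5.77 02:00:00:00:00:03
May 2 13:50:02 gw dnsmasq-dhcp[920]: DHCPACK(eth3) 10.3.5.77 02:00:00:00:00:03 laptop
"""


def parse_line(line):
    """Return a dict of fields for one dnsmasq-dhcp line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def client_sequences(lines):
    """Map each MAC to the ordered list of DHCP message types seen for it."""
    seqs = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seqs[rec["mac"]].append(rec["msg"])
    return dict(seqs)


def nak_report(lines):
    """Per-MAC summary of DHCPNAK 'wrong server-ID' events.

    Returns {mac: {"naks": count, "ips": set of NAKed addresses, "iface": interface}}.
    """
    report = defaultdict(lambda: {"naks": 0, "ips": set(), "iface": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"] == "DHCPNAK" and rec["note"] == "wrong server-ID":
            entry = report[rec["mac"]]
            entry["naks"] += 1
            entry["iface"] = rec["iface"]
            if rec["ip"]:
                entry["ips"].add(rec["ip"])
    return dict(report)


def rogue_server_suspected(report, min_clients=2):
    """Heuristic (assumed threshold): flag when several distinct clients were NAKed
    for a foreign server-ID, which points at another DHCP server answering on the
    segment rather than at one misbehaving client."""
    return len(report) >= min_clients


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    rep = nak_report(lines)
    for mac, e in sorted(rep.items()):
        print(f"{mac}: {e['naks']} NAK(s) on {e['iface']} for {sorted(e['ips'])}")
    print("second DHCP server suspected:", rogue_server_suspected(rep))
```

In practice you would feed it /var/log/messages (or `journalctl -u dnsmasq` output) instead of SAMPLE_LOG; a non-empty report is the cue to look for the other server's identifier with a packet capture on the affected interface before moving the subnet.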
