
ClearFoundation

Forums
TOPIC: ClearOS drops all traffic ! Network unavailable
#36869
ClearOS drops all traffic ! Network unavailable 4 Months ago
Hi,

First of all, I would like to congratulate the team for the work on ClearOS, it's a great product.

I'm using ClearOS v5.2 at the top of my network in gateway mode, with intrusion detection and prevention activated. All worked fine for months, but 2 days ago, ClearOS dropped all the traffic of the gateway, resulting in a very bad unavailability of all my services.

I took some time to diagnose the problem, and finally solved it by deactivating the intrusion detection and prevention services.

No configuration had been made on ClearOS before it dropped the traffic, so I wonder what could have happened! Now, I would like to reactivate the intrusion services, but I would like to know exactly what had happened.

Does anybody know this kind of issue? Where can I find relevant logs to trace the problem?

Thank you,

Ben
Benjamin
Fresh Boarder
Posts: 3
 
#36873
Re: ClearOS drops all traffic ! Network unavailable 4 Months ago
Have a look in /var/log/messages if there is a problem with snort (IDS)/snortsam (IPS) starting, /var/log/secure for when rules are triggered by snort and /var/log/snortsam for any blocks put in by snortsam.
Nick Howitt
Platinum Boarder
Posts: 2824
 
#37422
Re: ClearOS drops all traffic ! Network unavailable 3 Months, 2 Weeks ago
Hi Nick,

Thank you very much for your answer, and sorry for my late one!

Here's what I can find in the logs about snort:

In /var/log/messages, 2 days before the full drop happened:
Code:

Jan 16 22:30:23 fw1 snort[4079]: S5: Session exceeded configured max bytes to queue 1048576 using 1048792 bytes (server queue). xxx.xxx.xxx.xxx 52369 --> xxx.xxx.xxx.xxx 80 : LWstate 0xf LWFlags 0x6007
Jan 16 22:30:24 fw1 snort[4079]: S5: Pruned session from cache that was using 1096408 bytes (closed normally). xxx.xxx.xxx.xxx 52369 --> xxx.xxx.xxx.xxx 80 : LWstate 0xf LWFlags 0x20e007

In /var/log/secure, I see a lot of lines (>500 in 10 hours) like this on POP3, IMAPS, POP3S. I think it's the problem, but I don't know why snort thinks that. I can see my IP, and I was not bruteforcing this server.
Code:

Jan 18 11:51:52 fw1 snort[4815]: [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [Classification: Misc activity] [Priority: 3]: {TCP} xxx.xxx.xxx.xxx:34261 -> xxx.xxx.xxx.xxx:993

/var/log/snortsam seems normal, no extra activity. I can't see my IP in it, but I was blocked.

What do you think? Tell me if you need more information.

Thanks a lot,

Ben
Benjamin
Fresh Boarder
Posts: 3
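An added example, not from this thread, for triaging the /var/log/secure alerts Nick points to: it parses snort alert lines in the shape of the entry above and reports, per rule SID, how often the rule fired and from which source addresses (the sources are what snortsam ends up blocking). The sample lines are constructed with documentation IPs, and SID 1000001 is a made-up local SID.

```python
import re
from collections import Counter, defaultdict

# Shape of a snort alert as written to syslog, taken from the /var/log/secure line above:
# [gid:sid:rev] message [Classification: ...] [Priority: n]: {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines (documentation IPs; SID 1000001 is a made-up local SID),
# plus an unrelated sshd line to show that non-snort entries are skipped.
SAMPLE_LOG = """\
Jan 18 11:51:52 fw1 snort[4815]: [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [Classification: Misc activity] [Priority: 3]: {TCP} 203.0.113.10:34261 -> 192.0.2.5:993
Jan 18 11:51:53 fw1 snort[4815]: [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [Classification: Misc activity] [Priority: 3]: {TCP} 203.0.113.10:34262 -> 192.0.2.5:993
Jan 18 11:52:01 fw1 snort[4815]: [1:1000001:1] LOCAL Rapid POP3S Connections [Classification: Misc activity] [Priority: 3]: {TCP} 203.0.113.10:34270 -> 192.0.2.5:995
Jan 18 11:52:30 fw1 snort[4815]: [1:2002995:6] ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack [Classification: Misc activity] [Priority: 3]: {TCP} 198.51.100.7:50001 -> 192.0.2.5:993
Jan 18 11:53:00 fw1 sshd[5001]: Accepted publickey for admin from 192.0.2.100 port 4022 ssh2
"""

def parse_alerts(text):
    """Return one dict per snort alert line; lines that are not snort alerts are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(m.groupdict())
    return alerts

def alerts_per_sid(alerts):
    """How often each rule fired (sid -> count). High counts are the rules worth reviewing."""
    return Counter(a["sid"] for a in alerts)

def sources_per_sid(alerts):
    """Which source addresses tripped each rule (sid -> {src: count}).
    snortsam blocks the source of an alert, so these are the addresses that get blocked."""
    out = defaultdict(Counter)
    for a in alerts:
        out[a["sid"]][a["src"]] += 1
    return out

def noisy_sids(alerts, threshold):
    """SIDs that fired at least `threshold` times, with their message, for a tune/disable decision."""
    msgs = {a["sid"]: a["msg"] for a in alerts}
    return {sid: msgs[sid] for sid, n in alerts_per_sid(alerts).items() if n >= threshold}
```

Run it over a real copy of /var/log/secure with `parse_alerts(open(path).read())`; a rule that fires hundreds of times from your own address, as in the post above, will show up in `noisy_sids` together with the source counts that explain the block.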
 
#37436
Re: ClearOS drops all traffic ! Network unavailable 3 Months, 2 Weeks ago
Odd. I am not too sure about snort. Were you connected internally or externally when it thought it was being brute-forced? For the moment you could try disabling the Scan rules and see if it helps.
Nick Howitt
Platinum Boarder
Posts: 2824
 
#37457
Re: ClearOS drops all traffic ! Network unavailable 3 Months, 2 Weeks ago
I was connected externally. All the dropped IPs were external too.

How can I disable only the brute force attack detection? On the web front end, I can only disable the whole group web-misc. Is it in that category? It contains 511 rules. Is it possible to fine-grain the selection?

And I am in a production environment, so I would like to clearly identify what happened before trying to reactivate IDS/IPS.

How can I dig a bit more to find why snort thinks there is a bruteforce attack on mail services (POP3, IMAPS, POP3S)? Is there a debug mode for snort logging?

Thanks,

Ben
Benjamin
Fresh Boarder
Posts: 3
 
#37458
Re: ClearOS drops all traffic ! Network unavailable 3 Months, 2 Weeks ago
To disable a rule go to /etc/snort/scan.rules and look for the line with something like "sid: 2002995". Disable it by putting a # at the start of the line then restart snort.

I've no idea about debugging snort itself. It may be a query for your e-mail client provider.
Nick Howitt
Platinum Boarder
Posts: 2824
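An added example, not from this thread, of the per-SID disable Nick describes for /etc/snort/scan.rules: it comments out the rule line carrying a given SID, accepts both the `sid:2002995;` and `sid: 2002995;` spellings, leaves already-commented lines alone, and keeps a .bak copy before writing. The rule bodies in SCAN_RULES are constructed stand-ins, not the real ET rules; the file path and the `disable_sid_in_file` helper are assumptions.

```python
import re

# Constructed stand-in for /etc/snort/scan.rules: simplified rule bodies, not the real ET rules.
SCAN_RULES = """\
# scan rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flags:S; sid:2002995; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"LOCAL Rapid POP3S Connections"; flags:S; sid: 1000001; rev:1;)
"""

def disable_sid(rules_text, sid):
    """Comment out every active rule carrying `sid`; returns (new_text, number_of_lines_disabled).
    Matches both 'sid:2002995;' and 'sid: 2002995;' and skips lines that are already commented."""
    pat = re.compile(r"\bsid:\s*%d\s*;" % sid)
    out, hits = [], 0
    for line in rules_text.splitlines():
        if not line.lstrip().startswith("#") and pat.search(line):
            out.append("# " + line)   # a leading '#' is how snort ignores a rule
            hits += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", hits

def disable_sid_in_file(path, sid):
    """Apply disable_sid to a rules file (hypothetical helper): keeps a .bak copy and
    refuses to write anything if the SID was not found, so a typo cannot silently do nothing."""
    with open(path) as f:
        text = f.read()
    new_text, hits = disable_sid(text, sid)
    if hits == 0:
        raise LookupError("sid %d not found in %s" % (sid, path))
    with open(path + ".bak", "w") as f:
        f.write(text)
    with open(path, "w") as f:
        f.write(new_text)
    return hits
```

Snort only re-reads the rules file on restart, so the edit takes effect after the restart Nick mentions.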
 