ClearFoundation Forums
TOPIC: Issues with it just not detecting anything.
#41238
Re:Issues with it just not detecting anything. 1 Year ago  
Snort just does detection. If the rule has a "fwsam" element to it with another couple of parameters, snortsam will then activate a block. Have a little read here. There are some rules with blocks defined and you can see them with
Code:

grep fwsam /etc/snort/*.rules | less

Nick Howitt
Last Edit: 2012/05/11 05:08 By NickH.
 
#41385
Re:Issues with it just not detecting anything. 1 Year ago  
So what you're suggesting is that currently Snort on COS 6.2 does nothing at all.

Code:

[root@node1 ~]# grep fwsam /etc/snort.d/rules/gpl/*.rules
[root@node1 ~]#

The location you mentioned doesn't exist on COS 6.2.
Robert
 
#41387
Re:Issues with it just not detecting anything. 1 Year ago  
It looks like they've moved more things between 5.2 and 6.2. Note to me - check in 6.2 before posting from memory. ........ and yes it looks like there are no rules with fwsam defined so it makes you wonder about why bother running snortsam. Snort is still doing its stuff, detecting and logging packets but snortsam looks like a waste of effort as the rules are.

If you search the forum I wrote a script to use the Emerging Threats rules which as a by-product allows you to define your own fwsam elements. The script will need updating for 6.2 as 6.2 uses v2.9.x of snort whereas 5.2 used 2.8.x and the file layout is different.

@devs - What is the point of snortsam with the default rule set?
Nick Howitt
 
#41390
Re:Issues with it just not detecting anything. 1 Year ago  
Nick, I don't think they realised that they were removed from the normal ruleset. I did a Google and found that a few other products suffered the same fate and they suggest using a .map file. I have the .map file but I'm yet to get it working, purely because I'm a Snort novice. I will keep looking into it though.
Robert
 
#41393
Re:Issues with it just not detecting anything. 1 Year ago  
Robert wrote:
So what you're suggesting is that currently Snort on COS 6.2 does nothing at all.
Ouch! Looks that way, or at least for the intrusion prevention service... IDS is still working.

It would appear that Snort no longer provides rules without a VRT subscription, or indirectly via the ClearOS Intrusion Protection Updates app. It's a real shame if all that's left is a bunch of rules with no IPS hooks... particularly when compared with what we had in 5.2!
Tim Burgess
 
#41397
Re:Issues with it just not detecting anything. 1 Year ago  
@Robert
Have you seen this for configuring sid-block.map?

@Tim,
It makes snortsam pretty much useless as it is. I'll see if I can work out how to dump all the current (ClearOS5.2) fwsam rules so they can be put into a sid-block.map file, but I haven't a clue where I'd stand at all with licensing. I also don't know how the 5.2 rules compare against the 6.2 ones.
Nick Howitt
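As an added example (not code from this thread, from ClearOS or from the snortsam project), the following Python script does the job the post above describes: it scans Snort rule files for active rules carrying an fwsam option and emits sid-block.map lines from them. It assumes the rule option syntax `fwsam: <src|dst>, <duration>;` and the map line syntax `<sid>: <who>, <duration>` as documented by snortsam; the rules embedded in the block are constructed samples, not real rules. Unlike the plain `grep fwsam` used earlier in the thread, it skips commented-out rules and rules without a sid, so the count it reports is the number of rules that could actually hand snortsam a block request.

```python
#!/usr/bin/env python3
"""Extract fwsam block actions from Snort rules into sid-block.map lines.

Added example, not part of the thread or of the ClearOS/snortsam packages.
Assumed formats (from the snortsam documentation, not from this page):
  rule option:   fwsam: <src|dst|either>[, <duration>];
  sid-block.map: <sid>: <who>, <duration>
"""
import re
import sys
from typing import Iterable, List, Tuple

# Constructed sample rules for offline use; the SIDs, messages and options
# are made up and do not correspond to any published rule.
SAMPLE_RULES = """\
# disabled rule: a plain grep would still count this one
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"constructed telnet"; sid:9000000; rev:1; fwsam: src, 10 min;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed SSH brute force"; flow:to_server; sid:9000001; rev:1; fwsam: src, 15 minutes;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed web probe"; content:"/etc/passwd"; sid:9000002; rev:2;)
alert udp any any -> $HOME_NET 53 (msg:"constructed DNS flood"; sid:9000003; rev:1; fwsam: src, 1 hour;)
alert tcp any any -> any any (msg:"constructed rule missing its sid"; rev:1; fwsam: src, 5 min;)
"""

# 'sid:' and 'fwsam:' are option keywords inside the rule's parentheses;
# each option ends at the next semicolon.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
FWSAM_RE = re.compile(r"\bfwsam\s*:\s*([^;]+);")


def extract_fwsam(rules: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (sid, fwsam argument) for every active rule with an fwsam option.

    Commented-out rules are inactive and are skipped, as are rules with no
    sid: snortsam keys its blocks on the sid, so there is nothing to map
    such a rule to.
    """
    found: List[Tuple[int, str]] = []
    for raw in rules:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fw = FWSAM_RE.search(line)
        if fw is None:
            continue
        sid = SID_RE.search(line)
        if sid is None:
            continue
        # normalise internal whitespace: "src,  15   minutes" -> "src, 15 minutes"
        found.append((int(sid.group(1)), " ".join(fw.group(1).split())))
    return found


def to_sid_block_map(entries: Iterable[Tuple[int, str]]) -> str:
    """Render entries as sid-block.map lines, sorted by sid, one per line."""
    return "".join(f"{sid}: {arg}\n" for sid, arg in sorted(entries))


def count_fwsam_rules(rules: Iterable[str]) -> int:
    """Number of active rules that would hand snortsam a block request."""
    return len(extract_fwsam(rules))


def main(argv: List[str]) -> None:
    # With file arguments, read real rule files (e.g. /etc/snort.d/rules/gpl/*.rules
    # on the ClearOS 6.2 layout mentioned in the thread); otherwise use the sample.
    if len(argv) > 1:
        lines: List[str] = []
        for path in argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh)
    else:
        lines = SAMPLE_RULES.splitlines()
    entries = extract_fwsam(lines)
    print(f"# {len(entries)} active rule(s) carry an fwsam option", file=sys.stderr)
    sys.stdout.write(to_sid_block_map(entries))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 fwsam_map.py /etc/snort.d/rules/gpl/*.rules > sid-block.map` against a real rule tree; with no arguments it processes the constructed sample and prints two map lines. The rule count it reports on stderr is the figure to compare against the empty grep output earlier in the thread: zero means the default rule set gives snortsam nothing to act on, whatever else Snort is logging.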
 
#41398
Re:Issues with it just not detecting anything. 1 Year ago  
@Nick

dl.dropbox.com/u/17606346/sid-block.zip

Knock your heart out. I'm trying to get pulledpork to work but can't because it's trying to access the version of the Snort rules that I don't have access to, I think.

Code:

    http://code.google.com/p/pulledpork/
      _____ ____
     `----,\    )
      `--==\\  /    PulledPork v0.6.1 the Smoking Pig <////~
       `--==\\/
     .-~~~~-.Y|\\_  Copyright (C) 2009-2011 JJ Cummings
  @_/        /  66\_  cummingsj@gmail.com
    |    \   \   _(")
     \   /-| ||'--'  Rules give me wings!
      \_\  \_\\
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Checking latest MD5 for snortrules-snapshot-2904.tar.gz....
        A 403 error occurred, please wait for the 15 minute timeout
        to expire before trying again or specify the -n runtime switch
        You may also wish to verfiy your oinkcode, tarball name, and other configuration options
        Error 403 when fetching https://www.snort.org/reg-rules/snortrules-snapshot-2904.tar.gz.md5 at ./pulledpork.pl line 453
        main::md5file('<OINKCODE>', 'snortrules-snapshot-2904.tar.gz', '/tmp/', 'https://www.snort.org/reg-rules/') called at ./pulledpork.pl line 1758

Robert
 
#41406
Re:Issues with it just not detecting anything. 1 Year ago  
OK, talking to the peeps on the Snort IRC channel, the version installed in ClearOS 6.2 is EOL.

"it was EOL on July 13 of last year"

Can you possibly tell me the configure line used to compile the RPM so I can give the latest release a whirl a little easier?

Thanks,

Rob
Robert
 
#41418
Re:Issues with it just not detecting anything. 1 Year ago  
@Robert
I've simplified your list to remove duplicates:
File Attachment:
File Name: Reduced.txt
File Size: 22226
Rename to sid-block.map because of forum posting rules.

I've also created a list from all the 5.2 rules, as there are some there which you don't have in your list but do get used if you use the Emerging Threats rules.
File Attachment:
File Name: 5.txt
File Size: 29850
Again, rename to sid-block.map because of forum posting rules.

If you are trying to use pulledpork, did you find my Emerging Threats script for 5.2 here? It would need updating for 6.2 and is a bit of a sledgehammer, so you can't select which rules to enable and which you don't want, which I believe is what you can do with pulledpork.

I'll try to raise a feature request for the IPS so we get some form of editor for sid-block.map if ClearOS are not going to provide any rules with snortsam blocks.

[edit]
Bug/Feature 609 filed in bug tracker
[/edit]

[edit2]
Where have you put your sid-block.map file? I've put in the directory with my rules, but as I'm using a play NAT'ed VM it is a bit hard to make snort/snortsam trigger so I can't test properly.
[/edit2]
Nick Howitt
Last Edit: 2012/05/15 08:06 By NickH.
 
#41612
Re:Issues with it just not detecting anything. 12 Months ago  
Nick, the sid-block.map file won't work because the version is so old.
Robert