** Changed in: fwsnort (Ubuntu)
Status: Incomplete => Invalid
** Converted to question:
https://answers.launchpad.net/ubuntu/+source/fwsnort/+question/696031
** Description changed:
psad detects the default URL of fwsnort rules and blocks the IP.
When executing the following commands, the IP addresses do not correspond
to the servers configured in the fwsnort and psad files:
- sudo psad --sig-update
+ EDIT (sudo psad --sig-update) corrected
sudo fwsnort --update-rules
Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)... 23.21.164.163, 18.214.66.196
Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[23.21.164.163]:80... falló: Expiró el tiempo de conexión.
Conectando con rules.emergingthreats.net (rules.emergingthreats.net)[18.214.66.196]:80... ^C[-] Could not download emerging-all.rules file.
[*] Could not move emerging-all.rules -> emerging-all.rules.tmp at /usr/sbin/fwsnort line 4387.
I receive a mail alert in mutt:
Subject: [psad-status] tcpwrappers AUTO-BLOCK against 18.214.66.196
Subject: [psad-status] tcpwrappers AUTO-BLOCK against 23.21.164.163
added iptables auto-block against 18.214.66.196
added iptables auto-block against 23.21.164.163
Danger level: [2] (out of 5)
Scanned TCP ports: [48356: 1 packets]
TCP flags: [ACK: 1 packets]
iptables chain: FWSNORT_INPUT_ESTAB (prefix "[498] REJ SID1310 ESTAB"), 1 packets
fwsnort rule: 498
Source: 18.214.66.196
DNS: ec2-18-214-66-196.compute-1.amazonaws.com
MAC:
[+] TCP scan signatures:
"PORN free XXX"
dst port: 48356 (no server bound to local port)
flags: ACK
content: "FREE XXX"
sid: 1310
chain: FWSNORT_INPUT_ESTAB
packets: 1
classtype: kickass-porn
-----------------------------------------------------------------
Danger level: [2] (out of 5)
Scanned TCP ports: [54500: 2 packets]
TCP flags: [ACK: 2 packets]
iptables chain: FWSNORT_INPUT_ESTAB (prefix "[514] REJ SID1795 ESTAB"), 1 packets
fwsnort rule: 514
iptables chain: FWSNORT_INPUT_ESTAB (prefix "[93] REJ SID100000105 ESTAB"), 1 packets
fwsnort rule: 93
Source: 23.21.164.163
DNS: ec2-23-21-164-163.compute-1.amazonaws.com
MAC:
[+] TCP scan signatures:
"PORN ejaculation"
dst port: 54500 (no server bound to local port)
flags: ACK
content: "ejaculat"
sid: 1795
chain: FWSNORT_INPUT_ESTAB
packets: 1
classtype: kickass-porn
"COMMUNITY INAPPROPRIATE lolita sex"
dst port: 54500 (no server bound to local port)
flags: ACK
content: "lolita"
content: "sex"
sid: 100000105
chain: FWSNORT_INPUT_ESTAB
packets: 1
classtype: kickass-porn
--------------------------------------------------------------------
/etc/psad/psad.conf
#### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24,
64.12.28.0/24, 64.12.29.0/24,
64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
/etc/fwsnort/fwsnort.conf
### AOL AIM server nets
AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24,
64.12.28.0/24, 64.12.29.0/24,
64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24];
-------------------------------------------------------------------
ubuntu Linux 5.4.0-66-generic #74~18.04.2-Ubuntu SMP Fri Feb 5 11:17:31
UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
apt-cache policy fwsnort
fwsnort:
Instalados: 1.6.7-3
Candidato: 1.6.7-3
Tabla de versión:
*** 1.6.7-3 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
500 http://archive.ubuntu.com/ubuntu bionic/universe i386 Packages
100 /var/lib/dpkg/status
apt-cache policy psad
psad:
Instalados: 2.4.3-1.2
Candidato: 2.4.3-1.2
Tabla de versión:
*** 2.4.3-1.2 500
500 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
100 /var/lib/dpkg/status
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: fwsnort 1.6.7-3
ProcVersionSignature: Ubuntu 5.4.0-66.74~18.04.2-generic 5.4.86
Uname: Linux 5.4.0-66-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.23
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Wed Mar 3 20:12:08 2021
InstallationDate: Installed on 2020-04-16 (321 days ago)
InstallationMedia: Ubuntu 18.04.4 LTS "Bionic Beaver" - Release amd64
(20200203.1)
PackageArchitecture: all
SourcePackage: fwsnort
UpgradeStatus: No upgrade log present (probably fresh install)
Edit: psad corrected without changing configuration; only the fwsnort error remains.
sudo psad --sig-update
[+] Archiving original /etc/psad/signatures -> signatures.old1
[+] Downloading latest signatures from:
http://www.cipherdyne.org/psad/signatures
--2021-03-12 19:03:32-- http://www.cipherdyne.org/psad/signatures
Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192
Conectando con www.cipherdyne.org (www.cipherdyne.org)[67.20.100.192]:80... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 45267 (44K)
Guardando como: “signatures”
signatures 100%[=================================================>] 44,21K 105KB/s en 0,4s
2021-03-12 19:03:33 (105 KB/s) - “signatures” guardado [45267/45267]
[+] New signature file /etc/psad/signatures has been put in
place. You can restart psad (or use 'psad -H') to import the
new sigs.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917682
Title:
rules url error fwsnort
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwsnort/+bug/1917682/+subscriptions
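A triage sketch for the situation in this report, added here and not part of the original bug report or of psad/fwsnort: it correlates the addresses wget resolved for the update hosts with the addresses psad auto-blocked, to show when a block has landed on the machine's own rule source. The function names are hypothetical; the sample text is excerpted from the output quoted in the report, with its e-mail line wrapping kept.

```python
import re

# Lines excerpted from the report above (wget under a Spanish locale, then
# psad's mail subjects and auto-block notices). The first entry is wrapped
# across two lines, as it is in the notification e-mail.
REPORT_EXCERPT = """\
Resolviendo rules.emergingthreats.net (rules.emergingthreats.net)...
23.21.164.163, 18.214.66.196
Resolviendo www.cipherdyne.org (www.cipherdyne.org)... 67.20.100.192
Subject: [psad-status] tcpwrappers AUTO-BLOCK against 18.214.66.196
Subject: [psad-status] tcpwrappers AUTO-BLOCK against 23.21.164.163
added iptables auto-block against 18.214.66.196
added iptables auto-block against 23.21.164.163
"""

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# wget prints "<verb> <host> (<host>)... <ip>, <ip>"; the verb is localised,
# and mail wrapping may push the address list onto the next line.
RESOLVE_RE = re.compile(
    r"(?:Resolving|Resolviendo)\s+(\S+)\s+\(\S+\)\.\.\.\s*((?:" + IPV4 + r"[,\s]*)+)"
)
BLOCK_RE = re.compile(r"auto-block against (" + IPV4 + r")", re.IGNORECASE)


def resolved_hosts(text):
    """Map every IPv4 address wget resolved to the hostname it belongs to."""
    ip_to_host = {}
    for m in RESOLVE_RE.finditer(text):
        for ip in re.findall(IPV4, m.group(2)):
            ip_to_host[ip] = m.group(1)
    return ip_to_host


def blocked_ips(text):
    """Distinct addresses psad reports as auto-blocked, in first-seen order."""
    seen = []
    for ip in BLOCK_RE.findall(text):
        if ip not in seen:
            seen.append(ip)
    return seen


def self_inflicted_blocks(text):
    """Return {blocked_ip: hostname} for blocks that hit a host we contacted."""
    hosts = resolved_hosts(text)
    return {ip: hosts[ip] for ip in blocked_ips(text) if ip in hosts}


if __name__ == "__main__":
    for ip, host in self_inflicted_blocks(REPORT_EXCERPT).items():
        print(f"{ip} is auto-blocked but was resolved for {host}")
```
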