blox-org / snortsam

Firewall Blacklisting Agent used in Blox

Function IPTBlock() in ssp_iptables.c not blocking #2

Open Lutzion opened 1 year ago

Lutzion commented 1 year ago

Hello, I still love to use snortsam, for example to "support" Apache's mod_security. mod_security drops requests under configured circumstances, but that's it. So I let mod_security call samtool and tell snortsam, via samtool, to drop the IP completely for minutes or hours depending on the severity.

As I use it on Linux, I block with iptables.

All my attempts to manage it with this version did not work, so I added a bit more debugging in ssp_iptables.c:

    //SBC CHANGES STARTS
    get_network(bd->blockip, int_netmask, &packet_network);
    //if (packet_network != interface_network) {
    if (packet_network != interface_network) {
        // ### LH, cancel if network is not the same? Better the other way round?
        snprintf(msg, sizeof(msg) - 1, "packet_network(0x%08X) != interface_network (0x%08X) ### TODO ### LH ",
                 packet_network, interface_network);
        logmessage(3, msg, "iptables", 0);
        printf("Debug: [iptables] %s\n", msg);
        //return;
    }
    //SBC CHANGES ENDS

In the original code, blocking is aborted when packet_network (the requesting IP address) differs from interface_network (the server's IP address). So actually every block is aborted!

Should it have been `if (packet_network == interface_network) {` to avoid blocking yourself? Avoiding blocking yourself can be done with `dontblock` in the configuration file /etc/snortsam.conf.

Finally, commenting out the `return` lets the code work for me as expected.

Thank you and regards, Lutz
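The following is an added example, not code from snortsam or from the issue author. It models the two policies the issue contrasts: the network comparison as the posted snippet describes it (abort the block whenever the requesting address is not on the interface's own network) and a plain dontblock list (block everything except explicitly protected addresses). `ipv4()`, `network_of()`, `block_original()`, `block_dontblock()`, the `DONTBLOCK` list, the sample addresses and the rendered `iptables` rule string are all constructed for this demo; snortsam's actual `get_network()`, dontblock parsing and iptables invocation are not reproduced here.

```c
/*
 * Added example (not snortsam's code): compares the network check described
 * in the issue with a dontblock-list check. Addresses are constructed sample
 * values from the RFC 5737 documentation ranges.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 string into a host-order uint32_t.
 * Returns 0 on malformed input, so 0.0.0.0 is treated as unparsable here. */
static uint32_t ipv4(const char *s)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Network part of an address under a netmask (what get_network() in the
 * posted snippet is assumed to compute). */
static uint32_t network_of(uint32_t ip, uint32_t mask)
{
    return ip & mask;
}

/* Policy as the issue reports it: the block is skipped whenever the
 * requesting address is not on the interface's network. Returns 1 if the
 * block would be applied, 0 if it is aborted. Note that the interface's
 * own address always passes this check, so it does not prevent self-blocking. */
static int block_original(const char *blockip, const char *ifaddr, const char *mask)
{
    uint32_t m = ipv4(mask);
    return network_of(ipv4(blockip), m) == network_of(ipv4(ifaddr), m);
}

/* Alternative the issue points at: a hypothetical dontblock list. Everything
 * not on the list is blocked, regardless of subnet. */
static const char *const DONTBLOCK[] = { "192.0.2.1", "127.0.0.1" };

static int is_dontblock(uint32_t ip)
{
    for (size_t i = 0; i < sizeof DONTBLOCK / sizeof DONTBLOCK[0]; i++)
        if (ipv4(DONTBLOCK[i]) == ip)
            return 1;
    return 0;
}

static int block_dontblock(const char *blockip)
{
    uint32_t ip = ipv4(blockip);
    if (ip == 0)
        return 0;               /* refuse to act on unparsable input */
    return !is_dontblock(ip);
}

/* Render a generic DROP rule for the address (illustrative only, not the
 * exact rule snortsam emits). Returns the snprintf length, -1 on bad input. */
static int drop_rule(char *out, size_t n, const char *blockip)
{
    uint32_t ip = ipv4(blockip);
    if (ip == 0)
        return -1;
    return snprintf(out, n, "iptables -I INPUT -s %u.%u.%u.%u -j DROP",
                    (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255),
                    (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255));
}

int main(void)
{
    const char *ifaddr = "192.0.2.1", *mask = "255.255.255.0";
    const char *samples[] = { "203.0.113.5", "192.0.2.77", "192.0.2.1" };
    char rule[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-12s original:%d dontblock:%d", samples[i],
               block_original(samples[i], ifaddr, mask),
               block_dontblock(samples[i]));
        if (block_dontblock(samples[i]) && drop_rule(rule, sizeof rule, samples[i]) > 0)
            printf("  -> %s", rule);
        putchar('\n');
    }
    return 0;
}
```

Running it shows the point of the issue: an off-subnet attacker such as 203.0.113.5 is never blocked under the original comparison, while the interface address itself is, so the subnet check neither catches remote offenders nor protects the server; the dontblock list does both.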