Author Topic: Snort rule blocking updates  (Read 2455 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Snort rule blocking updates
« on: December 17, 2021, 04:04:19 PM »
Just want to share this...

I tried updating CWP Pro from within the admin panel and by command (sh /scripts/update_cwp --verbose). Both methods failed without any errors. The admin panel would remain covered by a modal with a spinner icon. The terminal window would display only the following:

Code: [Select]
[root@cwp ~]# sh /scripts/update_cwp --verbose

====================================================
============= CentOS Web Panel Cron ================
====================================================


###########################
Firewall Flush Daily Blocks
###########################


######################
Update Server Packages
######################

My CWP is behind a gateway device that utilizes Snort for IPS. I had to not only disable a particular rule but also reboot the gateway device. Simply reloading the Snort rules was not sufficient \_(ツ)_/

The rule: 21420 (https://www.snort.org/rule_docs/1-21420)

Log snippet:
Code: [Select]
2021:12:17-09:43:17 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="151.80.90.199" dstip="192.168.0.110" proto="6" srcport="80" dstport="46488" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:44:41 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="198.27.104.40" dstip="192.168.0.110" proto="6" srcport="80" dstport="49798" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"
2021:12:17-09:45:21 gateway snort[27335]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="FILE-OTHER RealNetworks RealPlayer compressed skin overflow attempt" group="340" srcip="137.74.148.116" dstip="192.168.0.110" proto="6" srcport="80" dstport="52826" sid="21420" class="Attempted User Privilege Gain" priority="1" generator="1" msgid="0"

Hope this may help others.

Offline
*****
Re: Snort rule blocking updates
« Reply #1 on: December 23, 2021, 10:19:21 AM »
You did not add any error in your post actually.
You can ask me to solve any problem with your server for some money in pm  ;)
Services Monitoring & RBL Monitoring
http://centos-webpanel.com/services-monitor
Join our Development Team and get paid !
http://centos-webpanel.com/develope-modules-for-cwp

Installation Instructions
http://centos-webpanel.com/installation-instructions
Get Fast Support Here
http://centos-webpanel.com/support-services

Offline
*
Re: Snort rule blocking updates
« Reply #2 on: December 23, 2021, 01:08:19 PM »
You did not add any error in your post actually.

From the log snippet I posted...
Code: [Select]
action="drop"The Snort rule causes the connection to the CWP update server to drop.
« Last Edit: December 23, 2021, 01:10:30 PM by jeffshead »