robj wrote: Hi all -- I just joined. I'm really sad to hear about Itus going under. Great people and a great product idea. And now I'm having technical issues with my shield and cannot solve them on my own after many hours trying. I searched and didn't see a good place to post problems on this forum for possible help. Forgive my ignorance if I'm posting in the wrong place.
My shield (router mode) stopped working two days ago. No reason, just stopped. I tried all the suggestions in other forum posts about rebooting, resetting, restarting my modem, router, and shield. No dice. Tested cables too, and not the problem. Waited the prescribed timeframes for each bootup, including 15 min for Shield.
When modem is connected to router without Shield between, everything works great. So problem is isolated to the Shield.
Lights are on, so the Shield appears to be working, and I can access its admin interface. But I can never get the internet connected with Shield in place. So obviously something is wrong.
I'm very appreciative of any troubleshooting suggestions you can provide.
However, if Itus is no longer, will Shield still get regular 3rd party updates (similar to virus definition updates)? If the current ones will become obsolete, and I cannot get new updates, is there a point in resurrecting my Shield?
thanks for your insights and kind regards,
-Rob
Hi Rob!
Firstly, yes, if you're on 1.51 with the latest fw_upgrade script then Shield will continue to get updates for malicious sites for IPS rules. These are being pulled from rules.emergingthreats.net, an open source Snort rules provider, with the rules being updated daily at emergingthreats. So yes, I'd recommend resurrecting your Shield!
What you described sounds like Snort is not starting. In Router Mode, Shield will still pass internet if Snort doesn't start - traffic just won't get filtered. In Bridge mode, traffic is passed through Snort like a soft switch. The fact that you're getting into the interface through the .111 interface, but no traffic is what points me to a Snort problem.
Try going into the Status, System Log file from the LuCI interface and scroll to the bottom. You're looking for FATAL ERROR, something like the problem described below...
After the upgrade, the system was not connecting. Searching through the logs I found this:
Sun Jan 24 10:01:38 2016 daemon.notice snort[10282]: WARNING: /etc/snort/rules/snort.rules(4349) GID 1 SID 2404000 in rule duplicates previous rule. Ignoring old rule.
Sun Jan 24 10:01:38 2016 daemon.err snort[10282]: FATAL ERROR: /etc/snort/rules/snort.rules(4349) threshold (in rule): could not create threshold - only one per sig_id=2404000.
Sun Jan 24 10:01:38 2016 daemon.info procd: Instance snort::instance1 s in a crash loop 6 crashes, 3 seconds since last crash
I searched through /etc/snort/snort.rules and found this entry listed twice:
drop tcp $HOME_NET any -> [103.225.168.222,104.131.93.109,104.144.167.131,104.144.167.132,104.161.17.17,104.238.141.230,104.238.147.212,106.187.48.236,106.187.99.92,107.161.19.71] any (msg:"ET CNC Shadowserver Reported CnC Server TCP group 1"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404000; rev:4109;)
I commented out the first instance, saved, restarted snort and watched the log. Then this:
Sun Jan 24 10:09:38 2016 daemon.notice snort[10989]: WARNING: /etc/snort/rules/snort.rules(4350) GID 1 SID 2404001 in rule duplicates previous rule. Ignoring old rule.
Sun Jan 24 10:09:38 2016 daemon.err snort[10989]: FATAL ERROR: /etc/snort/rules/snort.rules(4350) threshold (in rule): could not create threshold - only one per sig_id=2404001.
So, looks like a number of duplicates have been introduced into the snort rules. While the log indicates the earlier (old) rule is ignored, it looks like it still causes a fatal exception preventing snort from starting.
Is there a backup of the snort rules stored on the system that I can replace the corrupt file with? Or, is the snort.rules file available for download alone? I don't want to go through this exercise of finding one, commenting out, restarting, to see if there's another one duplicated. It might be as simple as going to the first duplicate instance and deleting everything beneath it.
Also, the script goes to rules.emergingthreats.net to dl update files. That site is blocked by Norton connectsafe, which is running as a DNS filter on my router. Shield would never get to the site to dl a new ruleset.
Further update....
I walked through the snort.rules file and found where it looked like the original fileset had duplicated itself on top. I selected what appeared to be the duplicates and deleted them from the file, effectively the top half of the file's data.
I then went to the router and cleared rules.emergingthreats.net to allow it to pass the DNS filter - basically changed filter providers to Yandex and then navigated to rules.emergingthreats.net to ensure it would pass.
I then restarted Snort. Everything came back up and I had internet access.
I then SSH'd into Shield and manually kicked off fw_upgrade. Everything processed, the system log didn't list a fatal exception. It appears to be running as expected now, except I still received a couple of errors on the script:
rm: can't remove '/tmp/ads.tmp' : No such file or directory
rm: can't remove '/tmp/malicious.tmp' : No such file or directory
Even though it works fine with those errors, I would expect those to exist as I looked through the script and it tries to pull rules for them. I haven't looked at the server to confirm that there are or are not rules available for the script to pull to create those files, though. But for now, I have internet running through Shield again.
(Last edited by Wisiwyg on 31 Jan 2016, 01:27)
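The find-one-duplicate, comment-it-out, restart-Snort loop described in the post above can be collapsed into a single pass over the rules file. The shell function below is an added example written for this thread; it is not the Shield's fw_upgrade script nor anything posted by Itus or the thread's participants. It keeps the last copy of every duplicated sid and comments out the earlier ones, which matches what Snort's "duplicates previous rule. Ignoring old rule" warning says it would do if the threshold directive did not make it fatal. Assumptions: awk is available on the box (busybox awk on OpenWrt or GNU awk both work), every rule sits on one line (true of the emergingthreats snort.rules shown in the log lines above), and the output path /tmp/snort.rules.dedup is just an illustrative choice.

```shell
#!/bin/sh
# Added example (not from the original thread): disable all but the last
# occurrence of each Snort sid in a rules file.
#
# Usage: dedupe_snort_rules /etc/snort/rules/snort.rules /tmp/snort.rules.dedup
#        (both paths are assumptions for illustration)
dedupe_snort_rules() {
    in="$1"
    out="$2"
    # The same file is read twice: pass 1 (NR == FNR) records the line number
    # of the last uncommented rule carrying each sid; pass 2 prints the file,
    # commenting out every earlier line that carries a sid seen again later.
    awk '
        # Return the numeric sid of an active rule line, or "" for comments
        # and lines without a sid option.
        function rule_sid(line,    m) {
            if (line ~ /^[ \t]*#/) return ""
            if (match(line, /sid:[ \t]*[0-9]+[ \t]*;/)) {
                m = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", m)
                return m
            }
            return ""
        }
        NR == FNR {
            s = rule_sid($0)
            if (s != "") last[s] = FNR
            next
        }
        {
            s = rule_sid($0)
            if (s != "" && last[s] != FNR) {
                # earlier duplicate: keep it in the file but disabled,
                # so the change is visible and reversible
                print "# duplicate sid " s " disabled: " $0
            } else {
                print
            }
        }
    ' "$in" "$in" > "$out"
}

# Count how many rules the function disabled in an output file.
count_disabled() {
    grep -c '^# duplicate sid ' "$1"
}
```

Run it against a copy, then validate before touching the live file: `snort -T -c /etc/snort/snort.conf` (Snort's test-config mode; the config path is an assumption about the Shield's layout) will report the same FATAL ERROR if any duplicate survived, without starting the daemon. Only then move the deduplicated file into place and restart Snort. Keep the original file around: the post above notes the duplicates looked like the whole ruleset appended on top of itself, so a backup makes it easy to compare before and after the next fw_upgrade run.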