ASL 4 web interface issues

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

We are currently in the process of testing ASL 4 on some of our boxes.

We have seen a couple of issues in the ASL web:

1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.

2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.

3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.

4. Accidentally clicked the [+] icon after a TLD, apparently this directly attempts to geoblock the whole country and reloads the firewall (please add an "are you sure" to these icons).

5. The functionality for adding a geoblock contains a bug, it inserts a lot of deny from 0.0.0.0 firewall rules, effectively blocking EVERY incoming connection.
Lemonbit Internet Dedicated Server Management
spaceout
Forum Regular
Posts: 112
Joined: Wed Mar 19, 2008 10:22 pm

Re: ASL 4 web interface issues

So far, I've experienced two issues with the latest version of ASL...

1. While using the web interface, when I click the False Positive button a new window opens up and I just see a "Cancel" button in the middle of the window. There's no indication as to whether or not the false positive report was actually sent.

2. The other issue was with Geo-Blocking. I apparently had too many countries being blocked and it slowed my system down to a grinding halt. With 3.2 I had no issues with blocking almost every country other than a small handful. Something changed with how that works, because as soon as I upgraded my server load shot through the roof and the rules updates would take almost 2 hours to complete. I cleared out my geo-block list and everything cleared up immediately.

Everything else appears to be working quite well. I love some of the new capabilities! Well done ASL!
jgodwin
Atomicorp Staff - Site Admin
Posts: 39
Joined: Mon Sep 14, 2009 12:15 pm

Re: ASL 4 web interface issues

prupert:
1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.
2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.
3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.
run:
1) /var/asl/bin/aum -uf
2) /var/asl/bin/asl -s -f

If that does not resolve, please open a support case.
4. Accidentally clicked the [+] icon after a TLD, apparently this directly attempts to geoblock the whole country and reloads the firewall (please add an "are you sure" to these icons).
On the way.
5. The functionality for adding a geoblock contains a bug, it inserts a lot of deny from 0.0.0.0 firewall rules, effectively blocking EVERY incoming connection.
Not reproducing it here, was there a particular country or countries you got this on?



spaceout:
1. While using the web interface, when I click the False Positive button a new window opens up and I just see a "Cancel" button in the middle of the window. There's no indication as to whether or not the false positive report was actually sent.
Was there a particular rule id this happened with, or any?
2. The other issue was with Geo-Blocking. I apparently had too many countries being blocked and it slowed my system down to a grinding halt. With 3.2 I had no issues with blocking almost every country other than a small handful. Something changed with how that works, because as soon as I upgraded my server load shot through the roof and the rules updates would take almost 2 hours to complete. I cleared out my geo-block list and everything cleared up immediately.
We are looking into some options with this.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 4 web interface issues

jgodwin wrote:prupert:
1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.
2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.
3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.
run:
1) /var/asl/bin/aum -uf
2) /var/asl/bin/asl -s -f

If that does not resolve, please open a support case.
Ran the commands, no help unfortunately, will open a support case.
Lemonbit Internet Dedicated Server Management
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: ASL 4 web interface issues

jgodwin wrote:
5. The functionality for adding a geoblock contains a bug, it inserts a lot of deny from 0.0.0.0 firewall rules, effectively blocking EVERY incoming connection.
Not reproducing it here, was there a particular country or countries you got this on?
Netherlands, the country code was nl

What 'iptables -L -n' showed when logged in through the console was for every IP block a DENY <ipblock> and on the next line a DENY 0.0.0.0 iptables rule.
Lemonbit Internet Dedicated Server Management
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: ASL 4 web interface issues

That's definitely not on any of the country lists (plus any address like that is fail-safed on our end before we send them out). Are you sure it was from the geoip lists and not from one of the third party RBLs, or wasn't manually added to a blacklist (I have seen 0.0.0.0 added accidentally to a customer created blacklist)?

If you wouldn't mind opening a case, we'd be happy to look at your system to see where this is coming from.
jgodwin
Atomicorp Staff - Site Admin
Posts: 39
Joined: Mon Sep 14, 2009 12:15 pm

Re: ASL 4 web interface issues

Ok, I think what you are seeing here is just a particularity of the way iptables -L -n displays its output. These are from geoblocking .nl:
[root@localhost src]# iptables -L -n | grep 95.142.72.16
ASL-GEO-BLACKLIST-LOG all -- 0.0.0.0/0 95.142.72.16/28
ASL-GEO-BLACKLIST-LOG all -- 95.142.72.16/28 0.0.0.0/0
[root@localhost src]# iptables-save | grep 95.142.72.16
-A ASL-GEO-BLACKLIST -d 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
-A ASL-GEO-BLACKLIST -s 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
-L -n will display 0.0.0.0/0 for the source of the first rule and the destination of the second, as neither of them has both source and destination explicitly stated. There aren't actually any rules being defined that would block all traffic from or to all IP addresses.

iptables-save will show the actual rule definitions, and iptables-save | grep "0.0.0.0" will return empty.
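
The check described in the post above, written out as an added example that is not part of the original thread or of ASL: it reads `iptables-save` output and prints only the rules in a chain that carry no narrowing `-s`/`-d` match, which is what a real block-everything rule would look like. The function names are hypothetical, and the last two sample rules are constructed for illustration; the first two are the ones quoted in the post.

```shell
#!/bin/sh
# Constructed sample in iptables-save format. Rules 1-2 are quoted in the
# thread; rules 3-4 are constructed to show a real match-everything rule.
sample_rules() {
cat <<'EOF'
*filter
:ASL-GEO-BLACKLIST - [0:0]
-A ASL-GEO-BLACKLIST -d 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
-A ASL-GEO-BLACKLIST -s 95.142.72.16/28 -j ASL-GEO-BLACKLIST-LOG
-A ASL-GEO-BLACKLIST -j ASL-GEO-BLACKLIST-LOG
-A ASL-GEO-BLACKLIST -s 0.0.0.0/0 -j ASL-GEO-BLACKLIST-LOG
COMMIT
EOF
}

# Read iptables-save output on stdin and print every rule appended to chain $1
# whose address match covers all of IPv4: no -s/-d at all, or only 0.0.0.0/0.
# Other matches (protocol, port, interface) may still narrow a printed rule,
# so treat the output as a list to review, not a verdict.
find_catchall_rules() {
    awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
        narrowed = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-s" || $i == "-d" ||
                $i == "--source" || $i == "--destination") {
                addr = $(i + 1)
                if (addr != "0.0.0.0/0" && addr != "0.0.0.0/0.0.0.0")
                    narrowed = 1
            }
        }
        if (!narrowed) print
    }'
}

# Demo on the constructed sample. On a live host, run as root:
#   iptables-save | find_catchall_rules ASL-GEO-BLACKLIST
sample_rules | find_catchall_rules ASL-GEO-BLACKLIST
```

The two rules from the post are not printed, because each names 95.142.72.16/28 on one side; the 0.0.0.0/0 that `iptables -L -n` shows for them is only the unspecified other side.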
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: ASL 4 web interface issues

I do face these problems as well in ASL 4.0.4-15. Was this solved? Thanks

We have seen a couple of issues in the ASL web:

1. Security Events > Summary: all tables and graphs stay empty. Events can only be found under Search and Recent Events.

2. When clicking the event for more details, an event detail window opens, but it stays blank. Happens for all events.

3. Click "View all activity from this IP" -> shows an empty table "No events matched your filter selections.", although there should be events.
jgodwin
Atomicorp Staff - Site Admin
Posts: 39
Joined: Mon Sep 14, 2009 12:15 pm

Re: ASL 4 web interface issues

If it is not corrected by running ' /var/asl/bin/aum -uf ', please open a case in the support portal.

The issue will be with the creation of triggers in the database, but cause and solution can vary.
BruceLee
Forum Regular
Posts: 879
Joined: Sat Mar 28, 2009 6:58 pm
Location: Germany

Re: ASL 4 web interface issues

aum -uf did not solve it. I'm planning to move to another server, so I will review if it's necessary to open a case now. The new server will be a completely new install, so this upgrade error should not show up. If it's taking too long until I can set it up, I will open a new case. Thanks