Search found 27 matches

by cbrown
Yesterday, 2:42 pm
Forum: IPFire in General
Topic: [Solved] IPS alert on Traffic Originating/Src IPFire Red0
Replies: 3
Views: 122

Re: [Solved] IPS alert on Traffic Originating/Src IPFire Red0

The target site appears to be the repository for "The CINS Army List" timfprogs/ipfblocklist feature.

TimF: if I'm wrong here, please reply.

thx
by cbrown
Yesterday, 2:04 pm
Forum: IPFire in General
Topic: No rule files match the pattern /var/lib/surica ta/whitelist.rules
Replies: 0
Views: 36

No rule files match the pattern /var/lib/surica ta/whitelist.rules

Whenever Suricata reloads rules, I see this error in the log:
[ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/surica ta/whitelist.rules
I thought that perhaps it would go away if I were to add a few entries to “Whitelisted Hosts”. However, that made no difference, the “no w...
by cbrown
May 19th, 2019, 1:11 pm
Forum: IPFire in General
Topic: Nothing in Logs→System Logs/Intrusion Prevention
Replies: 8
Views: 168

Re: Nothing in Logs→System Logs/Intrusion Prevention

Hi ummeegge,

Yes, I see the IPS events when rules fire in "IPS Logs".
I was looking for other things like when Suricata is starting, stopping, updating rules, etc.

cbrown
by cbrown
May 19th, 2019, 12:51 pm
Forum: IPFire in General
Topic: [Solved] IPS alert on Traffic Originating/Src IPFire Red0
Replies: 3
Views: 122

[Solved] IPS alert on Traffic Originating/Src IPFire Red0

The IPS is alerting about every hour on traffic with the source being my IPFire box’s red0 address going to 208.70.186.167. This target address appears to be an ISP, M&A Technology Inc, but this is not someone with which I knowingly have any relationship. The Emerging Threats rule firing is: ET POLI...
by cbrown
May 19th, 2019, 10:02 am
Forum: IPFire in General
Topic: Nothing in Logs→System Logs/Intrusion Prevention
Replies: 8
Views: 168

Nothing in Logs→System Logs/Intrusion Prevention

I have been running IPFire 2.23 - Core Update 131 for a few days.
Is it normal for there to be no logs in System Logs section for Intrusion Prevention?

Thanks,
cbrown
by cbrown
May 18th, 2019, 3:54 pm
Forum: IPFire in General
Topic: Intrusion Prevention System - core 131
Replies: 24
Views: 900

Re: Intrusion Prevention System - core 131

Basically, it seems that Suricata is barfing when parsing the Talos rule files. (At least for the Talos Subscribed set downloaded with my Oinkcode.)
May 17 13:02:40 ipfire suricata: This is Suricata version 4.1.4 RELEASE
May 17 13:02:40 ipfire suricata: all 2 packet processing threads, 4 management th...
by cbrown
May 18th, 2019, 2:24 pm
Forum: IPFire in General
Topic: IPS Monitor-Traffic-Only on Per-Interface Basis
Replies: 0
Views: 47

IPS Monitor-Traffic-Only on Per-Interface Basis

In the old days of Snort + Guardian, with Snort enabled on all interfaces, Snort alerts got logged for all even though Guardian was only blocking the traffic coming in on the Red interface. This feature is lost with the new IPS. The new IPS provides the option to block or not-block on all enabled in...
by cbrown
May 17th, 2019, 10:59 pm
Forum: IPFire in General
Topic: Intrusion Prevention System - core 131
Replies: 24
Views: 900

Re: Intrusion Prevention System - core 131

I too switched to the ET Community ruleset and all seems to be working. When I try the Talos Subscribed rules, I get this nice set of errors. It looks as if Suricata is running but no rules fire/alert.
May 17 13:00:36 ipfire oinkmaster[4954]: Loading /var/ipfire/suricata/oinkmaster.conf
May 17 13:00:...
by cbrown
May 17th, 2019, 10:04 pm
Forum: IPFire in General
Topic: Ipfstatusmail (Status emails for IPFire)
Replies: 49
Views: 2945

Re: Ipfstatusmail (Status emails for IPFire)

Hi TimF

I too would like an uninstaller if/when you get bored and run out of other things to do :)

Thanks
cbrown
by cbrown
May 17th, 2019, 4:02 pm
Forum: IPFire in General
Topic: Intrusion Prevention System - core 131
Replies: 24
Views: 900

Re: Intrusion Prevention System - core 131

Perhaps the same issue / concern ... I have selected the Talos Subscription ruleset and enabled all the rule files. Suricata shows as running but I too have no entries in Logs→IPS Logs. FWIW, the file /var/log/suricata/stats.log is showing incrementing values for entry ips.blocked (currently at 13K+...
by cbrown
April 17th, 2019, 9:00 pm
Forum: IPFire in General
Topic: [Solved] Get an Oink Code gets 404
Replies: 1
Views: 129

[Solved] Get an Oink Code gets 404

The Intrusion Detection System WUI page "https://your-ip-fire-here:444/cgi-bin/ids" has a label for a link that is intended to take you to an external website where a new oink code could be generated. However, when clicking on the label, you get a nice looking page at snort.org saying page not found ...
by cbrown
April 16th, 2019, 10:29 am
Forum: IPFire in General
Topic: [Solved] Automatic Rule Updates for Suricata
Replies: 2
Views: 206

Re: Automatic Rule Updates for Suricata

Thanks, I’m sure I saw that info a few weeks back but my limited synapses and neurons forced it to be swapped out to the bit bucket ::)
Rules will also now automatically be updated daily or weekly. Having the latest ruleset allows to detect latest attack vectors and malicious traffic efficiently.
by cbrown
April 16th, 2019, 1:19 am
Forum: IPFire in General
Topic: [Solved] Automatic Rule Updates for Suricata
Replies: 2
Views: 206

[Solved] Automatic Rule Updates for Suricata

Is there an effort underway to have automatic rule updates for Suricata?
Perhaps a Suricata version of ids-update.pl or ...
this tool: https://suricata-update.readthedocs.io/en/latest/
by cbrown
April 5th, 2019, 12:37 pm
Forum: IPFire in General
Topic: Two wired networks
Replies: 4
Views: 338

Re: Two wired networks

Here's a generic cookbook for routing all traffic through VPN on your IPFire box: https://forum.ipfire.org/viewtopic.php?f=27&t=22302&p=122537&hilit=vpn+service#p123409 Not sure but I suspect you could do something like this: 1) run your normal internet (not-VPN) traffic straight through your Asus rou...