Search found 38 matches

by cbrown
August 13th, 2019, 1:44 am
Forum: IPFire in General
Topic: Intrusion Prevention System - core 131
Replies: 54
Views: 4496

Re: Intrusion Prevention System - core 131

Curious about net setup for Pi-Hole. Can I hang the RP/Pi-Hole box off my green net with a fixed address and then assign my IPFire DNS Server Address to be the Pi-Hole?
by cbrown
June 26th, 2019, 2:34 pm
Forum: IPFire in General
Topic: Intrusion Prevention System - core 131
Replies: 54
Views: 4496

Re: Intrusion Prevention System - core 131

A sweet bit of hacking there, H&M ;D
Any chance this capability would make it into IPFire 2.x in the next few months?

-cb
by cbrown
June 5th, 2019, 11:54 pm
Forum: IPFire in General
Topic: Internet Traffic Targeting Blue-to-Green OpenVPN tun0 Address
Replies: 0
Views: 107

Internet Traffic Targeting Blue-to-Green OpenVPN tun0 Address

I recently noticed a disturbing packet dropped by timfprogs/blocklist tool for the TOR_ALL list. I use OpenVPN to access Green from Blue. The blocked packet was targeting my OpenVPN Tun0 address 10.42.241.14 port 123 (NTP). What disturbs me is the idea that some external entity could be aware of the...
by cbrown
May 26th, 2019, 12:26 am
Forum: IPFire in General
Topic: [Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes
Replies: 5
Views: 327

Re: [Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Hi TimF, The block-lists for FEODO_BAD_IP and FEODO_IP get errors after downloading and do not load any entries in 'ipset'. The errors consist of a long list of: Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152. Use of uninitialized v...
by cbrown
May 24th, 2019, 3:22 pm
Forum: IPFire in General
Topic: [Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes
Replies: 5
Views: 327

Re: timfprogs/ipfblocklist -- Safe, Pkts, Bytes

TimF,

Wow, thanks for the comprehensive reply :)

-cbrown
by cbrown
May 24th, 2019, 8:14 am
Forum: IPFire in General
Topic: [Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes
Replies: 5
Views: 327

Re: timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Okay, after a reboot I see counts increasing for pkts and bytes for CIARMY – along with DROP_CIARMY entries in Firewall log. I was confused earlier by the blanks showing earlier (blanks, not even zeroes) for CIARMY in the image above. I’m still unclear on the meaning of Safe. I suppose this topic wo...
by cbrown
May 23rd, 2019, 7:37 pm
Forum: IPFire in General
Topic: [Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes
Replies: 5
Views: 327

[Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes

TimF, My simple cave-man brain is having trouble making sense out of the columns for Safe, Pkts, Bytes. Could you point me to something that explains what the corresponding values mean? Safe -- Safe to block? Pkts -- Packets blocked? Bytes -- Bytes blocked? CIARMY seems to have the highest volume of...
by cbrown
May 22nd, 2019, 3:43 pm
Forum: IPFire in General
Topic: [Solved] Whitelisted Host Stops Getting White Listed
Replies: 4
Views: 248

Re: Whitelisted Host Stops Getting White Listed

I just did a manual rule update with 'update-ids-ruleset' then checked 'System Logs->Intrusion Prevention'. The log shows: [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/surica ta/whitelist.rules I then ran a manual update for timfprogs/ipfblocklist. The blocklist update f...
by cbrown
May 22nd, 2019, 2:39 pm
Forum: IPFire in General
Topic: [Solved] Whitelisted Host Stops Getting White Listed
Replies: 4
Views: 248

Re: Whitelisted Host Stops Getting White Listed

FWIW, the whitelisted host is the repository for “The CINS Army List” used by the timfprogs/ipfblocklist feature. So, the traffic getting blocked is coming from my IPFire box going to the whitelisted host. Again, this seems to work fine for several hours – with the whitelisted site being successfull...
by cbrown
May 22nd, 2019, 12:35 pm
Forum: IPFire in General
Topic: [Solved] Whitelisted Host Stops Getting White Listed
Replies: 4
Views: 248

[Solved] Whitelisted Host Stops Getting White Listed

It seems that at least one of the entries I have in "Intrusion Prevention System->Whitelisted Hosts" stops getting whitelisted after some period of time. Over the course of several hours of running without issue, the rule that blocks this address starts blocking it again. I will continue to monitor ...
by cbrown
May 20th, 2019, 2:42 pm
Forum: IPFire in General
Topic: [Solved] IPS alert on Traffic Originating/Src IPFire Red0
Replies: 3
Views: 243

Re: [Solved] IPS alert on Traffic Originating/Src IPFire Red0

The target site appears to be the repository for "The CINS Army List" timfprogs/ipfblocklist feature.

TimF: if I'm wrong here, please reply.

thx
by cbrown
May 20th, 2019, 2:04 pm
Forum: IPFire in General
Topic: No rule files match the pattern /var/lib/surica ta/whitelist.rules
Replies: 0
Views: 112

No rule files match the pattern /var/lib/surica ta/whitelist.rules

Whenever Suricata reloads rules, I see this error on the log: [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/surica ta/whitelist.rules I thought that perhaps it would go away if I were to add a few entries to “Whitelisted Hosts”. However, that made no difference, the “no w...
by cbrown
May 19th, 2019, 1:11 pm
Forum: IPFire in General
Topic: [Solved] Nothing in Logs→System Logs/Intrusion Prevention
Replies: 8
Views: 332

Re: Nothing in Logs→System Logs/Intrusion Prevention

Hi ummeegge,

Yes, I see the IPS events when rules fire in "IPS Logs".
I was looking for other things like when Suricata is starting, stopping, updating rules, etc.

cbrown