IDS logs do no work

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am


Post by donaldo » July 10th, 2018, 5:51 am

Hi to everybody,
I have another question:
If I set the IDS with the Sourcefire VRT rules for registered users, I can set the rules but I do not see logs. Do the rules work?
If I set Emerging Threats I see the logs.

Is Emerging Threats equal to Sourcefire in the number of rules?

I think it is very useful to see the logs for a firewall. Is it possible to repair this bug?

Thanks
Donatello

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: IDS logs do no work

Post by TimF » July 10th, 2018, 5:14 pm

I think this is a difference between the Talos VRT and Emerging Threats rule sets.

Both rule sets include rules that look at the characteristics of the traffic passing through Snort, however the Emerging Threats ruleset includes rules that just look for known suspect IP addresses. If you see rules being triggered named 'ET CINS Active Threat Intelligence Poor Reputation IP' or 'ET DROP Dshield Block Listed Source' it's these rules which are being triggered (there are others). In most cases the packets would be blocked by your firewall anyway; they're probably reconnaissance for a later attack. The Talos VRT rules don't trigger because they're looking at the traffic at a later stage of the attack.

Using Snort rules to block IP addresses this way is actually inefficient. There is a more efficient way of doing it in Snort using the reputation processor, but this doesn't work in the way that Snort is set up on IPFire, which is why the Talos VRT equivalent isn't enabled. There has been some discussion about providing a method of loading IP address blacklists into the firewall, but I'm not aware of any decision being made.
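To see the difference TimF describes for yourself, the following added example (written for this thread; not IPFire, Snort, Talos or Emerging Threats code) parses a few Snort 2.x rules and a few lines from an alert_fast log and reports how many of the alerts came from rules that match on source/destination address alone, with no payload inspection, versus rules that look at packet content. The rules, the SIDs (9000001 to 9000004) and the log lines are all constructed for illustration and do not correspond to real ET or Talos signatures; the only assumptions are Snort 2.x rule syntax and the alert_fast output format.

```python
"""Classify Snort rules and alert_fast log lines as IP-reputation matches
versus payload-inspection matches.

Added example for this forum thread; it is not IPFire, Snort, Talos or ET
code. Snort 2.x rule syntax and the alert_fast log format are assumed; every
rule, SID and log line below is constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, NamedTuple

# Snort 2.x rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r'^(?P<action>alert|drop|log|pass)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)'
    r'\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<body>.*)\)\s*$')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
MSG_RE = re.compile(r'\bmsg:\s*"([^"]*)"\s*;')
# Rule options that force Snort to inspect packet payload.
PAYLOAD_OPTS = ('content:', 'uricontent:', 'pcre:', 'byte_test:', 'byte_jump:', 'isdataat:')
# A header address written as a literal IP, CIDR or bracketed list (not a $VAR, not 'any').
LITERAL_ADDR_RE = re.compile(r'^!?\[?[0-9./,!]+\]?$')
# alert_fast line: "... [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)')


class Rule(NamedTuple):
    sid: int
    msg: str
    ip_only: bool  # True when the rule matches on addresses alone, with no payload options


def parse_rules(text: str) -> Dict[int, Rule]:
    """Parse Snort 2.x rule lines into a map from SID to Rule."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        sid_m = SID_RE.search(m['body'])
        if not sid_m:
            continue
        msg_m = MSG_RE.search(m['body'])
        literal_header = bool(LITERAL_ADDR_RE.match(m['src']) or LITERAL_ADDR_RE.match(m['dst']))
        inspects_payload = any(opt in m['body'] for opt in PAYLOAD_OPTS)
        sid = int(sid_m.group(1))
        rules[sid] = Rule(sid, msg_m.group(1) if msg_m else '',
                          literal_header and not inspects_payload)
    return rules


def classify_alerts(rules: Dict[int, Rule], alert_log: str) -> Counter:
    """Count alert_fast lines by whether the firing rule was IP-reputation-only."""
    counts: Counter = Counter()
    for line in alert_log.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        rule = rules.get(int(m['sid']))
        if rule is None:
            counts['unknown-sid'] += 1
        elif rule.ip_only:
            counts['ip-reputation'] += 1
        else:
            counts['payload-inspection'] += 1
    return counts


# Constructed sample rules (SIDs 9000001-9000004 are placeholders, not real ET/Talos SIDs).
SAMPLE_RULES = r'''
alert ip [203.0.113.10,203.0.113.11,198.51.100.0/24] any -> $HOME_NET any (msg:"ET DROP Dshield Block Listed Source group 1"; classtype:misc-attack; sid:9000001; rev:1;)
alert ip [198.51.100.77] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP group 1"; classtype:misc-attack; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:9000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC directory traversal attempt"; flow:to_server,established; content:"../"; http_uri; classtype:web-application-attack; sid:9000004; rev:1;)
'''

# Constructed alert_fast lines using documentation IP ranges.
SAMPLE_ALERTS = '''
07/10-05:51:23.123456  [**] [1:9000001:1] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.10:54321 -> 192.0.2.5:22
07/10-05:51:24.001122  [**] [1:9000001:1] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.200:40001 -> 192.0.2.5:445
07/10-05:52:01.555555  [**] [1:9000002:1] ET CINS Active Threat Intelligence Poor Reputation IP group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.77:5060 -> 192.0.2.5:5060
07/10-05:53:10.777777  [**] [1:9000003:1] SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.50:51000 -> 192.0.2.5:22
'''

if __name__ == '__main__':
    rules = parse_rules(SAMPLE_RULES)
    for r in rules.values():
        print(f"sid {r.sid}: {'IP-reputation only' if r.ip_only else 'payload inspection'}: {r.msg}")
    print(dict(classify_alerts(rules, SAMPLE_ALERTS)))
```

Run against a real ET rules file and your own alert_fast log (paths are yours to supply), the first number is the share of "noise" generated purely by address matches, which is what fills the log before any payload-based Talos rule would have anything to see. The classification is deliberately conservative: a rule with a literal address list that also carries a content: or pcre: option is counted as payload inspection, since Snort still has to look inside the packet for it to fire.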
