OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: N0_Klu3 on May 23, 2020, 10:38:39 pm

Title: IPS rules that won't cause issues
Post by: N0_Klu3 on May 23, 2020, 10:38:39 pm
I’m looking to enable IPS but wanted to check which rule sets will work without causing too many false positives?

Is there somewhere I can get some default rules to enable?
I really like the snort rules where you can choose Balanced or Secure or whatnot.

I really wish ET had these options, so I’m kinda looking for something like this if possible?
Title: Re: IPS rules that won't cause issues
Post by: nzkiwi68 on June 25, 2020, 01:54:17 am
Have a good read of this;

https://forum.opnsense.org/index.php?topic=6590.0

That's a useful start.
Also, think about what you're protecting...

Example:
If you don't have an SQL server exposed via a web server and a web server, then, maybe you don't need these rules;
Title: Re: IPS rules that won't cause issues
Post by: FullyBorked on July 19, 2020, 02:35:08 am
In my experience, to really tune your IPS/IDS and get the most benefit from the feature, you'll need to do the following.


As rules are updated you'll always have to keep track of the IPS/IDS rules and adjust them over time.