OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: marshalleq on November 26, 2020, 10:48:53 pm

Title: SMTP / IMAP IDS/IPS Not working?
Post by: marshalleq on November 26, 2020, 10:48:53 pm
Hi everyone, for some time I've been having some issues with dictionary attacks locking out my mail server accounts. I'm not sure if the IPS is not working, because if it was I'd expect that this wouldn't happen. Perhaps I have misconfigured something.

Can anyone help as to:
1 - What rules I would need to prevent this
2 - Any obvious configuration issues - how I might know IPS/IDS is actually working?

I've done some searching, but haven't found anything conclusive.

I'm using the free (in return for some data) ruleset you get from the OPNsense store.

Had this message up here for a week or two, no replies, so I edited it just now.  Perhaps nobody knows how to check if it's working....

Thanks.

Title: Re: SMTP / IMAP IDS/IPS Not working?
Post by: errored out on February 02, 2021, 12:25:28 pm
What are the logs / alerts showing? To test, you can use an EICAR file.

More information is needed. What rules did you select (which free rules), and how did you configure your IPS? Did you disable the offloading and other NIC functions?


Had this message up here for a week or two, no replies, so I edited it just now.  Perhaps nobody knows how to check if it's working....


Sometimes people may look at your question and see that it is basic, and searching on the forum will provide an answer, or perhaps a simple web search could also work. The IPS used for OPNsense is Suricata.

Title: Re: SMTP / IMAP IDS/IPS Not working?
Post by: Fright on February 02, 2021, 02:35:29 pm
What rules do you expect to work? Is the traffic encrypted?
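The two replies above raise the same pair of questions: is Suricata actually alerting on anything, and is the mail traffic it sees encrypted so that payload rules for SMTP/IMAP logins could never match? Both can be answered from Suricata's EVE JSON log rather than by guessing. The script below is an added example, not code from OPNsense, Suricata or anyone in this thread. It assumes the standard Suricata EVE format (one JSON object per line) and the usual OPNsense log location /var/log/suricata/eve.json; the sample lines and the local-range rule SID embedded in it are constructed for illustration and are not real alerts or real ET Open signatures.

```python
"""Summarize a Suricata eve.json log: alert counts by signature, whether any
alert was actually 'blocked' (IPS) rather than just 'allowed' (IDS), and
which mail ports carry TLS, where payload-matching login rules cannot see
anything.  Added example; not OPNsense/Suricata project code."""
import json
import sys
from collections import Counter, defaultdict

# Ports a mail server typically exposes; the names are for the report only.
MAIL_PORTS = {25: "smtp", 465: "smtps", 587: "submission", 110: "pop3",
              143: "imap", 993: "imaps", 995: "pop3s"}

# Assumed default log path on OPNsense (assumption, override on the command line).
DEFAULT_EVE_PATH = "/var/log/suricata/eve.json"

# Constructed sample (not real traffic, not real rule output): flows to a mail
# server on 993 and 25, a TLS record on 993, and one alert from a hypothetical
# local rule.  SID 9000001 is in the local-rule range, not an ET Open signature.
SAMPLE_EVE = """\
{"timestamp":"2020-11-26T22:48:53.000000+1300","event_type":"flow","src_ip":"203.0.113.10","src_port":51234,"dest_ip":"192.0.2.5","dest_port":993,"proto":"TCP","app_proto":"tls","flow":{"pkts_toserver":12,"pkts_toclient":10}}
{"timestamp":"2020-11-26T22:49:01.000000+1300","event_type":"flow","src_ip":"203.0.113.10","src_port":51240,"dest_ip":"192.0.2.5","dest_port":25,"proto":"TCP","app_proto":"smtp","flow":{"pkts_toserver":8,"pkts_toclient":7}}
{"timestamp":"2020-11-26T22:49:02.000000+1300","event_type":"alert","src_ip":"203.0.113.10","src_port":51240,"dest_ip":"192.0.2.5","dest_port":25,"proto":"TCP","app_proto":"smtp","alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"CONSTRUCTED SMTP auth failure test rule","category":"Attempted User Privilege Gain","severity":2}}
{"timestamp":"2020-11-26T22:49:05.000000+1300","event_type":"tls","src_ip":"203.0.113.10","src_port":51250,"dest_ip":"192.0.2.5","dest_port":993,"proto":"TCP","tls":{"version":"TLS 1.3","sni":"mail.example.com"}}
"""


def parse_eve(lines):
    """Yield parsed EVE records, skipping blank or truncated (malformed) lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize(records):
    """Return (alerts_by_sig, alert_actions, app_proto_by_mail_port)."""
    alerts = Counter()                # (sid, signature) -> count
    actions = Counter()               # "allowed" / "blocked" -> count
    mail_app = defaultdict(Counter)   # dest_port -> app_proto -> count
    for rec in records:
        et = rec.get("event_type")
        if et == "alert":
            a = rec.get("alert", {})
            alerts[(a.get("signature_id"), a.get("signature"))] += 1
            actions[a.get("action", "unknown")] += 1
        port = rec.get("dest_port")
        if port in MAIL_PORTS and et in ("flow", "tls"):
            # A 'tls' event has no app_proto field but is TLS by definition.
            proto = rec.get("app_proto") or ("tls" if et == "tls" else "unknown")
            mail_app[port][proto] += 1
    return alerts, actions, mail_app


def encrypted_mail_ports(mail_app):
    """Mail ports on which Suricata classified traffic as TLS."""
    return sorted(p for p, seen in mail_app.items() if seen.get("tls"))


def findings(alerts, actions, mail_app):
    """Plain-language conclusions a practitioner would draw from the counts."""
    out = []
    if not alerts:
        out.append("no alerts at all: the engine is not matching anything "
                   "(check the monitored interfaces, NIC offloading and rule selection)")
    elif not actions.get("blocked"):
        out.append("alerts exist but none are 'blocked': Suricata is alerting, "
                   "not dropping (IPS mode off, or the rules are alert- not drop-action)")
    for port in sorted(mail_app):
        seen = mail_app[port]
        if seen.get("tls"):
            out.append(f"port {port} ({MAIL_PORTS[port]}): TLS, payload rules "
                       "for SMTP AUTH / IMAP LOGIN cannot match here")
        else:
            out.append(f"port {port} ({MAIL_PORTS[port]}): cleartext {dict(seen)}")
    return out


def report(path=None):
    """Read a log file (or the constructed sample when path is None) and report."""
    if path is None:
        lines = SAMPLE_EVE.splitlines()
    else:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    alerts, actions, mail_app = summarize(parse_eve(lines))
    for (sid, sig), n in alerts.most_common():
        print(f"{n:6d}  sid={sid}  {sig}")
    return findings(alerts, actions, mail_app)


if __name__ == "__main__":
    # Usage: python eve_summary.py [/var/log/suricata/eve.json]
    # With no argument the constructed sample is used so the script runs offline.
    for line in report(sys.argv[1] if len(sys.argv) > 1 else None):
        print("-", line)
```

Run it against the real log after generating some traffic you expect a rule to match (an EICAR download through the firewall is the usual check, as suggested above). If the alert list is empty, the engine is not seeing the traffic; if every alert says "allowed", it is running as IDS only; and any mail port listed as TLS is one where a dictionary-attack rule that inspects login strings cannot fire, no matter which ruleset is enabled.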